HIPAA Breach Notification: What to Do When Patient Data Is Compromised

You just found out that a laptop with patient records was stolen from a provider’s car. Or your EHR vendor called to say they were hit with ransomware. Or a staff member accidentally faxed a patient’s records to the wrong number.

Now what?

The next 60 days will define whether this is a manageable incident or a compliance catastrophe. How you respond to a breach matters as much as — and sometimes more than — the breach itself. OCR has repeatedly imposed larger penalties for mishandled breach responses than for the underlying security failures that caused them.

This is the guide you need to read before a breach happens. Because once it does, you won’t have time to figure it out.

What Counts as a Breach Under HIPAA (and What Doesn’t)

A breach under HIPAA is any impermissible use or disclosure of protected health information that compromises the security or privacy of that information. That’s the legal definition. In practice, it means any time PHI ends up somewhere it shouldn’t be — whether through a hack, a lost device, a misdirected communication, or an employee accessing records they had no reason to view.

But not every incident is a reportable breach. HIPAA provides three narrow exceptions:

1. Unintentional access by a workforce member acting in good faith and within the scope of their authority, where the information isn’t further disclosed in a way that violates the Privacy Rule.
2. Inadvertent disclosure between authorized persons at the same covered entity or business associate, where the information isn’t further used or disclosed improperly.
3. Good faith belief that the unauthorized person couldn’t retain the information — for example, if an email with PHI was sent to the wrong address but you have a good faith belief it was deleted without being read.

If none of those exceptions apply, HIPAA presumes the incident is a breach unless you can demonstrate a low probability that PHI was compromised. That’s where the four-factor risk assessment comes in.

The Four-Factor Risk Assessment

When an incident doesn’t fall into one of the three exceptions, you must conduct a risk assessment evaluating four factors:

1. The nature and extent of the PHI involved — What types of identifiers were included? Was it clinical information, financial data, Social Security numbers? The more sensitive and detailed the information, the higher the risk.
2. The unauthorized person who used the PHI or to whom the disclosure was made — Was it another healthcare provider who has their own HIPAA obligations? A random stranger? A malicious actor? The identity and obligations of the recipient matter.
3. Whether the PHI was actually acquired or viewed — Did the unauthorized person actually open the file, read the fax, or access the data? A lost encrypted laptop that was powered off is different from a stolen laptop that was logged in and unlocked.
4. The extent to which the risk to the PHI has been mitigated — Did you recover the information? Get a signed confidentiality agreement from the recipient? Confirm the data was destroyed?

You must document this assessment for every incident, whether or not you ultimately determine it’s a reportable breach. If OCR comes knocking, they’ll want to see your analysis and your reasoning. “We decided it wasn’t a breach” without documentation is itself a violation.

The 60-Day Notification Clock

Once you determine that a reportable breach has occurred — or should have determined, which is an important distinction — the 60-day clock starts ticking. You have 60 calendar days from the date of discovery to notify affected individuals.

Discovery doesn’t mean the date you finished your investigation. It means the date you first knew about the breach, or the date you would have known if you were exercising reasonable diligence. If a staff member noticed something suspicious on January 5 but didn’t report it until February 10, the clock started on January 5 — because a reasonable compliance program would have caught it then.

This is why having a culture of incident reporting matters. Every day that passes between an incident and its discovery is a day subtracted from your response window.

What If You’re Not Sure Yet?

The 60-day window is a maximum, not a target. You don’t need to wait until you’ve completed a full forensic investigation to begin notifications. In fact, OCR has been critical of organizations that used ongoing investigations as a reason to delay notification beyond what was reasonable.

Start notifying as soon as you have enough information to do so. You can supplement your initial notification with additional details as your investigation progresses.

Who You Must Notify

1. Affected Individuals

Every person whose unsecured PHI was or is reasonably believed to have been accessed, acquired, used, or disclosed must receive individual written notification. This must be sent by first-class mail to the last known address — or by email if the individual has previously agreed to electronic communication.

If you don’t have current contact information for 10 or more individuals, you must also post a conspicuous notice on your website homepage for at least 90 days or provide notice through major print or broadcast media in the area where the affected individuals likely reside.

2. HHS / Office for Civil Rights

All breaches must be reported to the HHS Secretary through the OCR breach reporting portal. The timing depends on the size of the breach:

• 500 or more individuals affected: Report to OCR within 60 days of discovery — the same timeline as individual notification.
• Fewer than 500 individuals affected: Report to OCR no later than 60 days after the end of the calendar year in which the breach was discovered. This is the annual reporting requirement discussed below.

3. Media

If a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area within 60 days of discovery. This isn’t optional, and “prominent” means outlets with broad reach — major newspapers, television stations, or news websites. A post on your practice’s Facebook page doesn’t count.

What Your Notification Must Contain

HIPAA requires five specific elements in every breach notification:

1. A brief description of the breach, including the date of the breach and the date of discovery (if known).
2. A description of the types of information involved — not the actual data, but the categories (e.g., names, dates of birth, Social Security numbers, diagnosis codes, treatment information).
3. Steps individuals should take to protect themselves, such as monitoring credit reports, placing fraud alerts, or changing passwords for patient portal accounts.
4. A description of what you are doing to investigate the breach, mitigate harm, and prevent future occurrences.
5. Contact information for individuals to ask questions — including a toll-free phone number, email address, website, or mailing address.

The notification must be written in plain language. Not legalese, not corporate PR speak. Clear, direct communication about what happened and what the affected person should do about it.

State Breach Notification Laws: The Shorter Clock You Might Be Missing

HIPAA’s 60-day window is a federal ceiling, not the only rule that applies. Nearly every state has its own breach notification law, and many impose significantly shorter timelines:

• Florida: 30 days to notify individuals, 30 days to notify the state attorney general.
• Texas: 60 days to notify individuals, but the state attorney general must be notified if 250+ residents are affected.
• California: Notification must be made “in the most expedient time possible and without unreasonable delay,” and no later than 45 days from discovery in some circumstances.
• New York: Notification must be made “in the most expedient time possible and without unreasonable delay,” with specific reporting to the attorney general, the Department of State, and the Division of State Police.
• Colorado and Connecticut: 30-day notification timelines.

If you operate in a state with a shorter notification window, that window controls — not HIPAA’s 60 days. And if you have patients across multiple states, you need to comply with each state’s requirements for its residents.

Failing to meet state deadlines while meeting HIPAA’s 60-day window is a common and costly mistake. You can be fully compliant with federal breach notification requirements and still face state enforcement actions and fines.

Small Breaches: The Annual Reporting Requirement Most Practices Miss

If a breach affects fewer than 500 individuals, you don’t have to report it to OCR within 60 days. Instead, you must maintain a log of all such breaches during the calendar year and submit them to OCR within 60 days after the end of that calendar year — meaning by March 1 of the following year.

This is not optional. It is not a suggestion. And many small practices have no idea it exists.

Every misdirected fax. Every email sent to the wrong patient. Every instance of an employee accessing a record without a treatment, payment, or operations reason. If your four-factor risk assessment determines these are breaches (and many of them will be), they must be logged and reported annually.

OCR uses this annual data to identify patterns. A practice that reports zero small breaches year after year is either genuinely flawless or, more likely, not tracking incidents properly. Both scenarios attract attention.

Real Examples of Botched Breach Responses

The enforcement history is full of cases where the breach response was worse than the breach.

Presence Health — $475,000 for Late Notification

In 2015, Presence Health reported a breach involving paper-based operating room schedules that contained PHI for 836 patients. The breach itself was relatively minor. But Presence Health didn’t notify affected individuals until nearly four months after discovery — well past the 60-day window. OCR’s settlement focused almost entirely on the notification delay, not the underlying incident. The message was clear: failing to notify on time is its own violation, regardless of how minor the breach was.

Cottage Health — $3 Million for a Preventable Breach and Inadequate Response

Cottage Health System suffered breaches in 2013 and again in 2015, exposing records of over 62,000 patients. The root cause was a misconfigured server that made patient data accessible via internet search engines. But what escalated the enforcement action was Cottage Health’s failure to implement a corrective action plan after the first breach — and then suffering a nearly identical breach two years later. OCR’s resolution agreement cited the lack of a comprehensive risk analysis, the failure to implement security measures, and the inadequate response to the initial breach.

Advocate Medical Group — $5.55 Million

Advocate Medical Group reported a breach involving the theft of four unencrypted laptops containing ePHI of approximately 4 million individuals. The settlement hinged on systemic failures: no comprehensive risk assessment, no policies governing the removal of devices containing ePHI from facilities, and no encryption — despite encryption being a known safeguard that would have rendered the breach non-reportable. The breach response revealed that Advocate had no meaningful security program in place to begin with.

The Common Thread

In each of these cases, OCR’s enforcement focused not just on the breach itself, but on what the organization’s response revealed about its overall compliance posture. A breach investigation pulls back the curtain on your entire HIPAA program. If OCR finds that you had no risk assessment, no policies, no training documentation, and no incident response plan, the penalties escalate dramatically — even if the original breach was relatively small.

Common Breach Scenarios for Small Practices

You don’t need a sophisticated cyberattack to have a reportable breach. The most common breach scenarios for small practices are mundane and preventable:

Lost or Stolen Devices

A laptop left in a car. A phone dropped at a restaurant. A tablet taken from an exam room. If the device contained unencrypted ePHI, it’s a reportable breach — period. Encryption is the single most effective way to neutralize this risk, because encrypted data is considered “unsecured PHI” only if the encryption key was also compromised.

Ransomware

HHS has stated that a ransomware attack is a reportable breach in most cases, because the attacker has acquired access to (and potentially exfiltrated) ePHI. Small practices are frequent ransomware targets precisely because they tend to have weaker security controls and are more likely to pay the ransom. Your response must include forensic analysis to determine the scope of access, which often requires outside expertise.

Misdirected Email or Fax

Sending a patient’s records to the wrong fax number, the wrong email address, or the wrong patient. These are among the most common small-practice breaches. Each instance requires a four-factor risk assessment. Many will qualify as reportable breaches, especially if the information was detailed or sensitive.

Employee Snooping

Staff accessing records of patients they’re not treating — whether out of curiosity about a neighbor, a celebrity, or an ex-spouse. This is an impermissible use of PHI and likely a reportable breach. It’s also a HIPAA sanction policy issue: your policies must include consequences for unauthorized access, and you must enforce them consistently.

Improper Disposal

Putting paper records with PHI in the regular trash. Donating or recycling old computers without properly wiping the hard drives. Failing to shred documents before disposal. All reportable if the PHI is accessed or could reasonably have been accessed.

The 2026 Proposed Rule Changes to Breach Notification

The proposed 2026 HIPAA Security Rule changes include significant modifications to breach notification requirements that practices need to prepare for:

72-Hour Notification to HHS: The proposed rule would require covered entities and business associates to notify HHS within 72 hours of discovering a breach, a dramatic reduction from the current 60-day window. This applies to notification to HHS — the individual notification timeline would remain at 60 days, but the pressure to identify and report breaches quickly would increase substantially.

Business Associate Notification: Business associates would be required to notify covered entities within 24 hours of discovering a breach, down from the current “without unreasonable delay” standard (which is generally interpreted as 60 days).

Enhanced Documentation: The proposed rule would require more detailed documentation of breach investigations, risk assessments, and notification decisions, making it even more critical to have a documented incident response process in place before an incident occurs.

These proposed changes are not yet final, but the direction is clear: HHS wants faster reporting, more transparency, and better documentation. Practices that build their breach response processes around the proposed timelines now will be ahead when the final rule publishes. For more details on the full scope of proposed changes, see our 2026 HIPAA Security Rule breakdown.

The Breach Response Plan You Need Before a Breach Happens

If you’re building your breach response plan after discovering a breach, you’re already behind. Every practice needs a documented breach response plan, reviewed and updated at least annually, that covers:

Incident Detection and Reporting

• Who do staff members report suspected incidents to? (Name a specific person and a backup.)
• What qualifies as a reportable incident? (Provide examples, not just legal definitions.)
• What’s the deadline for internal reporting? (24 hours is a reasonable standard.)
• Is there a way to report anonymously?

Investigation and Risk Assessment

• Who conducts the four-factor risk assessment?
• What documentation is required?
• Who makes the determination of whether the incident is a reportable breach?
• When do you involve legal counsel?
• When do you bring in outside forensic expertise?

Notification Process

• Who drafts the notification letters?
• Who reviews them (legal counsel should)?
• How are they sent, and how is delivery documented?
• Who reports to OCR through the breach portal?
• Who handles state notification requirements?
• Who handles media notification if 500+ individuals are affected?

Mitigation and Prevention

• What steps will be taken to contain the breach?
• How will you prevent recurrence?
• Who documents the corrective actions taken?

Post-Incident Review

• What went right and wrong in the response?
• What policy or procedure changes are needed?
• Does the risk assessment need to be updated?

Breach Response Checklist

When a breach occurs or is suspected, work through this checklist:

Immediate (within 24 hours):

• Document the incident: what happened, when, who discovered it, what PHI was involved
• Contain the breach: disable compromised accounts, recover devices if possible, isolate affected systems
• Notify your internal breach response lead
• Preserve all evidence — do not delete logs, emails, or any relevant records
• Determine if law enforcement should be contacted (especially for theft or ransomware)

Within 1 week:

• Conduct the four-factor risk assessment and document your analysis
• Determine if the incident meets the definition of a reportable breach
• Identify all affected individuals and the types of PHI compromised
• Engage legal counsel if the breach is reportable or the scope is uncertain
• Check state breach notification deadlines for all affected individuals’ states of residence

Within 30 days:

• Draft notification letters to affected individuals with all five required elements
• Have legal counsel review all notifications
• Begin sending individual notifications (don’t wait for the 60-day deadline if you’re ready sooner)
• Report to OCR if 500+ individuals are affected (or log for annual reporting if fewer)
• Notify state attorneys general or other state agencies as required
• Notify media if 500+ residents of a single state or jurisdiction are affected

Within 60 days:

• Complete all individual notifications
• Complete all required OCR and state reporting
• Document all mitigation steps taken
• Update your risk assessment to reflect the breach and any new vulnerabilities identified
• Conduct a post-incident review and update your breach response plan

Ongoing:

• Monitor for any additional exposure related to the breach
• Implement corrective actions identified during the post-incident review
• Provide additional workforce training if the breach involved human error
• Log the breach in your annual breach tracking log
• Update policies and procedures as needed

How ComplyMD Helps You Prepare for — and Respond to — a Breach

A breach is stressful enough without scrambling to figure out your legal obligations in real time. ComplyMD is built to ensure your practice is prepared before an incident occurs and supported when one does:

• Breach response plan templates customized to your practice’s size, specialty, and state — not generic documents you have to interpret yourself.
• Incident tracking and documentation that walks you through the four-factor risk assessment for every incident, creating the audit trail OCR expects to see.
• Automated state law mapping so you know exactly which notification deadlines apply based on where your affected patients reside.
• Notification letter drafts that include all five required elements, written in plain language and reviewed for compliance.
• Annual breach log reporting so you never miss the small-breach reporting requirement that catches most practices off guard.

The best time to set up your breach response infrastructure is before you need it. The second best time is now.