Open Nav Close Nav

News / Blog

What Is the HIPAA Breach Notification Rule?

Doctor holding a stethoscope while crossing his arms

The Health Insurance Portability and Accountability Act (HIPAA) is in place to ensure that you protect your patients’ health information (PHI). As a covered entity or business associate in the healthcare industry, you must be keeping your patients’ medical records in digital storage as part of your business operations.

These digital records or electronic patient health information (ePHI) are prone to cyber-attacks like hacking after leaving patient records unsecured. These threats to health records make confidentiality a vital factor in your industry.

Your healthcare institution must be HIPAA compliant, meaning your organization implements the standards established in the HIPAA. These standards include rules to maintain PHI and ePHI safety and security. Among these rules is the Breach Notification Rule, which states that you must report any breach to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR).

Failure to follow the established protocols are violations of the rule and result in appropriate fines. Here are the four categories of HIPAA violations and their respective penalty amounts according to the HIPAA Enforcement Rule that the U.S. HHS OCR provided.

A: Did Not Know

Covered entities or business associates that did not know that they have violated a HIPAA rule and would not have known that they violated a provision despite exercising reasonable diligence may pay an amount between $100 and $50,000 per violation.

This penalty category is no longer as common as other HIPAA penalties because you should have no excuse to understand that you must protect your patients’ medical records, whether they are physical or digital.

For example, you may have violated a HIPAA provision by failing to conduct proper employee training when it comes to keeping your records secure, which led to a data breach due to unsecured files.

You may claim that you did not know your employee should undergo HIPAA training every two years, but it goes without saying that employees who are assigned to keep documents safe should understand the necessary protocols in keeping documents secure locations.

B: Reasonable Cause

If you have violated HIPAA provisions due to reasonable causes, you may be subject to fines between $1,000 and $50,000 per violation.

A HIPAA violation example that may constitute a reasonable cause is when you release PHI to a patient’s family members who are neither their dependents nor someone with a Power of Attorney. Unauthorized people gaining access to a patient’s medical records is a violation of HIPAA regulations.

C-I: Willful Neglect — Corrected

Your violation of HIPAA provisions is considered “willful neglect” if you violated the rules consciously, meaning your mistake was intentional or due to irresponsibly overlooking your obligation to comply with HIPAA rules.

Even if you have corrected such a violation in time (within 30 days), you must pay an amount between $10,000 and $50,000 for each violation.

An example of a violation that falls under the willful neglect category is when you opted to save money instead of investing in the necessary tools and training to ensure that your PHI and ePHI are secure.

You may have thought that you only run a small business in the healthcare sector, convinced that you are not prone to data breaches. However, statistics show that 43% of cyber-attacks target small businesses.

C-II: Willful Neglect — Not Corrected

If the HHS Department deems your violation as willful neglect, and you failed to implement corrective measures in time, you must pay at least $50,000 in fines for each violation.

Going back to the Breach Notification Rule, failure to notify affected parties in time is a violation that may constitute willful neglect. Not correcting the violation may look like failing to implement strong HR policies to make sure all affected parties know about the data breach that took place.

HIPAA Breach Notification Rule Outline

Understanding the Breach Notification Rule’s provisions is vital to avoid any of the above violations and penalties. Here is an outline of how the HIPAA Breach Notification Rule operates and what you must follow:

Notification Process

You must notify your patients and the HHS Department should your medical institution suffer a data breach involving ePHI. This is called individual notice. Additionally, you should conduct initial investigation measures regarding the data breach, where you can assess how many patient records have been compromised.

Data breaches that affect less than 500 patient records are small-scale hacks. In such cases, you must visit the OCR website to fill out and submit a small-scale hack form after the initial investigation.

Data breaches that affect more than 500 patient records require more notification processes. You should provide media notice. Notifying the media ensures that the general public knows to avoid using the affected system while you conduct remediation measures.

In addition to notifying individuals and the media (when necessary), you must fill out and submit a breach notification to the Secretary. For breaches that affect less than 500 individuals, you can submit a report annually and no later than 60 days at the end of the year when you discover a breach. For breaches that affect more than 500 individuals, you must submit a report no later than 60 days following the day you discovered a breach.

Notification Message

HIPAA compliance requires you to include specific information in the breach notification you send to the HHS OCR. The rule states that authorities look for the following elements in your breach notification message:

  • A detailed description of the compromised ePHI and affected personal identifiers
  • A list of names and positions of the individuals who gained unauthorized access to PHI, ePHI, and relevant information
  • Specific information about the nature of the data breach, whether the compromised details were stolen or viewed
  • The degree of mitigation strategies you applied before reporting and how well your remediation measures fared


The HIPAA Breach Notification Rule is in place to make sure that covered entities or business associates in the healthcare industry report any instance of data breaches to the concerned public and official departments.

Failure to uphold HIPAA rules results in violations and appropriate fines, depending on the severity of your violation. Be sure to work with seasoned lawyers to understand the nuances of the HIPAA regulations and effectively avoid violations that bring costly penalties.