Under HIPAA's Breach Notification Rule, you must notify the HHS Office for Civil Rights (OCR) without unreasonable delay, and no later than 60 calendar days after discovering a breach that affects 500 or more individuals. Breaches affecting fewer than 500 go on an annual log submitted within 60 days after the end of the calendar year in which they were discovered. The 60-day figure is a ceiling, not a target: internal containment, forensic documentation, and legal hold should begin within 72 hours of discovery, long before the formal notification deadline comes into view.
The Four Breach Scenarios HIPAA Presumes Are Breaches
Before you can respond correctly, you need to know what type of incident you have. HIPAA defines a breach as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. Any such impermissible use or disclosure is presumed to be a breach unless you can demonstrate otherwise. Four scenarios account for most of what practices actually see:
- Unauthorized access: An employee viewing records they have no treatment relationship with
- Unauthorized disclosure: PHI sent to the wrong patient, fax, or email
- Theft or loss: A stolen laptop, lost USB drive, or missing paper chart
- Hacking/ransomware: Any malware or intrusion that reached systems holding ePHI
Three narrow statutory exceptions exist: unintentional, good-faith access by a workforce member acting within their authority; inadvertent disclosure between two people at the same organization who are both authorized to handle PHI; and a disclosure where the recipient could not reasonably have retained the information. Outside those, the only way to avoid notification is a documented risk assessment covering the four factors in the rule (the nature and extent of the PHI, who received or accessed it, whether it was actually acquired or viewed, and how far the risk has been mitigated) that shows a low probability the PHI was compromised. Separately, PHI that was encrypted in line with HHS guidance, with the key not exposed, is not "unsecured" PHI and its loss is not a reportable breach. Most real-world incidents do not qualify for any of these.
Hours 0–4: Contain First, Document Everything
The moment you suspect a breach, start a written log with timestamps. Courts and OCR investigators look at this log to evaluate your response.
- Isolate affected systems. Disconnect compromised devices from the network (unplug the cable, disable Wi-Fi, or quarantine the switch port) but do not power them off: in ransomware cases forensic analysis relies on live memory, which can hold the running malware and encryption keys that are lost on shutdown.
- Revoke compromised credentials immediately. If an account was phished or a password exposed, disable the account within minutes, not hours, and revoke its active sessions and tokens as well; a password reset alone leaves existing logins working.
- Preserve logs. Tell your IT provider to export and preserve every relevant system log (authentication, EHR audit, firewall, email, backup) before anything is overwritten, and to record a hash of each exported copy so its integrity can be shown later. Log retention policies typically overwrite data within 30–90 days.
- Notify your Privacy Officer. This triggers the formal HIPAA response process and gets legal counsel involved.
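The written log and the preserved, hashed log copies from the steps above can be produced with a small script. The following is an added example, not code from the page or from any IT provider: it copies candidate log files into an evidence directory, writes a SHA-256 manifest with UTC timestamps, appends every action to a timestamped incident log, and re-hashes the copies later to detect any change. The file names, actor name, and sample log lines are constructed for illustration.

```python
"""Evidence preservation for the first hours of an incident.

Copies candidate log files into an evidence directory, hashes each copy with
SHA-256, writes a manifest, and appends every action to a timestamped incident
log. verify() re-hashes the copies later and reports any that changed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def now_utc() -> str:
    # ISO-8601 UTC so entries from different hosts and people line up
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def log_action(incident_log: Path, actor: str, action: str) -> None:
    # Append-only written log: who did what, when. Counsel and OCR will ask for it.
    with open(incident_log, "a", encoding="utf-8") as f:
        f.write(f"{now_utc()}\t{actor}\t{action}\n")


def preserve(sources, evidence_dir: Path, actor: str) -> dict:
    """Copy each source log into evidence_dir, hash it, and write manifest.json."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    incident_log = evidence_dir / "incident_log.tsv"
    manifest = {"collected_at": now_utc(), "collected_by": actor, "files": []}
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)            # copy2 keeps the source mtime, a timeline anchor
        os.chmod(dst, stat.S_IRUSR)       # read-only copy: an accidental edit fails loudly
        mtime = datetime.fromtimestamp(src.stat().st_mtime, timezone.utc)
        entry = {
            "source": str(src),
            "copy": str(dst),
            "sha256": sha256_file(dst),
            "size": dst.stat().st_size,
            "source_mtime_utc": mtime.isoformat(timespec="seconds"),
        }
        manifest["files"].append(entry)
        log_action(incident_log, actor, f"preserved {src} sha256={entry['sha256']}")
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path) -> list:
    """Re-hash every preserved copy; return the names of any that no longer match."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [Path(e["copy"]).name for e in manifest["files"]
            if sha256_file(Path(e["copy"])) != e["sha256"]]


def demo() -> dict:
    """Constructed sample logs (not real data) run through preserve() and verify()."""
    work = Path(tempfile.mkdtemp(prefix="hipaa-ir-"))
    auth = work / "auth.log"
    auth.write_text("Mar 03 02:14:07 ehr-app sshd[811]: Accepted password for svc_backup from 198.51.100.23\n")
    audit = work / "ehr_access.log"
    audit.write_text("2024-03-03T02:20:41Z user=svc_backup action=export table=patients rows=48211\n")
    evidence = work / "evidence"
    manifest = preserve([auth, audit], evidence, actor="j.doe (IT on-call)")
    clean = verify(evidence)
    # Simulate someone "tidying" a preserved copy and confirm verify() catches it
    copy = evidence / "auth.log"
    os.chmod(copy, stat.S_IRUSR | stat.S_IWUSR)
    copy.write_text("scrubbed\n")
    return {"files": len(manifest["files"]), "clean": clean, "tampered": verify(evidence)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on the real log paths instead of the constructed ones, and hand the manifest, the incident log, and the evidence directory to counsel together; the manifest hashes are what lets anyone later show the copies are the ones collected on day one.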
Hours 4–24: Assess the Scope
You need to answer four questions before you can determine your notification obligations:
- What PHI was involved? (Name, SSN, diagnosis, treatment records, payment info?)
- Who accessed or received it?
- Was it actually acquired and used, or just potentially accessible?
- Has the risk been mitigated? (E.g., a misdirected fax recipient confirmed destruction)
Your answers feed a written risk assessment. Under the Breach Notification Rule, an impermissible use or disclosure is presumed to be a breach unless that written assessment, considering at least these four factors, demonstrates a low probability that the PHI was compromised. If it cannot, notification is required.
The Notification Hierarchy
HIPAA requires notification to several parties, each on its own timeline:
| Who to Notify | Deadline | Method |
|---|---|---|
| Affected individuals | Without unreasonable delay, and no later than 60 calendar days after discovery | First-class mail to the last known address; email if the individual has agreed to electronic notice; substitute notice (website posting or major media, with a toll-free number) when contact details are missing or out of date for 10 or more people |
| HHS/OCR (500 or more affected) | Same 60-day limit as individual notice | HHS Breach Portal |
| HHS/OCR (fewer than 500 affected) | Annual log, within 60 days after the end of the calendar year of discovery (by March 1) | HHS Breach Portal |
| Prominent media outlets | Same 60-day limit, when more than 500 residents of a single state or jurisdiction are affected | Press release or direct media contact |
| Business associate to covered entity | Without unreasonable delay and no later than 60 days after the BA discovers the breach; BAAs commonly require notice within days | Per Business Associate Agreement terms |
What the Patient Notification Letter Must Include
The Breach Notification Rule (45 CFR 164.404(c)) specifies what an individual notice must contain. Missing any element can itself become a violation:
- Brief description of what happened, including date of breach and date of discovery
- Description of the types of PHI involved
- Steps individuals should take to protect themselves
- Brief description of what you are doing to investigate, mitigate harm, and prevent future incidents
- Contact procedures for questions, which must include a toll-free telephone number, email address, website, or postal address
Common Mistakes That Escalate OCR Penalties
OCR's enforcement patterns show that the breach itself often triggers less penalty than the response failures:
- Delayed discovery reporting: If you knew about indicators for 3 weeks before declaring a breach, OCR counts discovery from when you "should have known."
- No written risk assessment: A verbal determination that it "wasn't really a breach" does not satisfy the rule; without a documented four-factor assessment the presumption of breach stands.
- Inadequate business associate agreements: If a vendor handles your PHI without a BAA, the missing agreement is itself a violation, and a breach on the vendor's side lands on you as well.
- Lack of workforce training documentation: OCR will ask for training records. If your staff can't explain what constitutes PHI, expect a corrective action plan.
The Forensic Report Your IT Provider Should Deliver
A competent healthcare IT provider should give you a written forensic report within 5–7 days of a serious incident. That report should include:
- Timeline of attacker activity (based on log analysis)
- Exact list of systems and data stores accessed
- How initial access occurred (phishing, unpatched software, stolen credential)
- Evidence of data exfiltration (or evidence it didn't occur)
- Remediation steps taken and remaining
If your current IT provider can't produce this, that's a separate problem worth addressing before the next incident. See our guide to HIPAA-compliant IT services for what to look for in a healthcare-qualified MSP.
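The timeline in that report is also what fixes the discovery date OCR will apply, since under the rule the clock starts on the day the breach was known or, with reasonable diligence, should have been known. The following is an added example, not code from the page or from any provider: it normalizes a syslog-style auth log (no year in its timestamps) and an ISO-timestamped EHR audit log into UTC, orders them, tags entries matching two illustrative indicator rules, and compares the first indicator with the date the practice declared discovery. The hostnames, addresses, indicator rules, and the assumption that both hosts log in UTC are constructed for illustration; whether the first indicator meets the reasonable-diligence standard is a question for counsel, not for a script.

```python
"""Attacker timeline from mixed-format logs, and the date the clock really starts.

Normalises a syslog-style auth log (no year in the timestamp) and an
ISO-timestamped EHR audit log into UTC, orders them, tags entries that match
two illustrative indicator rules, and compares the first indicator against the
date the practice declared discovery. Hosts, IPs and rules are assumptions.
"""
import re
from datetime import date, datetime, timedelta, timezone

# Constructed sample lines (not real data). Assumed: both hosts log in UTC.
AUTH_LOG = """\
Feb 11 23:58:12 ehr-app sshd[4021]: Failed password for svc_backup from 198.51.100.23 port 50122
Feb 12 00:01:44 ehr-app sshd[4022]: Accepted password for svc_backup from 198.51.100.23 port 50127
Feb 12 00:03:09 ehr-app sudo: svc_backup : TTY=pts/0 ; COMMAND=/usr/bin/tar czf /tmp/p.tgz /srv/ehr/db
Feb 12 08:31:50 ehr-app sshd[4101]: Accepted password for dr.smith from 10.20.4.17 port 61002
"""
EHR_AUDIT = """\
2024-02-12T00:09:31Z user=svc_backup action=export table=patients rows=48211
2024-02-12T08:35:12Z user=dr.smith action=view patient=MRN-000314
2024-03-04T14:22:10Z user=admin action=review note="unusual export noticed"
"""

CORPORATE_NETS = ("10.", "192.168.")   # assumption: the practice's internal address space
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")
IP_RE = re.compile(r"\bfrom (\d+\.\d+\.\d+\.\d+)")


def parse_syslog(line, year, host_tz=timezone.utc):
    """Classic syslog omits the year; the caller supplies it and the host's zone."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=host_tz).astimezone(timezone.utc),
            "source": m.group(2), "msg": m.group(3)}


def parse_iso(line, source):
    m = ISO_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": source, "msg": m.group(2)}


def is_indicator(event):
    """Two illustrative rules: an interactive login from outside the corporate
    ranges, or a bulk export of the patient table. Real deployments use many more."""
    msg = event["msg"]
    ip = IP_RE.search(msg)
    if "Accepted password" in msg and ip and not ip.group(1).startswith(CORPORATE_NETS):
        return "interactive login from external address"
    m = re.search(r"action=export .*rows=(\d+)", msg)
    if m and int(m.group(1)) > 1000:
        return "bulk export of patient records"
    return None


def build_timeline(auth_text, audit_text, year=2024):
    """Merge both sources into one UTC-ordered list, each entry tagged with its indicator."""
    events = [e for e in (parse_syslog(line, year) for line in auth_text.splitlines()) if e]
    events += [e for e in (parse_iso(line, "ehr-audit") for line in audit_text.splitlines()) if e]
    for e in events:
        e["indicator"] = is_indicator(e)
    return sorted(events, key=lambda e: e["ts"])


def discovery_analysis(timeline, declared_discovery_iso):
    """Compare the declared discovery date with the first indicator in the timeline.
    The 'should have known' test is reasonable diligence, which counsel decides;
    this just surfaces the earliest evidence that test will be measured against."""
    declared = date.fromisoformat(declared_discovery_iso)
    first = next((e for e in timeline if e["indicator"]), None)
    known = first["ts"].date() if first else declared
    return {
        "first_indicator": first["indicator"] if first else None,
        "should_have_known": known.isoformat(),
        "declared_discovery": declared.isoformat(),
        "days_lost": (declared - known).days,
        "hhs_deadline_from_indicator": (known + timedelta(days=60)).isoformat(),
    }


if __name__ == "__main__":
    for e in build_timeline(AUTH_LOG, EHR_AUDIT):
        print(e["ts"].isoformat(), e["source"], e["indicator"] or "-", e["msg"][:60])
    print(discovery_analysis(build_timeline(AUTH_LOG, EHR_AUDIT), "2024-03-04"))
```

With the constructed data the first indicator is the external login on 12 February, while the practice did not notice the export until 4 March, 21 days later; measured from the indicator, the 60-day HHS deadline falls on 12 April. Feeding real exports into build_timeline gives the forensic report's timeline and the date counsel should plan the notifications around.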
Frequently Asked Questions
Does HIPAA require me to notify patients even if no data was actually stolen?
Yes, unless you can document a low probability of compromise under all four risk factors. Simply locking the attacker out is not enough — you need documented evidence that PHI was not acquired or viewed.
What is the fine for a HIPAA breach?
OCR's civil penalties are tiered by culpability, nominally $100 to $50,000 per violation before inflation adjustment, with an inflation-adjusted annual cap for each provision violated (about $1.9 million at the time of writing; HHS raises the figures yearly). How OCR counts "violations" in a given case drives the total. The largest settlements ($1M+) typically result from willful neglect or the absence of a risk analysis and policies, not from the breach event itself.
Do ransomware attacks automatically count as HIPAA breaches?
Yes, unless you can show otherwise. HHS's 2016 ransomware guidance, which remains in force, states that when ransomware encrypts ePHI a breach is presumed because the PHI was acquired by an unauthorized party (it took control of the data when it encrypted it), whether or not anything was copied out. The low-probability-of-compromise showing is extremely difficult to make for ransomware.