When Must a PHI Breach Be Reported Under HIPAA, and Who Must Be Notified?

It’s an unfortunate reality, but today’s healthcare organizations face serious cybersecurity risks, and PHI (protected health information) breaches are on the rise. In fact, serious breaches affecting over 500 patients increased by 61% from 2019 to 2020 alone. While healthcare organizations need to take immediate action to fix the source of a breach, whether it’s installing software patches, updating IoT devices, addressing insider threats, or some other remediation action, HIPAA also requires you to take specific actions for breach reporting.

However, the HIPAA Breach Notification Rule has a lot of facets, so providers need to understand their responsibilities for reporting breaches of protected health information. Here’s a quick overview of when PHI security breaches should be reported, as well as who you should report them to.

When Healthcare Providers Must Report Breaches

Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals, HHS (through its Office for Civil Rights, OCR), and in some cases the media when there is a breach of “unsecured protected health information.” A business associate that discovers a breach must notify the covered entity, which then handles the required notices. Only unsecured PHI triggers reporting: PHI that was not rendered unusable, unreadable, or indecipherable to unauthorized persons, either by encryption consistent with HHS guidance or by destruction, whether it was in physical or electronic form. Encryption only counts if the key was not also exposed; an encrypted laptop whose password was compromised along with it still holds unsecured PHI.

HIPAA defines a breach as the acquisition, access, use, or disclosure of PHI in a way the Privacy Rule does not permit and that compromises the privacy or security of the PHI. Since the 2013 Omnibus Rule, any impermissible use or disclosure is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised, based on a risk assessment that considers at least these four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and how easily the data could be re-identified.
  • The unauthorized person who used the PHI or to whom it was disclosed.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

Separately, three situations are excluded from the definition of a breach, and properly de-identified data is not PHI at all, so an incident that falls into one of these categories does not require reporting:

  • The information was de-identified under the Privacy Rule’s standards, so it could not be tied back to an individual.
  • A workforce member or person acting under your authority unintentionally acquired, accessed, or used the PHI in good faith and within the scope of their authority, and did not further use or disclose it impermissibly.
  • Someone authorized to access PHI at your organization (or at your business associate) inadvertently disclosed it to another person authorized to access PHI at the same organization, and it was not further used or disclosed impermissibly.
  • You have a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.

The burden of proof is on you, so document the four-factor risk assessment and retain it (HIPAA requires keeping such documentation for six years) so you can produce it if OCR investigates. Given the penalties for an unreported breach, when the assessment is a close call it is safest to report the disclosure to OCR. You can then provide supporting documentation, such as the results of the PHI breach risk assessment, to show why you concluded it was not a true breach, and OCR will review it.

Who To Notify in the Event of a PHI Breach

Breach notification requirements depend on the extent of the breach. Smaller breaches have lighter reporting requirements, while larger ones require more work. Depending on the breach, you might need to notify patients, the media, and the OCR. Every deadline below runs from discovery, and HIPAA treats a breach as discovered on the first day it is known to any workforce member or agent (other than the person who committed it), or would have been known with reasonable diligence, so a slow internal investigation does not delay the clock.

Patients

You must notify each affected individual without unreasonable delay, and in no case later than 60 calendar days after discovering the breach. HIPAA requires written notice by first-class mail to the individual’s last known address or, if the individual is deceased and you have the address, to their next of kin or personal representative. You may notify by email instead only if the individual has agreed to receive electronic notices.

If you lack current contact information for ten or more affected individuals, you must provide substitute notice instead: either a conspicuous posting on your website’s home page for 90 days, or notice in major print or broadcast media where the affected individuals likely reside. Either form must include a toll-free number, active for at least 90 days, that people can call to learn whether their PHI was involved. If contact information is missing for fewer than ten people, an alternative written notice, a telephone call, or other means is sufficient.

The Media

Small breaches don’t require media notification, but if the breach affected more than 500 residents of a state or jurisdiction, HIPAA requires you to notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovering the breach. The notice must contain the same information you sent to patients; a press release to major news outlets in the area is the usual way to do this.

The HHS Office for Civil Rights

You have to notify HHS OCR about every breach of unsecured PHI. When you notify them depends on how many individuals were affected.

If the breach affected fewer than 500 individuals, you may report it to OCR on an annual basis: log each such breach when you discover it and submit the reports no later than 60 days after the end of the calendar year in which the breach was discovered. If you experienced a handful of small breaches over the course of the year, submitting them together saves time, although you may submit earlier. The annual deadline applies only to the HHS report; the affected individuals must still be notified within 60 days of discovery.

However, if the breach affected 500 or more individuals, you must notify OCR at the same time you notify the individuals: without unreasonable delay and no later than 60 calendar days after discovering the breach. OCR posts these larger breaches on its public breach portal.

Regardless of the size of the breach, you submit the report electronically through the breach report form on the HHS OCR website. The burden of proof is on you to show that every required notice was made, so retain copies of the notices, mailing records, and your breach log. Likewise, if you concluded that an incident was not a reportable breach, retain the risk assessment showing a low probability that the PHI was compromised, along with its supporting documentation, so you can produce it if OCR asks.

Avoid Breaches In The First Place: Secure Your PHI

HIPAA breach reporting guidelines aren’t complex, but if your business experiences frequent breaches, they can become an administrative — and financial — headache. The fewer breaches you experience, the less your organization has to worry about breach reporting. The best way to do that is to follow PHI cybersecurity best practices and invest in healthcare cybersecurity to prevent breaches in the first place.

The issue is that large hospitals and other healthcare organizations often don’t know where their ePHI exists, which increases the odds of a breach. That’s where companies like Tausight can help. Tausight’s Situational ePHI Awareness solution makes it possible to identify PHI and analyze activity and risk throughout the healthcare ecosystem in real-time. Awareness of your PHI, how it’s being used and shared, and what its risk level is enables you to take the appropriate measures to protect it and lessen the likelihood of breaches — while still supporting the need to share PHI securely.

Is your organization’s cybersecurity robust enough to survive a potential attack? Contact us today to see how Tausight can help.


David Ting

Founder and CTO, Tausight
