The HHS data breach policy, known as the HIPAA Breach Notification Rule, is a protocol that requires HIPAA-covered entities and their business associates to report any breach involving protected health information (PHI) to HHS, affected individuals, and in some cases, the media.
A breach is, generally, an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.
Data breaches must be reported within 60 calendar days after the “date of discovery,” regardless of the certainty of a breach. If a breach involves fewer than 500 individuals, the covered entity may keep a log of the breach and submit it within 60 calendar days after the end of the calendar year in which the breach was discovered. If a breach involves 500 or more individuals, the covered entity must also notify a media outlet serving the state, in addition to HHS and the affected individuals.
Information in an HHS data breach report includes:
Type of covered entity
Number of affected individuals
Date of breach submission
Type of breach
Breached information location