The javascript used on this site for creative design effects is not supported by your browser. Please note that this will not affect access to the content on this web site.
Skip Navigation
H H S Department of Health and Human Services
U.S. Department of Health and Human Services
Health Information Technology and Quality

A-Z Index  |  Questions?  |  Order Publications  |  HRSA Mobile

What do covered entities need to do if a breach of PHI occurs?

Notification to Individuals:
Once a health care provider discovers a breach (i.e., when the incident that involves the impermissible use or disclosure of PHI becomes first known), a notification needs to be sent to affected individuals without unreasonable delay and in no case later than 60 calendar days after the date of the breach (unless requested by law enforcement). The 60 day time period should be seen as an outer limit. So, if the risk analysis and the necessary information to provide notification is completed earlier, waiting until the day 60 would be seen as an unreasonable delay. However, if during the 60 day period a prompt risk analysis and investigation is conducted and it is concluded that no breach occurred, then no notification is necessary.    

The breach notification should be sent to individual in written form by first-class mail at the last known address. If an individual agrees to receive a notification via e-mail and this agreement has not been rescinded, then the written notification can be sent electronically. In the case of minors or individuals who lack legal capacity due to a mental or physical condition, the parent or personal representative should be notified. If the provider knows that an individual is deceased, the notification should be sent to the individual's next of kin or personal representative (i.e., a person who has the authority to act on behalf of the decedent or the decedent's estate), if the address is known. In urgent situations where there is a possibility for imminent misuse of the unsecured PHI, additional notice by telephone or other means may be made. However, direct written notice must still be provided.

Substitute notice must be provided if contact information is not available for some or all of the affected individuals or if some notifications that were sent are returned as undeliverable. The form of the substitute notice is based on the number of individuals for whom contact information was unavailable or out-of-date. If the number of individuals is fewer than ten, the provider should choose a form that can be reasonably calculated to reach the individual who should be notified. Possible forms may be an e-mail message, a phone call (keeping in mind that sensitive information should not be left on voicemail or in messages to other household members), or possibly a web posting if no other contact information is available and this is reasonably calculated to reach the individual. If the number of individuals is ten or more, the provider should place a conspicuous notice that includes a toll-free number: (1) on its homepage or a hyperlink that conveys the nature and important of the information to the actual notice, or (2) in major print or broadcast media in geographic areas where the affected individuals of the breach likely live. If the provider can update the contact information and provide written notice to one or more individuals so as to bring the total number of individuals for whom contact information is unavailable or out-of-date to less than ten, then the conspicuous notice requirement can be avoided.

Notification to Media:

If the breach of unsecured PHI involved more than 500 individuals residing in a particular State or jurisdiction (a geographic area smaller than a state), prominent media outlet must be notified (most likely via a press release) without unreasonable delay and no later than 60 days after discovery. The notification to the media is not a substitute for the notification to the individual. In the scenario that the breach involved a business associate that services multiple covered entities, a covered entity is required only to provide media notification if the breach involved more than 500 of its patients.

Notification to the Secretary:

For breach of unsecured PHI that involve more than 500 individuals, the Secretary of the Department of Health and Human Services should be notified without unreasonable delay and no later than 60 days after discovery. The information should be submitted via the HHS website. The Secretary will post a list of covered entities that submit reports of breaches of unsecured PHI involving more than 500 individuals. 

If the breach of unsecured PHI involves less than 500 individuals, the health care provider should maintain an internal log or other documentation of such breaches. This information should then be submitted annually (before March 1) to the Secretary of HHS for the preceding calendar year via the HHS website. (A separate form must be completed for each breach that occurred during the calendar year.) The health care provider should maintain its internal log or other documentation of breaches for six years.



Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.
Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care.  More>
Stay Informed