How do patients get notified if their HIPAA PHI has been compromised?

by | Jun 13, 2023 | HIPAA News and Advice

Patients are notified of a compromise of their HIPAA-protected health information (PHI) by the covered entity or business associate responsible for safeguarding it. The notification is sent by mail or electronically, depending on the patient’s preference and the nature of the breach, and HIPAA requires it to describe the breach, the steps taken to mitigate the harm, and what the patient can do to protect themselves. Breach notification is an important part of healthcare privacy and security practice, and healthcare professionals, administrators, and compliance officers must know the protocols and obligations that come with it.

| Notification Process | Description |
|---|---|
| Notification Responsibility | Covered entities and business associates must notify patients in case of a PHI breach. |
| Confirmation of Breach | A breach is confirmed through an investigation before patients are notified. |
| Risk Assessment | Entities assess the level of risk posed by the breach to determine whether patient notification is required. |
| Timely Notification | Patients must be notified without unreasonable delay and no later than 60 days from discovery of the breach. |
| Written Notification | Patients usually receive written notifications by mail containing detailed breach information. |
| Electronic Notification | Patients who consent to electronic communication may receive notifications via email or secure online portals. |
| Substitute Notice | If contact information is lacking for some patients, substitute notice methods may be used, such as website postings or media announcements. |
| Content of Notification | Notification letters include a clear breach description, actions taken to address the breach, contact details, and guidance for self-protection. |
| Reporting to HHS | Breaches affecting 500 or more individuals require reporting to the Secretary of HHS and, if applicable, the media. |
| Consequences of Non-Compliance | Failure to comply with breach notification requirements can lead to civil and criminal penalties, reputational damage, and legal action. |
| Prevention and Preparedness | Healthcare organizations should focus on prevention through security measures, staff training, incident response planning, risk assessments, and documentation. |

Table: Process of Notifying Patients When Their PHI is Compromised

PHI includes a broad range of individually identifiable health information that is transmitted or maintained by covered entities (e.g., healthcare providers, health plans, healthcare clearinghouses) and their business associates. HIPAA is a federal law enacted in 1996 that establishes safeguards for the protection of PHI. It comprises two key rules relevant to breach notifications. The HIPAA Privacy Rule defines PHI and sets standards for its protection and permissible uses and disclosures. The HIPAA Security Rule outlines security standards to safeguard electronic PHI (ePHI) through administrative, physical, and technical safeguards.

A breach of PHI, according to HIPAA, is an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Not every security incident or privacy violation qualifies as a breach. Certain exceptions exist, such as unintentional disclosures between authorized individuals within a covered entity or business associate. However, when a breach does occur, prompt action is required. Covered entities and business associates have specific responsibilities when it comes to detecting, responding to, and reporting PHI breaches. They are required to have mechanisms in place to detect and respond to potential breaches promptly. This includes conducting regular risk assessments, implementing security measures, and training staff on privacy and security policies.

Once a potential breach is detected, a thorough investigation is necessary. This involves determining the scope of the breach, identifying the individuals involved, and assessing the potential harm to affected individuals. If the breach is confirmed and poses a risk of financial, reputational, or other harm to the affected individuals, covered entities are obligated to notify them promptly. Notifications should include details about the breach, the types of PHI involved, steps taken to mitigate harm, and instructions for individuals to protect themselves. In cases where the breach affects 500 or more individuals, covered entities must notify the Secretary of HHS and the media within specific timeframes. Smaller breaches can be reported to HHS annually. Covered entities must inform their business associates of breaches promptly so that appropriate actions can be taken to address the breach and prevent further exposure.

The method of notifying affected individuals and other parties depends on various factors, including the number of individuals affected and individual preferences. The primary methods of notification are written notification, electronic notification, and substitute notification. Covered entities typically send written notifications to affected individuals by mail. These letters contain all required information about the breach and mitigation steps. Covered entities may use email or secure online portals if individuals have agreed to electronic communication. However, special precautions must be taken to ensure the security and confidentiality of electronic notifications. If there is insufficient contact information for a portion of affected individuals, substitute notice through a prominent posting on the covered entity’s website or in major print or broadcast media may be necessary.

Timeliness is very important in breach notification. Covered entities and business associates must act swiftly while balancing the need for a thorough investigation. Covered entities must notify affected individuals without unreasonable delay, but no later than 60 days from the date of discovery of the breach. Delays may occur if law enforcement requests a delay in notification for investigative purposes. For breaches affecting 500 or more individuals, HHS must be notified without unreasonable delay and no later than 60 days after the discovery of the breach. If the breach affects more than 500 individuals in a particular state or jurisdiction, prominent media outlets must be notified within 60 days as well.
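The two paragraphs above describe a small decision procedure: who must be told, by when, and through which channel, based on the discovery date, the number of people affected (in total and per state), whether contact information is missing, and whether law enforcement has asked for a delay. The following Python is an added triage helper that encodes those rules; it is not code from the article or from any HIPAA tooling. Two details come from the regulation rather than from this page and are marked in the code: the annual report of smaller breaches is due 60 days after the end of the calendar year (45 CFR 164.408(c)), and substitute notice by website or media posting applies when 10 or more individuals are unreachable (45 CFR 164.404(d)(2)). Modelling a law-enforcement request as simply extending the 60-day clock by the requested number of days is a simplifying assumption.

```python
"""Added example: HIPAA breach-notification triage helper (illustrative, not legal advice)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

NOTICE_WINDOW = timedelta(days=60)  # "without unreasonable delay, no later than 60 days"
HHS_IMMEDIATE_THRESHOLD = 500       # 500 or more affected: report to HHS within the window
MEDIA_THRESHOLD = 500               # more than 500 in one state/jurisdiction: notify media there
SUBSTITUTE_POSTING_THRESHOLD = 10   # 45 CFR 164.404(d)(2): 10+ unreachable -> web/media posting


@dataclass
class Breach:
    discovered: date                    # date the breach was discovered
    affected_by_state: Dict[str, int]   # state or jurisdiction -> individuals affected
    unreachable: int = 0                # individuals with insufficient contact information
    law_enforcement_hold_days: int = 0  # delay requested by law enforcement (assumed to extend the clock)


def notification_plan(b: Breach) -> dict:
    """Return who must be notified and by when for a confirmed breach."""
    total = sum(b.affected_by_state.values())
    hold = timedelta(days=b.law_enforcement_hold_days)

    # Individual notice: 60 days from discovery, extended by any law-enforcement hold (assumption).
    individual_deadline = b.discovered + NOTICE_WINDOW + hold

    # HHS: immediate report for 500+, otherwise logged and reported annually.
    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_mode = "immediate"
        hhs_deadline = individual_deadline
    else:
        hhs_mode = "annual"
        year_end = date(b.discovered.year, 12, 31)
        hhs_deadline = year_end + NOTICE_WINDOW  # 45 CFR 164.408(c): 60 days after year end

    # Media: only for states/jurisdictions with MORE than 500 affected residents.
    media_states: List[str] = sorted(
        s for s, n in b.affected_by_state.items() if n > MEDIA_THRESHOLD
    )

    # Substitute notice for individuals who cannot be reached by written notice.
    if b.unreachable == 0:
        substitute = "none"
    elif b.unreachable < SUBSTITUTE_POSTING_THRESHOLD:
        substitute = "alternative written or telephone notice"
    else:
        substitute = "website posting or major media, with toll-free number"

    return {
        "total_affected": total,
        "individual_notice_deadline": individual_deadline,
        "hhs_report": hhs_mode,
        "hhs_deadline": hhs_deadline,
        "media_notice_states": media_states,
        "substitute_notice": substitute,
    }


def triage(discovered_iso: str, affected_by_state: Dict[str, int],
           unreachable: int = 0, hold_days: int = 0) -> dict:
    """Convenience wrapper taking an ISO date string, e.g. "2023-06-13"."""
    return notification_plan(Breach(date.fromisoformat(discovered_iso),
                                    affected_by_state, unreachable, hold_days))


if __name__ == "__main__":
    # Constructed sample: 660 people across two states, 12 with no usable address.
    for key, value in triage("2023-06-13", {"CA": 620, "NV": 40}, unreachable=12).items():
        print(f"{key}: {value}")
```

The two thresholds are deliberately kept apart: a breach of exactly 500 people triggers the immediate HHS report but not media notice, because the media rule requires more than 500 residents of a single state or jurisdiction.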

Notification letters or electronic communications to affected individuals should contain specific information to ensure transparency and help individuals protect themselves. The key components are a description of the breach, the steps taken, contact information, and protection measures: a clear and concise explanation of the breach, including when it occurred, the types of PHI involved, and how it happened; the actions the covered entity has taken to investigate and mitigate the breach; contact details individuals can use to obtain further information or assistance; and guidance on actions individuals can take to protect themselves, such as monitoring financial accounts and reporting suspicious activity.

Failure to comply with HIPAA breach notification requirements can result in civil penalties, criminal penalties, reputational damage, and legal action for covered entities and business associates. HHS may impose civil penalties ranging from $100 to $50,000 per HIPAA violation, depending on the level of culpability. In cases of willful neglect, criminal penalties can apply, with fines ranging from $50,000 to $1.5 million. Breach incidents and non-compliance can harm the reputation of healthcare organizations and erode patient trust. Affected individuals may pursue legal action against the entity responsible for the breach, potentially resulting in costly litigation.

Given the potential consequences of PHI breaches, healthcare organizations should prioritize prevention and preparedness. Key strategies include implementing security measures to protect PHI, including encryption, access controls, and regular security audits; ensuring that staff receives training on HIPAA requirements, privacy, and security policies; developing and regularly updating an incident response plan to guide actions in the event of a breach; conducting regular risk assessments to identify vulnerabilities and proactively address them; and maintaining thorough records of breach detection, investigation, and notification processes to demonstrate compliance with HIPAA requirements.
The notification of compromised PHI under HIPAA is a process that demands swift and precise action. Healthcare professionals and organizations must be well-prepared to detect, respond to, and report breaches, ensuring that affected individuals are promptly notified, and regulatory obligations are met. Prevention measures remain the foundation for safeguarding patient privacy and maintaining compliance with HIPAA regulations. Understanding the requirements of breach notifications is necessary for healthcare entities committed to protecting PHI and maintaining trust with their patients.