Breach notice identification of individuals
Plain English Translation
Breach notifications from a business associate to the covered entity must include, to the extent possible, the identity of each individual whose unsecured PHI was accessed, acquired, used, or disclosed during the breach. This information enables the covered entity to fulfill its own notification obligations.
Technical Implementation
Required Actions (startup)
- Ensure application databases map user accounts or IDs directly to any stored health information so that a compromised table can be translated into a list of affected individuals.
Required Actions (scaleup)
- Implement detailed application-level audit logging that records exactly which records were accessed during a session, simplifying the forensic identification process post-breach.
Required Actions (enterprise)
- Deploy advanced Data Loss Prevention (DLP) and forensic analysis tools capable of automatically identifying and generating secure manifests of specific records exfiltrated during a cyberattack.
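The three actions above share one workflow: take the compromised account and incident window, pull the PHI records it touched from application-level audit logs, and translate those records into a list of individuals for the covered entity. The following script is an added example written for this page; it is not code from the page or from WatchDog Security. The JSON-lines audit schema (`ts`, `actor`, `session`, `action`, `table`, `record_id`), the record-to-patient mapping, and all log lines are constructed for illustration. Records that appear in the log but have no mapping to an individual are reported separately rather than dropped, which is how "to the extent possible" identification surfaces gaps the covered entity must know about.

```python
"""Derive an affected-individual list from application audit logs.

Added example, not part of the original page. Log schema, mapping and
sample data below are constructed assumptions for illustration.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime

# Constructed audit log: one JSON object per line, plus one garbled line
# such as log rotation might leave behind. Field names are assumptions.
AUDIT_LOG = """\
{"ts": "2026-05-01T09:12:04Z", "actor": "svc-billing", "session": "s-1001", "action": "read", "table": "encounters", "record_id": "enc-501"}
{"ts": "2026-05-01T09:12:09Z", "actor": "svc-billing", "session": "s-1001", "action": "read", "table": "encounters", "record_id": "enc-502"}
{"ts": "2026-05-01T09:13:30Z", "actor": "nurse.kim", "session": "s-2002", "action": "read", "table": "encounters", "record_id": "enc-777"}
{"ts": "2026-05-01T09:15:00Z", "actor": "svc-billing", "session": "s-1001", "action": "export", "table": "lab_results", "record_id": "lab-90"}
garbled line left by log rotation
{"ts": "2026-05-01T09:40:00Z", "actor": "svc-billing", "session": "s-1001", "action": "read", "table": "encounters", "record_id": "enc-999"}
{"ts": "2026-05-02T11:00:00Z", "actor": "svc-billing", "session": "s-1050", "action": "read", "table": "encounters", "record_id": "enc-503"}
"""

# Constructed mapping from stored health-information records to the
# individual they belong to (the record-to-individual link the startup
# action asks for). enc-999 is deliberately absent to exercise the gap path.
RECORD_TO_PATIENT = {
    ("encounters", "enc-501"): "pat-A",
    ("encounters", "enc-502"): "pat-B",
    ("encounters", "enc-503"): "pat-C",
    ("encounters", "enc-777"): "pat-D",
    ("lab_results", "lab-90"): "pat-A",
}

# Audit actions that count as PHI being accessed, acquired, used or disclosed.
PHI_ACTIONS = {"read", "export", "update", "delete"}


def _parse_ts(value: str) -> datetime:
    # Accept the RFC 3339 "Z" suffix on Python versions before 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class BreachScope:
    affected: dict = field(default_factory=dict)    # patient id -> [(table, record_id)]
    unresolved: list = field(default_factory=list)  # records with no known individual
    touched_records: int = 0                        # distinct PHI records in scope
    skipped_lines: int = 0                          # unparsable audit lines


def identify_affected(log_text, mapping, compromised_actor, window_start, window_end):
    """Return the BreachScope for one compromised actor inside a time window."""
    start, end = _parse_ts(window_start), _parse_ts(window_end)
    scope = BreachScope()
    seen = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = _parse_ts(ev["ts"])
            key = (ev["table"], ev["record_id"])
            actor, action = ev["actor"], ev["action"]
        except (ValueError, KeyError, TypeError):
            scope.skipped_lines += 1  # count, never silently drop, bad lines
            continue
        if actor != compromised_actor or not (start <= ts <= end):
            continue
        if action not in PHI_ACTIONS or key in seen:
            continue
        seen.add(key)
        scope.touched_records += 1
        patient = mapping.get(key)
        if patient is None:
            scope.unresolved.append(key)
        else:
            scope.affected.setdefault(patient, []).append(key)
    for records in scope.affected.values():
        records.sort()
    scope.unresolved.sort()
    return scope


def manifest_lines(scope: BreachScope) -> list:
    """Render the scope as lines for the notice to the covered entity."""
    lines = [
        f"{pid}: {len(recs)} record(s): " + ", ".join(f"{t}/{r}" for t, r in recs)
        for pid, recs in sorted(scope.affected.items())
    ]
    if scope.unresolved:
        lines.append("UNRESOLVED (no individual mapping, best available data): "
                     + ", ".join(f"{t}/{r}" for t, r in scope.unresolved))
    return lines


if __name__ == "__main__":
    s = identify_affected(AUDIT_LOG, RECORD_TO_PATIENT, "svc-billing",
                          "2026-05-01T09:00:00Z", "2026-05-01T10:00:00Z")
    print("\n".join(manifest_lines(s)))
    print(f"records={s.touched_records} skipped_lines={s.skipped_lines}")
```

Two points of the design matter in practice: the window and actor filter keeps legitimate access by other staff (nurse.kim above) and the same account's later, unrelated session out of the list, and the `unresolved` bucket is what tells the covered entity that some records could not be tied to a person, so they can decide how to handle that portion of the scope.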
Under HIPAA 164.410, a business associate must notify the covered entity of any breach of unsecured protected health information without unreasonable delay.
Yes, to the extent possible, the business associate must identify each individual whose unsecured protected health information has been accessed or acquired.
The notice must include the identification of each affected individual and any other available information the covered entity is required to include in their patient notification.
The organization must provide notification to the covered entity without unreasonable delay and in no case later than 60 calendar days after discovering the breach.
Unsecured protected health information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through approved methodologies.
The covered entity ultimately bears the legal responsibility for notifying the affected individuals, while relying entirely on the business associate to identify whose PHI was compromised.
The business associate must identify individuals to the extent possible. If exact identification is impossible, they must provide the covered entity with the best available data.
HIPAA views unauthorized access, acquisition, use, or disclosure as interactions with protected health information that compromise the security or privacy of the data, triggering the notification mandate.
A checklist should include steps for identifying the breach, determining the scope of compromised PHI, identifying affected individuals, logging discovery dates, and drafting the notice.
Covered entities should maintain a centralized security incident log and coordinate closely with the vendor to ensure all provided identities are accurately cross-referenced.
The hard part is connecting a compromised system, table, file, or account back to specific patient records quickly enough to support HIPAA notification timelines. Tools like WatchDog Security's Asset Inventory can help by maintaining system ownership, SaaS inventory, cloud asset context, and identity mapping so incident teams have a clearer starting point for determining which individuals may have been affected.
Affected-individual lists often contain sensitive PHI or identifiers, so sending them through ordinary email can create additional exposure and audit issues. Tools like WatchDog Security's Secure File Sharing can support encrypted transfer, TOTP verification, and audit logs when a business associate needs to provide breach-scope information to a covered entity.
"A business associate's breach notification includes, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | Compliance Team | Initial publication |