Notification of breach
Plain English Translation
Business associates must notify the covered entity without unreasonable delay following the discovery of a breach of unsecured PHI. A breach is considered discovered on the first day it is known — or would have been known with reasonable diligence — to any workforce member of the associate.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Establish clear communication channels with all vendors processing PHI and include mandatory breach notification requirements in all initial contracts.
Required Actions (scaleup)
- Implement automated vendor risk management platforms to centrally track business associate agreements and audit incident response readiness.
Required Actions (enterprise)
- Integrate SIEM and automated vendor risk portals to provide real-time visibility into third-party security events and automate downstream reporting workflows.
The rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information.
It mandates that business associates notify the covered entity without unreasonable delay upon discovering a breach of unsecured PHI.
Notification must occur without unreasonable delay and no later than 60 calendar days after the discovery of the breach.
It is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises its security or privacy.
A business associate has a maximum of 60 calendar days from the exact date of discovery to report the breach to the covered entity.
The notification must include the identification of each individual whose unsecured PHI was breached and any other available information the covered entity needs.
A breach is considered discovered on the first day it is known to the business associate or would have been known by exercising reasonable diligence.
Generally, no. The business associate notifies the covered entity, which ultimately holds the legal responsibility for notifying affected patients.
The agreement should specify the exact timeframe, communication channels, and processes for the business associate to report security incidents to the covered entity. Tools like WatchDog Security's Vendor Risk Management can help teams maintain a centralized view of business associate agreements, assigned vendor owners, and assessment status.
Covered entities should strictly enforce business associate agreements, perform regular vendor risk assessments, and establish clear incident response communication protocols. Tools like WatchDog Security's Vendor Risk Management can support this by organizing business associates, risk tiers, security assessments, and follow-up actions in one workflow.
Business associate breach notification obligations can be difficult to manage when contracts, vendor owners, risk tiers, and incident contacts are spread across spreadsheets or inboxes. Tools like WatchDog Security's Vendor Risk Management can centralize the vendor catalog, track security assessments, and help teams maintain visibility into which business associates handle PHI and require strict breach reporting terms.
Breach notification evidence should be organized so teams can reconstruct what happened, when it was discovered, who was notified, and what follow-up actions were taken. Tools like WatchDog Security's Compliance Center can help map evidence to HIPAA requirements, track missing artifacts, and support a more consistent audit trail for breach notification controls.
"The company, as a covered entity, requires all business associates, following the discovery of a breach of unsecured protected health information, to notify the company of such breach. A breach is treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | Compliance Content Team | Initial publication |

