WikiFrameworksHIPAANotification of breach

Notification of breach

Plain English Translation

Business associates must notify the covered entity without unreasonable delay following the discovery of a breach of unsecured PHI. A breach is considered discovered on the first day it is known — or would have been known with reasonable diligence — to any workforce member of the associate.

Executive Takeaway

Business associates must rapidly notify covered entities of any unsecured PHI breaches to ensure regulatory compliance.

ImpactHigh
ComplexityMedium

Why This Matters

  • Bullet 1: Prompt breach notification minimizes financial and reputational damage following a security incident.
  • Bullet 2: Covered entities rely heavily on rapid vendor reporting to meet their own 60-day reporting obligations.
  • Bullet 3: Failure to meet statutory breach reporting timelines can result in severe financial penalties from regulators.

What “Good” Looks Like

  • Executed business associate agreements dictating strict, legally binding breach reporting timelines, with tools like WatchDog Security's Vendor Risk Management helping track vendor status, agreement coverage, and risk tiers.
  • Automated alerting mechanisms configured to identify data exposure or anomalous access immediately.
  • A well-documented, regularly tested incident response plan shared between the organization and key vendors, with tools like WatchDog Security's Risk Register helping track breach-response risks, owners, treatment plans, and board-level visibility.

Put HIPAA compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

The rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information.

It mandates that business associates notify the covered entity without unreasonable delay upon discovering a breach of unsecured PHI.

Notification must occur without unreasonable delay and no later than 60 calendar days after the discovery of the breach.

It is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises its security or privacy.

A business associate has a maximum of 60 calendar days from the exact date of discovery to report the breach to the covered entity.

The notification must include the identification of each individual whose unsecured PHI was breached and any other available information the covered entity needs.

A breach is considered discovered on the first day it is known to the business associate or would have been known by exercising reasonable diligence.

Generally, no. The business associate notifies the covered entity, which ultimately holds the legal responsibility for notifying affected patients.

The agreement should specify the exact timeframe, communication channels, and processes for the business associate to report security incidents to the covered entity. Tools like WatchDog Security's Vendor Risk Management can help teams maintain a centralized view of business associate agreements, assigned vendor owners, and assessment status.

Covered entities should strictly enforce business associate agreements, perform regular vendor risk assessments, and establish clear incident response communication protocols. Tools like WatchDog Security's Vendor Risk Management can support this by organizing business associates, risk tiers, security assessments, and follow-up actions in one workflow.

Business associate breach notification obligations can be difficult to manage when contracts, vendor owners, risk tiers, and incident contacts are spread across spreadsheets or inboxes. Tools like WatchDog Security's Vendor Risk Management can centralize the vendor catalog, track security assessments, and help teams maintain visibility into which business associates handle PHI and require strict breach reporting terms.

Breach notification evidence should be organized so teams can reconstruct what happened, when it was discovered, who was notified, and what follow-up actions were taken. Tools like WatchDog Security's Compliance Center can help map evidence to HIPAA requirements, track missing artifacts, and support a more consistent audit trail for breach notification controls.

HIPAA 164.410

"The company, as a covered entity, requires all business associates, following the discovery of a breach of unsecured protected health information, to notify the company of such breach. A breach is treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate."

VersionDateAuthorDescription
1.0.02026-05-05Compliance Content TeamInitial publication