What Are the Breach Notification Rule Requirements in HIPAA?

Managing medical records is one of the most challenging parts of maintaining any practice, from extensive treatment logs to patient history. Confidential information is the key to providing first-class services to your patients. However, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a breach of the privacy of someone’s medical information requires that you notify the patient in question of the incident.

So what are the breach notification rule requirements from HIPAA specifically? Read on to learn how the rules work. They mostly depend on the circumstances and extent to which the breached information impacts the patient. 

And if you need experts to help you manage your cash flow and revenue cycles for a compliant practice, including navigating HIPAA in medical billing, call PracticeForces.

What Is a Medical Information Breach?

HIPAA defines a medical information breach as any situation where an unauthorized user gains access to protected, unsecured paper or electronic medical records. The risk associated with the breach defines its severity and dictates the procedure. 

For example, HIPAA’s risk assessment for a breach includes the following:

  • The type, nature, and extent of protected health information involved in the breach
  • The unauthorized individual who obtained the information
  • Whether the unauthorized individual fully accessed or viewed the information
  • The efficacy of risk mitigation responses from medical professionals involved

Breach Notification Rule Requirements

Just what are the breach notification rule requirements, though? 

Notify Patient

Depending on the risk assessment, medical professionals must start by notifying impacted individuals. This must happen no more than 60 days after the discovery of the breach. 

Send Letter

Covered entities must send breach notification letters through first-class mail. The details in the letter might include an implicated department of unsecured protected health information or the extent to which the risk compromised records.

Notify Department of Health and Human Services

Next, you need to notify the Department of Health and Human Services. If the breach impacted over 500 people, this notification needs to occur no more than 60 days after discovery. For smaller cases, the notification may occur within 60 days of the end of the same calendar year.

Notify Media

Did the breach involve over 500 individuals? Covered entities must notify the media in the patients’ states to increase awareness and allow more patients to take action. Failing to notify the media may result in legal penalties.

Update Webpage

Finally, the impacted organization must post a substitute breach notice that links to the homepage. It should remain on the website for 90 days.

Improve Practice Billing and Workflow With PracticeForces

HIPAA is just one of the rules in place to ensure that practices service their patients well. Other potential areas to refine might involve streamlining the basic points of medical billing or outsourcing your practice’s cash flow management. Why not contact PracticeForces to help? 

With comprehensive services for medical practices of any kind, our team can help you maximize your profits and streamline your operations.

What are the breach notification rule requirements for fewer than 500 individuals? Find out from PracticeForces at (727) 202-5429. And remember to ask about billing and workflow management ideas that could aid your practice!

Parul Garg, CEO and co-founder of PracticeForces, has significantly contributed to the growth of over 1,000 U.S. medical practices through her expertise in medical billing and coding since the company’s inception in 2003. With a background in Computer Science and an MBA in Human Resources, her leadership and AAPC-certified coding skills have been pivotal in managing the company’s operations effectively.
