HIPAA Breach Notification Rules for Websites
When a website security incident involves PHI, HIPAA's Breach Notification Rule creates strict timelines and obligations. Know them before you need them.
What Constitutes a HIPAA Breach
Under the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), a breach is an impermissible use or disclosure of PHI that compromises its security or privacy. The rule creates a presumption of breach — any unauthorized access to, acquisition, use, or disclosure of PHI is presumed to be a reportable breach unless the covered entity can demonstrate a low probability that the PHI has been compromised.
For websites, common breach scenarios include:
- Database containing PHI exposed through a SQL injection attack
- Tracking pixels transmitting PHI to unauthorized third parties
- Patient records accessible without authentication due to misconfiguration
- Form submissions routed to incorrect recipients
- Unsecured S3 bucket or cloud storage containing patient data discovered by researchers
The Four-Factor Risk Assessment
To determine whether a presumed breach requires notification, organizations must conduct a four-factor risk assessment:
- Nature and extent of PHI involved — what types of information were exposed, and how readily could they identify a person? More sensitive data (mental health, HIV status, substance abuse) raises the probability that the PHI has been compromised and makes the presumption of breach harder to rebut.
- Identity of the person who used or received the PHI — was it another covered entity (lower risk) or an unknown external party (higher risk)?
- Whether PHI was actually acquired or viewed — mere access to a misconfigured database may differ from confirmed data exfiltration.
- Extent to which the risk has been mitigated — did the organization immediately revoke access and recover the data?
This assessment must be documented. If you cannot demonstrate low probability of compromise, notification is required.
Notification Timelines and Requirements
HIPAA's breach notification timeline is strict and non-negotiable:
- Individual notification: Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of the breach
- HHS notification: If the breach affects 500 or more individuals in a single state, HHS must also be notified within 60 days. Breaches affecting fewer than 500 individuals must be reported to HHS annually.
- Media notification: Breaches affecting 500 or more residents of a state must be reported to prominent media outlets in that state
- Business associate notification: A BA that discovers a breach must notify the covered entity within 60 days — the BA's timeline starts at discovery, not at the time it notifies the CE
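Because these deadlines are counted from discovery and branch on headcount, the following added Python helper (written for this page, not part of the original article) shows how a response team can turn an incident record into a list of obligations and due dates, refusing to conclude "no notification" unless the four-factor assessment from the previous section has been documented. The `Incident` and `RiskAssessment` fields and the sample incidents are constructed for the example. It applies the HHS 500-or-more threshold to the total affected count and the media threshold per state, following 45 CFR § 164.408(b) and § 164.406; annual reports for smaller breaches are due 60 days after the end of the calendar year of discovery (§ 164.408(c)).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

NOTIFICATION_WINDOW = timedelta(days=60)  # "no later than 60 days" after discovery
LARGE_BREACH_THRESHOLD = 500               # HHS (total) and media (per state) thresholds


@dataclass
class RiskAssessment:
    """The four factors, recorded as free text, plus the documented conclusion.
    Field names are hypothetical; the regulation prescribes the factors, not a schema."""
    nature_and_extent: str
    recipient: str
    acquired_or_viewed: str
    mitigation: str
    low_probability_of_compromise: bool


@dataclass
class Incident:
    discovered_on: date
    affected_by_state: Dict[str, int]       # state code -> number of residents affected
    discovered_by_business_associate: bool = False
    assessment: Optional[RiskAssessment] = None


def total_affected(incident: Incident) -> int:
    return sum(incident.affected_by_state.values())


def triage(incident: Incident) -> dict:
    """Return {'breach': bool, 'obligations': {description: deadline or None}}.

    The presumption of breach stands unless a documented assessment concludes
    low probability of compromise, so a missing assessment is treated as a
    breach and an obligation to document the assessment is added."""
    obligations: Dict[str, Optional[date]] = {}
    a = incident.assessment
    if a is not None and a.low_probability_of_compromise:
        return {"breach": False, "obligations": obligations}
    if a is None:
        obligations["document four-factor risk assessment"] = None

    deadline = incident.discovered_on + NOTIFICATION_WINDOW
    if incident.discovered_by_business_associate:
        # The BA's 60-day clock runs from its own discovery, not from when it tells the CE.
        obligations["business associate notifies covered entity"] = deadline
    obligations["notify affected individuals"] = deadline

    if total_affected(incident) >= LARGE_BREACH_THRESHOLD:
        obligations["notify HHS"] = deadline
    else:
        year_end = date(incident.discovered_on.year, 12, 31)
        obligations["include in annual HHS report"] = year_end + NOTIFICATION_WINDOW

    for state, count in sorted(incident.affected_by_state.items()):
        if count >= LARGE_BREACH_THRESHOLD:
            obligations[f"notify prominent media in {state}"] = deadline
    return {"breach": True, "obligations": obligations}


# Constructed sample: an exposed patient database discovered on 2024-03-04.
SAMPLE_LARGE = Incident(
    discovered_on=date(2024, 3, 4),
    affected_by_state={"CA": 620, "NV": 40},
    assessment=RiskAssessment(
        nature_and_extent="names, DOB, diagnosis codes",
        recipient="unknown external IP addresses",
        acquired_or_viewed="web logs show bulk record retrieval",
        mitigation="endpoint taken offline; credentials rotated",
        low_probability_of_compromise=False,
    ),
)

# Constructed sample: a small misrouted-form incident found by a business associate.
SAMPLE_SMALL_BA = Incident(
    discovered_on=date(2023, 11, 10),
    affected_by_state={"TX": 12},
    discovered_by_business_associate=True,
)

if __name__ == "__main__":
    for name, inc in (("large", SAMPLE_LARGE), ("small/BA", SAMPLE_SMALL_BA)):
        result = triage(inc)
        print(name, "breach:", result["breach"])
        for what, when in result["obligations"].items():
            print("  ", what, "->", when)
```

The deadlines are the statutory outer bound; "without unreasonable delay" still governs, so a team would normally set internal targets well inside them.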
Content of Breach Notifications
Notification to individuals must include specific elements under 45 CFR § 164.404(c):
- Brief description of what happened, including the date of the breach and date of discovery
- Description of the types of PHI involved
- Steps individuals should take to protect themselves (credit monitoring, fraud alerts)
- Description of what the organization is doing to investigate, mitigate harm, and prevent future breaches
- Contact information for individuals to ask questions or get assistance
Notifications must be in plain language, not legalese. They are typically sent by first-class mail, though email can be used if the individual has agreed to electronic communication.
Preparing a Breach Response Plan
Every organization handling ePHI must have a breach response plan before an incident occurs. For website-focused organizations, the plan should specifically address:
- Who is notified first internally when a potential website breach is discovered
- How to preserve evidence without disrupting operations
- Procedures for assessing the scope of the breach (log analysis, database queries)
- Legal counsel engagement trigger points
- Template notifications ready to be customized and sent
- Contact list for HHS's Breach Reporting Portal (ocrportal.hhs.gov)
A response plan that exists only on paper has limited value. Conduct tabletop exercises annually where your team walks through a simulated website breach scenario.