Under the U.S. Health Insurance Portability and Accountability Act (HIPAA), dental practices handling protected health…

HIPAA Breach Notification Procedures
On April 23, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a News Bulletin about a settlement agreement over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) arising from a phishing attack that breached protected health information (PHI). Among other violations found in the investigation, OCR determined that a healthcare network had failed to notify affected individuals, the HHS Secretary, and the media of a breach of unsecured protected health information within 60 days of its discovery.
A breach is an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI such that the use or disclosure poses a significant risk of harm to the affected individual. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals (for example, through encryption). Covered entities are required to provide notification only if the breach involved unsecured PHI.
If a breach of PHI occurs, covered entities, including dental providers, must follow the Breach Notification Rule, which requires notification following a breach of unsecured PHI. Upon discovery of a possible breach, and before notifying affected individuals, the covered entity is required to conduct a risk assessment to determine whether a PHI breach occurred and the extent of the breach.
Who Must Be Notified and When
Following a breach of unsecured PHI, dental providers are required to provide breach notification within 60 calendar days from the discovery of the breach:
- to affected individuals, or their next of kin;
- to law enforcement, if any illegal activity is suspected;
- to the HHS Secretary and prominent media outlets, if the breach involves more than 500 individuals; and
- in California, to the California Attorney General, if the breach involves more than 500 individuals.
For smaller breaches, a dental provider must keep a log of all breaches that involve fewer than 500 individuals, which must be submitted annually to HHS no later than 60 days after the end of each calendar year.
Notification Method
A written breach notice to affected individuals must be sent by first-class mail, or email if requested by the affected individual, and must contain the following information:
- Description of what happened, including PHI involved
- Steps the individual should take to protect themselves from potential harm resulting from the breach
- A description of investigation and mitigation steps
- Contact information
Documentation
The dental provider must document the office’s breach notification policies and procedures in the HIPAA Plan. All breach documentation – breach risk assessment, breach notification plan, breach log, and breach incident notices – must be maintained in the office for six years.
To our OSHA Review subscribers… template HIPAA forms – HIPAA plan, Notice of Privacy Practices (NPP), breach notification documentation, HIPAA checklist (to aid with security risk analysis), and sample BA contract – are available from OSHA Review’s website.