Under the Breach Notification Rule, what determines whether individuals and media must be notified?
Under the HIPAA Breach Notification Rule, whether you must notify individuals and the media is determined mainly by (1) whether there is a “breach” of unsecured protected health information (PHI) and (2) how many people, and where they live, are affected.
What triggers individual notice?
Individual notification is required when there is a breach of unsecured PHI that is not low risk after a formal risk assessment. In practice, this hinges on:
- PHI was accessed, acquired, used, or disclosed in a way not permitted by the HIPAA Privacy Rule.
- A risk assessment (considering who received the data, whether it was actually viewed, whether it was mitigated, etc.) does not show a low probability that the PHI was compromised.
- The PHI was “unsecured,” meaning it was not properly encrypted or destroyed according to federal guidance.
If these conditions are met, each affected individual must be notified without unreasonable delay and no later than 60 days after discovery of the breach.
What triggers media notice?
Media notification is not about every breach; it is tied to the scale and geography of the incident.
- Media notice is required when the breach involves more than 500 residents of a single state or jurisdiction.
- “Residents of a single state or jurisdiction” means the 500+ must be in the same state or jurisdiction; 600 people spread across three different states (200/200/200) would not, by itself, trigger media notice under this rule.
- When this threshold is met, the covered entity must notify prominent media outlets serving that state or jurisdiction, usually via a press release, within 60 days of discovery.
Media notice is in addition to, not a substitute for, notifying affected individuals.
Key determinants at a glance
- Is it a breach of unsecured PHI?
  - If no → Breach Notification Rule may not require notice.
  - If yes → Move to risk assessment.
- Does the risk assessment show low probability of compromise?
  - If yes → Notification generally not required.
  - If no → Must notify affected individuals.
- How many individuals are affected, and where do they reside?
  - Any number (1+) → Notify each affected individual.
  - More than 500 individuals total → Notify HHS promptly.
  - More than 500 **residents of one state/jurisdiction** → Also notify prominent media in that area.
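As an added illustration (not part of the original answer), here is a Python function that applies the decision tree above to a constructed list of affected individuals' states of residence. It follows the table's "500+" wording for the HHS threshold and counts media notice per jurisdiction rather than in total, so 600 people split 200/200/200 across three states trigger a prompt HHS report but no media notice.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Thresholds as stated on this page. The HHS threshold follows the table row
# ("500+ individuals"); the media threshold is strictly "more than 500"
# residents of a single state or jurisdiction.
HHS_PROMPT_THRESHOLD = 500   # 500 or more affected individuals in total
MEDIA_THRESHOLD = 500        # more than 500 residents of one jurisdiction


@dataclass
class BreachNotice:
    individuals: bool                        # notify each affected person
    media_jurisdictions: List[str] = field(default_factory=list)
    hhs: str = "none"                        # "none", "prompt" or "annual_log"
    deadline_days: Optional[int] = None      # notices due within 60 days of discovery


def assess_breach(unsecured_phi: bool, low_probability_of_compromise: bool,
                  affected_states: List[str]) -> BreachNotice:
    """Apply the page's decision tree to one incident.

    affected_states holds one state/jurisdiction code per affected
    individual (constructed input for this example).
    """
    # Step 1: PHI that was properly encrypted or destroyed is "secured" and
    # falls outside the rule.
    if not unsecured_phi:
        return BreachNotice(individuals=False)
    # Step 2: a risk assessment showing a low probability of compromise
    # means notice is generally not required.
    if low_probability_of_compromise:
        return BreachNotice(individuals=False)
    total = len(affected_states)
    if total == 0:
        return BreachNotice(individuals=False)
    # Step 3: any number (1+) of affected individuals must be notified.
    notice = BreachNotice(individuals=True, deadline_days=60)
    # HHS: prompt report for 500+ total; otherwise log and report annually.
    notice.hhs = "prompt" if total >= HHS_PROMPT_THRESHOLD else "annual_log"
    # Media: the threshold is evaluated per state/jurisdiction, not in total.
    per_state = Counter(affected_states)
    notice.media_jurisdictions = sorted(
        state for state, count in per_state.items() if count > MEDIA_THRESHOLD)
    return notice
```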
Simple table of thresholds
| Notification target | What determines if notice is required? |
|---|---|
| Individuals | Breach of unsecured PHI with more than low risk of compromise, affecting them in any number (1+). [7][5] |
| Media | Breach of unsecured PHI affecting more than 500 residents of a single state or jurisdiction. [9][3][5] |
| HHS | Breach of unsecured PHI; if 500+ individuals, report within 60 days, otherwise log and report annually. [1][5][7] |
Mini “Quick Scoop” storyline
Imagine a hospital misconfigures a database, exposing thousands of patient records online for several weeks. A risk assessment shows the data was indexed by search engines and likely viewed, meaning the probability of compromise is not low. Because this involves unsecured PHI and real risk, every affected patient must receive an individual breach notice within 60 days, telling them what happened and what they can do.
Now say 2,000 of those patients live in the same state. That crosses the “more than 500 residents in one state” line, so the hospital must also issue a press release or similar notice to prominent media outlets serving that state, on roughly the same timeline. The media notice does not replace the letters to patients; it exists to reach people whose contact details may be wrong or incomplete.