HIPAA Breach Notification Rule
What it does, who it protects, and how to invoke it. Plain English.
Who it protects
Patients of any HIPAA-covered entity (hospitals, doctors' offices, EMS services, health plans). For first responders treated at covered facilities: you are the patient too.
What it does
Forces covered entities to notify you in writing, without unreasonable delay and no later than 60 calendar days after they discover that your protected health information was breached. Breaches affecting 500+ people also trigger prompt notification to HHS and to media in the affected state or jurisdiction; smaller breaches are logged and reported to HHS annually.
How to invoke it
Passive: the rule binds the covered entity, not you. If you suspect a breach happened and you weren't notified, file a complaint with the HHS Office for Civil Rights at hhs.gov/ocr. The complaint triggers an OCR investigation.
Enforcement reality
OCR investigates and can impose civil penalties up to ~$2M per violation category per year. Settlements have ranged from low six figures to $16M (Anthem 2018). No private right of action under HIPAA itself; some states (CA, IL) have parallel state laws that DO allow private suits.
What the Breach Notification Rule actually does
The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) was added to HIPAA in 2009 by the HITECH Act. The plain-English version: when a hospital, clinic, EMS service, insurer, or any other HIPAA-covered entity has your medical data exposed, they have to tell you in writing without unreasonable delay, and in no case later than 60 calendar days after they discover it. One caveat that matters in practice: the rule covers "unsecured" protected health information. Data that was encrypted in a way that meets HHS guidance, with the keys not also compromised, is not treated as breached, so a stolen encrypted laptop may never produce a notice.
Notification is mandatory. The covered entity has to tell each affected patient by first-class mail or, if you've agreed to electronic notice, by email. If the breach involved more than 500 people, they also have to notify the U.S. Department of Health and Human Services within the same 60-day window, and, where more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that jurisdiction. Breaches under 500 people are logged and reported to HHS once a year. HHS posts the 500+ breaches to its public "wall of shame" at breach.hhs.gov.
The data that gets dumped is exactly the data first responders try to keep private: home address, date of birth, Social Security number, insurance ID, sometimes diagnoses and treatment history. The notification is the trigger that lets you do everything downstream: broker opt-outs, fraud alerts, credit freezes.
Why this matters for nurses and EMS specifically
Nurses, paramedics, EMTs, and any first responder treated at a covered facility sit on both sides of the rule. You're a provider when you're working. You're a patient when you've been to the ER for the back you threw out, or when your insurer ran your annual labs, or when you delivered your kid at the hospital where you happen to also work.
That dual exposure matters because most healthcare breaches start with the employer side. The 2024 Change Healthcare breach hit roughly 100 million Americans by the initial count, through a claims clearinghouse that sits between providers and insurers rather than through any one hospital. The Anthem breach discovered in 2015 exposed 79 million records and produced the $16M HHS settlement. Healthcare workers were inside both numbers, both as employees of the affected entity and as members of the affected patient population.
If your hospital system or insurer breaches, you'll get the notice as a patient. The notice is your trigger. Don't ignore it.
What the notification has to tell you
The rule is specific. Each notice must include:
- A brief description of what happened, including, where known, the date of the breach and the date it was discovered
- The types of information involved (name, address, SSN, diagnosis, etc.)
- Steps you should take to protect yourself
- What the covered entity is doing to investigate, mitigate, and prevent recurrence
- Contact information so you can ask questions
If a notice is missing any of those, that's a separate Breach Notification Rule violation. It's not just the breach itself: the inadequate notification is a second hook for OCR.
How to invoke
You don't invoke this rule directly. The rule binds the covered entity. They have to notify you. Your role is reactive, with two paths:
- You got a notice. Document it. Save the letter. Note the date. Use the disclosed data categories to decide what downstream action to take: broker sweep, credit freeze, fraud alerts, change of insurance ID where possible.
- You suspect a breach happened and you weren't notified. File a complaint with the HHS Office for Civil Rights at hhs.gov/ocr. The complaint form is online. OCR investigates and decides whether to act. Investigation timelines run anywhere from six months to two years.
Either way, the breach notice is one piece of evidence. It tells you what data was exposed. It does not tell you whether that data made it into the broker pipeline. Run a scan sixty days after a breach notice. If your address shows on a broker site that wasn't carrying it before, the breach traveled.
Enforcement reality
The HHS Office for Civil Rights investigates. Civil penalties run up to roughly $2M per violation category per calendar year. Settlements vary widely:
- Anthem (2018): $16M, 79M-record breach, the largest HIPAA settlement on record
- Premera Blue Cross (2020): $6.85M, 10.4M records
- Excellus Health Plan (2020): $5.1M
- Memorial Healthcare System (2017): $5.5M
The pattern: large breaches get million-dollar settlements. Smaller breaches at clinics and small practices get six-figure settlements or corrective action plans without a financial penalty.
There is no private right of action under HIPAA itself. You cannot sue your hospital under federal HIPAA when they breach your data. You can only file with OCR.
Some states do allow private suits under parallel statutes. California (CMIA) and Illinois (BIPA, where biometrics are involved) are the two most active. If you live in those states and your covered entity breached, ask a privacy attorney whether you have a state claim that HIPAA itself wouldn't give you.
Where it doesn't reach
The rule binds covered entities and their business associates. It does not reach:
- Direct-to-consumer health apps. Fitness trackers, period-tracking apps, mental health platforms that aren't connected to a covered entity. Those run under FTC rules (including the FTC's own Health Breach Notification Rule), not HIPAA.
- Genetic testing services. 23andMe and similar are not HIPAA-covered. The 2023 23andMe breach was handled under state breach laws, not HIPAA.
- Data the covered entity legitimately disclosed. If your hospital gave properly de-identified data to a research aggregator and the aggregator was breached, that data isn't protected health information under HIPAA and the rule doesn't apply; whatever liability exists runs through a different chain.
- Public-records exposures. If your home address and DOB show on a broker site, HIPAA doesn't reach that. Broker opt-outs do.
What to do after a breach notice
The 60-day window starts when the covered entity discovers the breach, which the rule defines as the first day the breach is known, or reasonably should have been known, to the entity or its workforce. Discovery can lag the actual intrusion by a long time, so by the time you get the notice the data has been exposed for somewhere between a few days and many months.
Your downstream playbook:
- Read the notice. Note exactly which data categories were exposed. SSN, address, DOB, insurance ID, diagnosis.
- Place a credit freeze at all three bureaus. Free, takes ten minutes per bureau. See the FCRA page for the mechanics.
- Run a broker scan. Compare to any prior scan you have. If new addresses or new aggregations appear, the breach data may have entered the broker pipeline.
- File the OCR complaint if the notice was late, incomplete, or you suspect the breach was larger than disclosed. The complaint form is at hhs.gov/ocr.
- Save the letter. A breach notice is the documentary trigger for any state civil claim you might pursue.
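The scan comparison described above (and in the "How to invoke" section) is a diff between broker-scan snapshots, filtered by the data categories the breach notice disclosed, plus re-listing detection across repeated sweeps. The following is an added example, not code from the original page or from any named product; broker names, field labels and record values are constructed placeholders, and the snapshot format (broker, field, value) is an assumption.

```python
# Added example: diff broker-scan snapshots around a breach notice and
# flag listings that come back after an opt-out. Broker names, field
# labels and values are constructed placeholders, not real sites or people.
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set, Tuple

Row = Tuple[str, str, str]  # assumed scan format: (broker, field, value)


@dataclass(frozen=True, order=True)
class Listing:
    broker: str   # broker site carrying the record
    field: str    # data category, labelled the way a breach notice would
    value: str    # what the broker displays


def to_listings(rows: Iterable[Row]) -> Set[Listing]:
    """Normalise raw scan rows so two scans can be compared as sets."""
    return {Listing(b.lower(), f.lower(), v.strip()) for b, f, v in rows}


def diff_scans(before: Iterable[Row], after: Iterable[Row]):
    """Listings present in 'after' but not 'before', and listings that disappeared."""
    b, a = to_listings(before), to_listings(after)
    return sorted(a - b), sorted(b - a)


def breach_spillover(before: Iterable[Row], after: Iterable[Row],
                     disclosed_fields: Iterable[str]) -> List[Listing]:
    """New listings whose category the breach notice said was exposed.

    A new address on a broker that was not carrying it before the notice,
    when the notice listed 'address', is the signal that the breach traveled.
    Unrelated new listings (a category the notice did not mention) are dropped.
    """
    wanted = {f.lower() for f in disclosed_fields}
    new, _gone = diff_scans(before, after)
    return [item for item in new if item.field in wanted]


def relisted(history: Sequence[Iterable[Row]]) -> List[Listing]:
    """Across an ordered series of sweeps, listings that vanished (for example
    after an opt-out) and later reappeared. These are the ones to re-notice."""
    removed: Set[Listing] = set()
    came_back: Set[Listing] = set()
    prev: Set[Listing] = set()
    for snap in history:
        cur = to_listings(snap)
        removed |= prev - cur        # gone since the last sweep
        came_back |= cur & removed   # previously gone, now back
        prev = cur
    return sorted(came_back)


# Constructed sample scans (placeholder brokers and values).
SCAN_BEFORE_NOTICE: List[Row] = [
    ("broker-a.example", "address", "12 Elm St, Springfield"),
    ("broker-a.example", "phone", "555-0100"),
]
SCAN_60_DAYS_AFTER: List[Row] = [
    ("broker-a.example", "address", "12 Elm St, Springfield"),
    ("broker-a.example", "phone", "555-0100"),
    ("broker-b.example", "address", "12 Elm St, Springfield"),  # new carrier
    ("broker-b.example", "dob", "1985-03-14"),                   # new category
    ("broker-c.example", "email", "jdoe@example.com"),           # not in notice
]
NOTICE_CATEGORIES = ["name", "address", "dob"]  # categories the notice disclosed

# Three sweeps: listed, removed after opt-out, listed again.
SWEEP_HISTORY: List[List[Row]] = [
    [("broker-a.example", "address", "12 Elm St, Springfield")],
    [],
    [("broker-a.example", "address", "12 Elm St, Springfield")],
]

if __name__ == "__main__":
    for item in breach_spillover(SCAN_BEFORE_NOTICE, SCAN_60_DAYS_AFTER, NOTICE_CATEGORIES):
        print("spillover:", item)
    for item in relisted(SWEEP_HISTORY):
        print("re-listed:", item)
```

The filter on disclosed categories is the point: a broker scan after a breach will always show some churn, and only new listings in the categories the notice named are evidence that this breach, rather than ordinary aggregation, put the data there.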
What we do
We can't file the HIPAA complaint for you. That's the patient's path through HHS. We do run the downstream broker side. After a healthcare breach, the address and DOB are the highest-value pair attackers reuse. We sweep broker sites every two weeks and re-notice anything that re-lists. If you've gotten a breach letter recently, run a scan and we'll show you what's already exposed.