Guest Post: Current State of HIPAA Breach Notification – Notify Patients…or Not?

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

Eight thousand providers. One question. When do we notify patients of a breach? I hear this question several times a week from all types of covered entities; hospitals, clinics and physician offices. Many are confused or misinformed about the answer. Furthermore, real world experience varies dramatically. Some providers notify everyone. Others notify only when necessary. What’s the answer?

First and foremost, you do not have to notify the patient each and every time there is a breach of protected health information (PHI). The law requires notification only if you meet one of two conditions:
1) When 500 or more records have been breached at the same time, you must notify the patients involved, OR
2) When you as the covered entity (CE) have conducted the required “risk analysis” and determined the patient (or patients) could suffer substantial financial or reputational harm.

The issue with the second requirement is the term “substantial”. It is very subjective and not fully defined within the rules. Conducting a risk analysis and determining the extent would appear to be a classic case of the fox guarding the hen house. As such, many observers expected hospitals NOT to notify, or perhaps under-notify, as the cost of a breach can be very high — both direct costs and the soft cost of reputational harm to the CE. However, we see providers taking a “better safe than sorry” approach and over-notifying.

In next week’s post, we’ll cover the risks of over-notifying after a breach.

About the author

John Lynn

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Jan,

    Thank you for a most informative and relevant post. The issue of breach of protected health information is so important and affects all covered entities at one time or another.

    I will certainly tune in for the remaing parts to the series.

    Joseph Grace MD

  • HIPAA is still pretty confusing to a lot of people because there are so many aspects of it, and as you mentioned, not everything is clearly defined.

    As for reporting, I’m sure that almost anyone could claim that their reputation has been ruined if personal health information was leaked. A job seeker that was denied employment because of a pre-existing health condition that was divulged through a breach could also claim financial loss. Pretty tricky territory, really.

    One thing is clear though, auditing is already underway so certified entities would be well served to close any technological gaps they might have to avoid penalties or fines for non-compliance.

  • While understanding what to do in case of a breach is important…how about taking the proper steps to avoid a breach?

    Anyone know the #1 reason for a breach?

    Lost or stolen portable storage device – generally meaning laptop, also meaning USB hard drive or “thumb” drive.

    IF those items are properly encrypted you have safe harbor meaning, you don’t have to notify patients.

    This is the #1 easiest way to avoid the #1 cause of PHI breaches.

  • Good point John. I’m all about prevention. I’ll have to use your comment for a future post so that more people get a chance to read it.

Click here to post a comment