
Breach Notification Rule

The HIPAA rule requiring covered entities to notify affected individuals, HHS, and sometimes the media after a breach of unsecured protected health information. Codified at 45 CFR §§164.400-414.

In depth

A breach is presumed when unsecured PHI is acquired, accessed, used, or disclosed in a way the Privacy Rule does not permit, unless a four-factor risk assessment shows a low probability of compromise. Individuals must be notified without unreasonable delay and no later than 60 days. Breaches affecting 500 or more individuals must be reported to HHS and prominent media without unreasonable delay; smaller breaches are logged and reported to HHS annually.
