The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases media outlets following a breach of unsecured protected health information. For home health agencies, the most dangerous mistakes happen in the first 72 hours — when paralysis and uncertainty consume the time that compliance deadlines require.

Step 1: Determine Whether a Breach Has Occurred (Hours 0–24)

Not every security incident is a reportable breach. The four-factor risk assessment determines whether unauthorized access to PHI poses a significant risk of harm:
- Factor 1: The nature and extent of PHI involved — types of data and sensitivity level
- Factor 2: Who accessed the PHI and their likelihood of misusing it
- Factor 3: Whether PHI was actually acquired or viewed, or only potentially accessible
- Factor 4: Whether risk has been mitigated — credentials changed, device recovered intact
If the assessment cannot demonstrate a low probability of PHI compromise, notification is required. The burden of proof is on the agency. Document the four-factor assessment in writing regardless of outcome — OCR reviews this document first.

Step 2: Identify All Affected Individuals (Days 1–7)

Forensic analysis determines what data was accessible, what records were stored on compromised systems, and the scope of unauthorized access. Work with your managed security provider and legal counsel. Over-notification is defensible. Under-notification generates additional OCR scrutiny.

Step 3: Notify Affected Individuals — Within 60 Days

Individual notification must be sent within 60 days of discovery. Required content:
- Brief description of what happened — breach date and discovery date
- Types of PHI involved — categories, not individual records (name, SSN, diagnoses, etc.)
- Steps individuals should take — credit freeze, fraud alerts, monitoring services
- What your agency is doing — investigation, mitigation, and future breach prevention
- Contact information — dedicated phone number or email for affected individuals' questions
Method: first-class mail to last known address. If 10 or more individuals cannot be reached by mail, post a substitute notice on your agency website for 90 days. If 500 or more individuals in a state are affected, notify prominent media in that state within 60 days.

Step 4: Notify HHS OCR
- 500 or more individuals affected in a state: notify OCR within 60 days of discovery via ocrportal.hhs.gov
- Fewer than 500 individuals: log in your breach register, submit to OCR within 60 days after year end
Step 5: Business Associate Notification

If the breach originated at a business associate, your BAA governs their notification timeline to you. Your own OCR clock starts at your discovery — not at your BA's notification. Business associate delays directly compress your compliance timeline.

The Four Most Common Breach Notification Mistakes
- Starting the 60-day clock from the wrong date: the clock starts at discovery, not at the conclusion of the forensic investigation
- Vague notification content: "a security incident occurred" without specifics on data types, mitigation steps, and contact information fails the content requirements
- Missing the four-factor risk assessment documentation: OCR investigators review this to assess good-faith determination
- Counting business associate notification delays toward your deadline: your clock starts when you discover the breach
ShieldForce provides complete breach response support — from forensic determination through notification logistics — as an included component of our incident response service.
Ready to protect your home health agency? The first step takes 30 minutes and costs nothing. ShieldForce delivers purpose-built managed cybersecurity for healthcare — 24/7 SOC monitoring, behavioral EDR, advanced layered email security, immutable backup with tested restoration, MFA enforcement, and complete HIPAA documentation — starting at $35/user/month. BAA signed on day one. Fully deployed in 72 hours. No IT staff required.