HIPAA Breach Notification Rules: A Technical Guide to What Triggers Reporting and How Fast You Need to Move

Source: DEV Community
Your monitoring system fires an alert at 2 AM: unauthorized access to a database containing patient records. The next 72 hours will determine whether this becomes a manageable incident or a compliance catastrophe. HIPAA's Breach Notification Rule has specific requirements for what constitutes a breach, who must be notified, and how quickly. For technical teams, understanding these rules before an incident happens is the difference between a coordinated response and panic.

What Counts as a Breach

Under HIPAA (45 CFR 164.400-414), a breach is any unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of the information. The key word is unsecured. If the compromised data was encrypted to NIST standards and the encryption key was not compromised, it is not a reportable breach. This is the single most important technical control you can implement — it transforms a breach into a security incident.

The Four-Factor Risk Assessment

When an
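The encryption point made under "What Counts as a Breach" above has a concrete shape in code: the data store holds only ciphertext and a key identifier, the key lives behind a separate trust boundary, and the cipher authenticates what it protects. The following Go program is an added example written for this guide, not code from the original article or from DEV Community. It assumes AES-256-GCM as the NIST-approved mode, assumes the data key is issued and held by a key service separate from the database (represented here only by a fresh random key), and uses a constructed sample record rather than real patient data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRow is what lives in the application database: a key identifier and
// the AES-GCM sealed record. No plaintext PHI and no key material are kept here.
type StoredRow struct {
	PatientID string
	KeyID     string
	Sealed    []byte // nonce || ciphertext || GCM tag
}

// NewDataKey returns a fresh 256-bit AES key. Assumption for this example: in
// production the key is issued and held by a KMS/HSM, a separate trust boundary
// from the database, so a copy of the database alone never contains it.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts a patient record with AES-256-GCM. The patient ID is bound
// as associated data so a sealed blob cannot be moved to another row undetected.
func SealRecord(keyID string, key []byte, patientID string, record []byte) (StoredRow, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRow{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRow{}, err
	}
	sealed := gcm.Seal(nonce, nonce, record, []byte(patientID))
	return StoredRow{PatientID: patientID, KeyID: keyID, Sealed: sealed}, nil
}

// OpenRecord decrypts and authenticates a stored row. It fails closed on a
// wrong key, a tampered blob, or a blob moved under a different patient ID.
func OpenRecord(key []byte, row StoredRow) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(row.Sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := row.Sealed[:gcm.NonceSize()], row.Sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(row.PatientID))
}

// LeaksPlaintext reports whether a database row, taken on its own, exposes the
// given PHI fragment. For a correctly sealed row this is false, which is the
// property that keeps a copied database from being "unsecured PHI".
func LeaksPlaintext(row StoredRow, fragment []byte) bool {
	return bytes.Contains(row.Sealed, fragment)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"name":"J. Doe","dx":"E11.9","visit":"2024-03-01"}`)
	row, err := SealRecord("key-v1", key, "patient-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row exposes diagnosis code: %v\n", LeaksPlaintext(row, []byte("E11.9")))
	// A copy of the row without the real key yields nothing but an error.
	other, _ := NewDataKey()
	if _, err := OpenRecord(other, row); err != nil {
		fmt.Println("decrypt without the real key:", err)
	}
	pt, err := OpenRecord(key, row)
	if err != nil {
		panic(err)
	}
	fmt.Println("authorized decrypt:", string(pt))
}
```

The design choice that matters for the rule is the split between `StoredRow` and the key: the incident-response question "was the encryption key compromised?" can only be answered "no" if the key was never stored where the attacker was. Binding the patient ID as associated data also means an attacker who can write to the database cannot silently swap records between patients, which would otherwise be an integrity breach the encryption alone would not catch.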