HIPAA Breach in 2025? Notification to HHS is Required
Thursday, December 4, 2025
What is significant about March 1, 2026? According to the website Days Of The Year, it is National Barista Day, Share a Smile Day, and Endometriosis Awareness Day. While these are all great causes, the date carries additional significance for any covered entity (e.g., a pharmacy) that had a HIPAA breach affecting fewer than 500 patients in 2025. This is because breach notifications for 2025 are due to the Secretary of Health and Human Services no later than 60 days after the end of the calendar year in which the breach occurred.

Notification to the Secretary

For breaches that involve fewer than 500 patients (even one patient), the pharmacy can report the event to the Secretary right away, or it may maintain a record of the breaches that occurred within the single calendar year and report them to the Secretary no later than 60 days after the end of the calendar year. For breaches of 500 or more patients, the breach must be reported to the Secretary as soon as possible, but no later than 60 days after discovery of the breach, to be in compliance with the HIPAA Breach Notification Rule.

Notification to the Patient

Regardless of the size of the breach, the patient must be notified as soon as possible, but no later than 60 days after the discovery of the breach. At a minimum, the notice must contain:
- A brief description of what happened, including the date of the breach and the date of discovery, if known.
- A description of the types of unsecured PHI involved (e.g., name, social security number, date of birth, prescription number).
- Any steps the patient should take to protect themselves from potential harm.
- A brief description of what the pharmacy is doing to investigate the breach, reduce the harm to the patient, and protect against future breaches.
- The contact information for the pharmacy’s Privacy Officer, including phone, email, and/or address.
All notices must be provided via first-class mail to the last known address of the patient or, if the patient is deceased, of their next of kin. Patient notices may be sent electronically if the patient has previously requested or agreed to receive electronic communications. If the pharmacy has insufficient or out-of-date contact information for fewer than 10 patients affected by the breach, it may provide the notice by an alternative written form, telephone, or other means. If the pharmacy has insufficient or out-of-date contact information for 10 or more patients, it must post a conspicuous notice on the homepage of the pharmacy website or in major print or broadcast media in the area where affected patients are likely to reside. The print or broadcast media posting must remain up for a period of 90 days and contain a toll-free number that patients can call to learn whether they were affected by the breach.

Notification to the Media

For any breach that involves more than 500 residents of a State or jurisdiction, the pharmacy must also notify prominent media outlets within the State or jurisdiction. The notification shall be provided as soon as possible, but no later than 60 days after the discovery of the breach, and must include the same required elements as the notification to the patient.

PAAS Tips:
- Pharmacies must take their breach notification requirements seriously.
- Patients whose PHI was compromised are more likely to file a complaint, which can be the impetus for an OCR investigation; it is better to dot your ‘I’s and cross your ‘T’s when an accidental disclosure has occurred.
- Several recent cases investigated by the OCR for failing to report a breach have led to settlements, including Syracuse ASC ($250K, July 2025) and Cadia HealthCare Facilities ($182K, Sept 2025).
By Trenton Thiede, PharmD, MBA, President at PAAS National®, expert third party audit assistance, FWA/HIPAA and USP 800 compliance. Copyright © 2025 PAAS National, LLC. Unauthorized use or distribution prohibited. All use subject to terms at https://paasnational.com/terms-of-use/.