What constitutes a HIPAA breach and typical notification requirements?

HIPAA breach notification rules require timely alerts to everyone involved and the right agencies. When a breach of unsecured PHI is discovered, the covered entity or business associate must notify the affected individuals without undue delay and no later than 60 days after discovery. They must also notify the HHS Office for Civil Rights within the same 60-day window. If the breach affects 500 or more individuals, a notice must also be issued to prominent media outlets serving the area within that same timeframe. This combination—individual notification within 60 days, OCR notification within 60 days, and media notice for large breaches—best matches the rule. The other options are incorrect because notification to individuals isn’t optional, the timeframe isn’t 30 days, and notifications aren’t limited to business associates only.