What are HIPAA breach notification requirements for a practice experiencing a PHI breach?

Study for APEA Management EENT Test with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice

What are HIPAA breach notification requirements for a practice experiencing a PHI breach?

Explanation:
When a practice experiences a PHI breach, HIPAA requires alerting the people whose information was exposed and reporting the incident to the Department of Health and Human Services, with the exact timing guided by how many individuals are affected. You must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach. For breaches that involve 500 or more individuals, you also notify the Secretary (HHS) within the same general window, and you must additionally (in those large cases) inform the media in the relevant jurisdiction. If the breach is smaller (fewer than 500 individuals), HHS notification is handled differently, typically via an annual report rather than a separate immediate notice, but you still document the breach and take steps to mitigate harm. Throughout, you maintain records of the breach and your corrective actions to prevent recurrence.

So the best answer reflects notifying both affected individuals and HHS according to the breach size, with timelines that are generally up to 60 days for larger breaches, and the requirement to document and mitigate. The other options fall short because they either limit notification to internal staff, claim no notification is required, or set an incorrect threshold for notifying patients.

