HIPAA BAA Breach Notification Clause: What Must Be Included
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- HIPAA mandates a breach notification provision in every BAA
- The statutory deadline is 60 days after the BA discovers the breach
- Most well-drafted BAAs negotiate shorter windows of 5–30 days
- The BA must notify the CE — who then notifies affected individuals and HHS
The Statutory Breach Notification Requirement
The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) requires that when a breach of unsecured PHI occurs, the business associate notify the covered entity. This obligation is incorporated into the BAA as a required element under 45 CFR § 164.504(e)(2)(ii)(C).
A BAA that omits a breach notification provision is missing a required element under HIPAA's Privacy Rule. This is not a technicality — OCR specifically examines BAAs for the presence of this provision during compliance investigations. The absence of this clause can result in an automatic finding of non-compliance, separate from any underlying breach that may have occurred. For a comprehensive overview of the Breach Notification Rule, see HIPAA breach notification requirements.
What Constitutes a "Breach" vs. a "Security Incident"
HIPAA distinguishes between a breach and a security incident. A security incident is any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations. A breach is a specific type of security incident: an impermissible use or disclosure of unsecured PHI that compromises its security or privacy.
BAA breach notification clauses typically require the BA to report both: (1) actual breaches and (2) security incidents that may constitute breaches. This is intentional — covered entities need early warning so they can participate in the investigation and make the breach/no-breach determination, which ultimately rests with the covered entity.
The 60-Day Rule and Why Shorter Is Better
HIPAA sets a 60-day maximum for BA-to-CE breach notification after the BA discovers the breach. However, the covered entity then has its own 60-day window to notify affected individuals after discovering the breach. If the BA waits the full 60 days to notify the CE, the CE has essentially no time to conduct its own investigation before its notification deadline begins running.
Best practice is to negotiate a contractual notification window of 5–15 days. This gives the covered entity time to:
- Independently assess the scope of the breach
- Prepare breach notification letters for affected individuals
- Notify HHS within 60 days as required
- Coordinate media notifications if more than 500 residents of a state are affected
- Engage legal counsel and breach response resources
What Information the BA Must Provide When Notifying
A well-drafted BAA breach notification clause should require the BA to provide, to the extent known at the time of notification:
- The identity of each individual whose PHI was or is reasonably believed to have been accessed, acquired, used, or disclosed
- A brief description of what happened, including the date of the breach and the date it was discovered
- A description of the types of PHI involved (e.g., name, Social Security number, diagnosis)
- Any steps the BA is taking or recommends individuals take to protect themselves
- A description of what the BA is doing to investigate, mitigate, and prevent further breaches
- Contact information for the BA's designated contact for further inquiries
If complete information is not available at initial notification, the BAA should require the BA to supplement its report as additional information becomes available.
The BA's Obligation to Mitigate
Under 45 CFR § 164.530(f), covered entities must mitigate harmful effects of PHI uses or disclosures they know about. The BAA should extend this obligation to the BA — requiring the BA to take prompt action to contain the breach, terminate unauthorized access, preserve evidence, and cooperate with the covered entity's investigation. A strong BAA breach notification clause combines notification with mitigation obligations in a single provision.
What Happens If a BA Fails to Notify
If a business associate fails to provide timely breach notification to the covered entity, both parties may face consequences. The covered entity may have missed its own downstream notification deadlines, which is itself a HIPAA violation. The BA's failure to notify is a material breach of the BAA, which typically gives the covered entity grounds to terminate the agreement. See what to do when you discover a missing BAA for related guidance on remediation steps.
Frequently Asked Questions
What does a HIPAA BAA breach notification clause require?
A HIPAA BAA breach notification clause must require the business associate to report any breach of unsecured PHI to the covered entity without unreasonable delay and within 60 days of discovery. It must also require reporting of security incidents and impermissible disclosures even when it is uncertain whether a reportable breach has occurred. The clause should specify what information the BA must provide and a contact point for communications.
How long does a business associate have to notify the covered entity of a breach?
Under HIPAA, a business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering the breach (45 CFR § 164.410). Many BAAs contractually shorten this to 5, 10, or 30 days. The 60-day window is a regulatory maximum — not a target. Covered entities should negotiate shorter contractual timelines to preserve their ability to meet their own notification obligations to individuals and HHS.
What information must a BA provide when reporting a breach?
To the extent possible at the time of notification, the BA must provide: the identity of affected individuals; a description of what happened including dates; the types of PHI involved; steps individuals can take to protect themselves; what the BA is doing to investigate and prevent recurrence; and contact information for further inquiries. If all information is not available initially, the BA supplements its report as more information becomes known.
Can a BAA require shorter breach notification than HIPAA's 60-day window?
Yes. A BAA can contractually require the BA to notify the covered entity in fewer than 60 days — and this is strongly recommended. A 5- to 15-day contractual notice window gives the covered entity more time to prepare its own downstream breach notifications to affected individuals and HHS before their regulatory deadlines begin running. Shorter contractual windows are a best practice and are widely used in well-drafted BAAs.
Generate a BAA with a Proper Breach Notification Clause
BAA Generator includes all required HIPAA provisions — including a breach notification clause with a 15-day contractual window.