What are the timelines and notice considerations for the HIPAA Privacy Rule?

The HIPAA Privacy Rule works to protect patient's rights, which include those related to privacy and staying informed. As such, the law includes notices and other time-sensitive components. Covered entities must not only remain aware of these factors, but should also have a system in place to stay up-to-date with them to ensure compliance.

What are the timelines and notice considerations for the HIPAA Privacy Rule?


Under the HIPAA Privacy Rule, covered entities must keep patients informed about certain occurrences.

Privacy practices notice: HIPAA requires covered entities to provide all patients with a notice of their privacy practices, detailing their duties under the law and how they will abide by the Privacy Rule. In this document, health care providers must also explain when and how they will disclose protected health information and outline patients' rights to contact the U.S. Department of Health and Human Services if the individuals suspect a violation occurred. Covered entities must give patients the privacy practices notice by the first doctor's appointment and should display the notice somewhere patients can easily access the document.

Breach notifications: HIPAA violations may occur, and if they do, covered entities must notify affected patients and the Secretary of HHS. Health care providers should send the breach notification via first-class mail or through email within 60 days of discovering the incident, though prompt communication is best. In the case that the breach affects 500 or more individuals, the covered entity must also notify the media.


Notices are not the only HIPAA components that are time-sensitive.

Authorization expiration date: Covered entities need to obtain a patient-signed authorization to release PHI for reasons other than health care operations, treatment or payment purposes. For the authorization to be valid, the document must have an expiration date or event after which the health care provider can no longer disclose the PHI. Releasing information beyond this deadline would constitute a violation.

Granting patient access to PHI: Health care providers have to grant patients access to PHI within 30 days of the request. If a situation prevents the covered entity from adhering to that timeline, it may extend the time frame by 30 days but must also notify the patient of why it could not grant prior access.

Incident Response: While there is no specific time frame for responding to a HIPAA violation - other than the 60-day patient notification deadline - doing so in a prompt manner can help covered entities avoid costly fees. The Secretary of HHS cannot impose civil penalties if the health care provider remedies the violation within 30 days unless the breach occurred due to willful neglect. In some cases, the HHS can even extend that time frame.

Penalties associated with noncompliance

Covered entities that do not notify patients of privacy practices or contact them when a breach of private information occurs may be subject to civil penalties. Additionally, not abiding by the timelines, such as releasing information after an authorization date expires, can result in fees.

The HIPAA Help Center optimizes compliance, allowing covered entities to abide by deadlines and meet the law's fast-paced demands. For example, the seven-step process in the Incident Response Tool module makes addressing breaches efficient and increases the covered entity's chances of correcting the violation within the 30-day time frame.

Make time for what matters most
Your Patients