Who must a covered entity notify when unsecured protected health information is breached, and is media notice always required?
After a breach of unsecured protected health information, a covered entity must notify each affected individual without unreasonable delay, and must notify the Secretary of HHS; media notice is a separate, threshold-triggered duty.
The answer
The individual-notice duty
45 CFR § 164.404 requires a covered entity to notify each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach. The notice must go out without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
Notice to the Secretary
Separate from individual notice, the covered entity must report the breach to the Secretary of HHS. Section 164.408 governs the timing and manner of that report, distinguishing breaches affecting 500 or more individuals from smaller breaches logged annually.
The judged input
What the AI drafted
Submitted to the judgeThis is an excerpt from a draft breach-response advisory memo — the kind of work product a lawyer generates with a legal-AI drafting tool, then has to stand behind. Kingsfield does not write it; it rules on the citations the model put in it. This draft cites three authorities; one of them is wrong.
The judge ruled on every citation as the draft used it — it accepted 45 CFR § 164.404 and 45 CFR § 164.408 and rejected 45 CFR § 164.406. Here is why.
The verdict
How Kingsfield ruled
Ruled 2026-06-23Each citation in the draft above was submitted to the Kingsfield judge and ruled against the primary-law corpus — Accept, Reject, or Inconclusive, per citation. These are live verdicts, not editorial. Each card shows the claim the draft made and the verbatim authority the verdict was rendered against.
The draft claimed: A covered entity must notify each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach, without unreasonable delay and no later than 60 calendar days after discovery.
“Standard —(1) General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.”
Cite found; proposition supported by the cited text.
The draft claimed: A covered entity must notify the Secretary of breaches of unsecured protected health information, with timing depending on whether the breach affects 500 or more individuals.
“Standard. A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in § 164.404(a)(2), notify the Secretary.”
Cite found; proposition supported by the cited text.
The draft claimed: Section 164.406 requires media notice for a breach affecting fewer than 500 residents of a State or jurisdiction.
Cite found, but the cited text does not support the claim. 45 CFR 164.406 requires notice to prominent media outlets only when a breach affects more than 500 residents of a State or jurisdiction, not fewer; the duty owed for a sub-500 breach is individual notice under 164.404 and reporting to the Secretary under 164.408. Regenerate with the correct authority.
Run your own work through the judge
Kingsfield rules on every citation, quote, and proposition your AI produces, against the primary law we cover. Accept, Reject, or Inconclusive, per citation, with a signed Audit Capsule.
Connect the Judge See the architectureThis page is legal information, not legal advice, and does not create an attorney-client relationship. The draft shown is an illustration of a typical AI answer; verdicts reflect the cited authority in the Kingsfield corpus as of the ruling date shown above.