Does HIPAA require a covered entity to notify the media after a large breach of protected health information?
45 CFR 164.406 requires a covered entity to notify prominent media outlets when a breach of unsecured protected health information involves more than 500 residents of a single State or jurisdiction.
The answer
The media-notification trigger
45 CFR 164.406(a) requires a covered entity, for a breach involving more than 500 residents of a State or jurisdiction, to notify prominent media outlets serving that State or jurisdiction. The trigger is geographic concentration, not the raw national total.
The deadline
Media notice is not open-ended. Section 164.406(b) requires the notification without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
The judged input
What the AI drafted
Submitted to the judgeThis is an excerpt from a draft breach-response advisory memo — the kind of work product a lawyer generates with a legal-AI drafting tool, then has to stand behind. Kingsfield does not write it; it rules on the citations the model put in it. This draft cites three authorities; one of them is wrong.
The judge ruled on every citation as the draft used it — it accepted 45 CFR 164.406(a) and 45 CFR 164.406(b) and rejected 45 CFR 164.408(b). Here is why.
The verdict
How Kingsfield ruled
Ruled 2026-06-23Each citation in the draft above was submitted to the Kingsfield judge and ruled against the primary-law corpus — Accept, Reject, or Inconclusive, per citation. These are live verdicts, not editorial. Each card shows the claim the draft made and the verbatim authority the verdict was rendered against.
The draft claimed: For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall notify prominent media outlets serving the State or jurisdiction.
“Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in § 164.404(a)(2), notify prominent media outlets serving the State or jurisdiction.”
Cite found; proposition supported by the cited text.
The draft claimed: Media notification must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
“Implementation specification: Timeliness of notification. Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”
Cite found; proposition supported by the cited text.
The draft claimed: Section 164.408(b) triggers a covered entity's duty to notify prominent media outlets when a breach involves more than 500 residents of a State.
Cite found, but the cited text does not support the claim. 45 CFR 164.408(b) governs contemporaneous notification to the Secretary for breaches involving 500 or more individuals; the media-notification duty is at 45 CFR 164.406. Regenerate with the correct authority.
Run your own work through the judge
Kingsfield rules on every citation, quote, and proposition your AI produces, against the primary law we cover. Accept, Reject, or Inconclusive, per citation, with a signed Audit Capsule.
Connect the Judge See the architectureThis page is legal information, not legal advice, and does not create an attorney-client relationship. The draft shown is an illustration of a typical AI answer; verdicts reflect the cited authority in the Kingsfield corpus as of the ruling date shown above.