Breach Notification When the AI Vendor Is Implicated: The 2026 Flow

Breach response is decided in the first hour. If your AI vendor's playbook is "we'll get back to you," your covered-entity customer is already in trouble.

What the rule says

flowchart LR
  Voice[Voice call] --> Redact[PII / PHI redaction]
  Redact --> LLM[LLM with BAA]
  LLM --> Resp[Response]
  Resp --> Sanitize[Remove non-needed PHI]
  Sanitize --> Caller[Caller]
  Resp --> AuditDB[(Audit DB)]

The HIPAA Breach Notification Rule, 45 CFR Part 164 Subpart D, requires a covered entity to notify affected individuals without unreasonable delay and no later than 60 days after discovery. 45 CFR 164.410 requires a business associate to notify the covered entity on the same 60-day clock from the business associate's discovery. Breaches affecting 500+ individuals require notice to HHS and prominent media in the affected state on the same timeline. Sub-500 breaches are reported annually to HHS by 60 days after the calendar year end. The Breach Notification Rule applies to "unsecured" PHI — encrypted PHI under HHS-recognized methods is generally exempt under the safe harbor. New York SHIELD compresses the individual notification clock to 30 days for NY residents, and the 2024 42 CFR Part 2 Final Rule extended the breach notification rule to Part 2 records.

What it means for AI voice/chat agents

When the AI vendor is implicated — a leaked transcript, a misconfigured model that exposed prompts, a credential leak, a ransomware attack on the vendor — the operational chain is more complicated than a simple covered-entity-only breach. Five things happen in parallel.

First, the AI vendor identifies the scope: which patients, which records, which time window, which downstream systems. This is where audit logs and tamper-evident storage pay back their cost a thousand times over.

Second, the AI vendor notifies the covered entity within the contractual window — typically 24–72 hours under a mature BAA. The notice includes the elements required by 45 CFR 164.410: identity of affected individuals where possible, description of the breach, types of PHI involved, and mitigation steps.

Third, the covered entity runs its own risk-of-compromise assessment under 45 CFR 164.402(2): if the probability that PHI has been compromised is low, the breach notification rule may not trigger. This assessment must be documented.

Fourth, if notification is required, the covered entity sends individual notices, posts substitute notice if necessary, notifies HHS, and — for 500+ events — notifies media. State-specific notices layer on top.

Fifth, the AI vendor and the covered entity coordinate the corrective action plan, including whether OCR will impose a CAP and what duration of monitoring is required.

CallSphere implementation

CallSphere's breach playbook is operational, not theoretical. Our SOC monitors anomalous-access alerts in real time and runs incident triage 24/7. The standard BAA commits to 48-hour notice from confirmed discovery, with a same-day "we are investigating" notice if anomalous activity is detected. We provide the customer with an evidence pack — affected patient list with masked identifiers, time window, PHI categories, downstream systems, root cause, and mitigation — formatted to drop directly into the customer's HIPAA documentation. Our incident commander is the same person on every event and is named in the BAA. We cover the 30-day SHIELD timeline for New York customers and the 42 CFR Part 2 Part 2-specific elements for behavioral-health customers. Across 50+ healthcare customers we have a tested tabletop annually with each major customer.

Build/audit checklist

1. Identify the named incident commander on the AI vendor side and the customer side.
2. Set a contractual notification window of 24–72 hours from discovery in the BAA.
3. Maintain an evidence pack template that covers HIPAA, SHIELD, CMIA, and Part 2 elements.
4. Tabletop the breach playbook at least annually with the AI vendor.
5. Confirm the AI vendor's audit logs are tamper-evident and retained 6+ years.
6. Document the risk-of-compromise assessment template before you need it.
7. Pre-draft individual, substitute, HHS, and media notice templates.
8. Build a state-overlay matrix so multi-state breaches route to every required regulator.
9. Confirm cyber-insurance covers breach response coordination costs.

FAQ

What is CallSphere's breach notification window? 48 hours from confirmed discovery in the standard BAA, with same-day initial notice on suspected events.

Does encryption save us from notification? Often, yes. Encrypted ePHI under HHS-recognized methods with keys protected is not "unsecured PHI" and the breach notification rule generally does not trigger. We document this for every encrypted artifact.

Who decides if an event is a breach? The covered entity, after a documented risk-of-compromise assessment under 45 CFR 164.402(2). The AI vendor provides the evidence; the covered entity makes the legal determination.

What about state-specific notices? We track CA, NY, TX, IL, and other state requirements and include the state-specific notice templates in the evidence pack.

Sources

• 45 CFR Part 164 Subpart D Breach notification: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
• 45 CFR 164.410 Notification by a business associate: https://www.law.cornell.edu/cfr/text/45/164.410
• 45 CFR 164.402 Definitions and risk assessment: https://www.law.cornell.edu/cfr/text/45/164.402
• HHS Breach Notification Rule: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html