This is not true. All HIPAA breaches must be reported. The U.S. Department of Health and Human Services (HHS) DOES REQUIRE breach notification. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act. Source: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html - It's also important to keep in mind that almost every state has breach notification laws that must be followed in the event of a HIPAA breach too!