45 CFR 164.408 Explained: HIPAA Breach Notification to the Secretary – Requirements, Deadlines, and Reporting Steps


Kevin Henry

HIPAA

May 01, 2026

7 minutes read

45 CFR 164.408 sets the rules for notifying the Secretary of Health and Human Services when a breach of Unsecured Protected Health Information occurs. This guide translates the regulation into practical steps so you can meet every breach notification deadline with confidence and maintain strong covered entity compliance.

Covered Entity's Obligation

If you are a covered entity, you must notify the Secretary of any breach of unsecured protected health information (UPHI). A breach is treated as discovered on the first day it is known to you, or would have been known to you by exercising reasonable diligence; that date, not the date you finish investigating, starts the breach notification deadline clock.

What triggers notification

Notification is required only for UPHI. PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons under HHS guidance (encrypted in a manner consistent with that guidance, with the decryption key not itself compromised, or properly destroyed) is not “unsecured,” so incidents involving secured PHI do not trigger reporting to the Secretary. An impermissible use or disclosure of UPHI is presumed to be a breach unless your documented risk assessment demonstrates a low probability that the PHI has been compromised; if you cannot show that, treat it as a reportable breach.

Discovery and diligence

Discovery includes knowledge by any workforce member or agent of the covered entity (other than the person who committed the breach), so the clock can start before leadership hears of the incident. Implement internal escalation so incidents surface quickly, your risk assessment begins promptly, and deadlines are not missed.

Documentation and retention

Document your investigation, risk assessment, breach determination, and breach mitigation steps. Retain these records consistent with HIPAA’s documentation retention requirements (commonly six years) to demonstrate covered entity compliance.

Breaches Involving 500 or More Individuals

For a breach affecting 500 or more individuals in total (regardless of how many states they live in), you must notify the Secretary contemporaneously with the notice to affected individuals: without unreasonable delay and in no case later than 60 calendar days from discovery. Treat this as a top-priority breach notification deadline.

  • Report each qualifying breach individually through the HHS Breach Reporting Portal as soon as practicable.
  • Submit even if some details are preliminary; you can amend the report as more facts emerge.
  • Coordinate internal and external communications so your Secretary submission aligns with required individual and, if applicable, media notices.

Practical tips

  • Confirm the total number of affected individuals for the incident; the 500+ threshold for notifying the Secretary is per breach event, not per state (the separate media notice requirement is what applies per state).
  • Build a dated timeline (incident, discovery, notifications) to show you acted without unreasonable delay.

Breaches Involving Fewer Than 500 Individuals

For breaches affecting fewer than 500 individuals, you must maintain a log and submit a consolidated notice to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered. You may report earlier if you choose.

  • Record each breach separately in your internal log with dates of occurrence and discovery, number of individuals, and mitigation measures.
  • Ensure all small-breach entries for the year are included in the annual submission.
  • Retain your log and supporting documentation for audit readiness and compliance verification.

Notification Method

Submit breach notifications to the Secretary through the HHS Breach Reporting Portal. The portal guides you through two pathways: one for breaches involving 500 or more individuals and another for fewer than 500.

  • Prepare organizational details, incident dates, affected counts, and a concise narrative before you start.
  • You can save a draft, submit, and later update or amend the report as new information becomes available.
  • A business associate or outside advisor may submit on your behalf, but the covered entity remains responsible for accuracy and timeliness.

Content of Notification

The Secretary’s notification must include information the portal requests so HHS can evaluate scope, cause, and remediation. Be complete and factual.

Typical elements you will provide

  • Covered entity name, point of contact, and type of organization.
  • Number of individuals affected and the states or jurisdictions involved.
  • Dates of the breach and discovery, plus when notifications were or will be sent.
  • Type of breach (for example, hacking/IT incident, unauthorized access/disclosure, theft, loss, improper disposal).
  • Location of breached information (e.g., network server, email, EHR, laptop, desktop, paper/film).
  • Types of UPHI involved (such as names, Social Security numbers, dates of birth, clinical details, account information).
  • Brief description of what happened, containment efforts, and breach mitigation steps to reduce risk of harm.
  • Corrective actions taken to prevent recurrence (policy changes, workforce re-training, technical safeguards).
  • Business associate involvement, if any, and their role in incident response.

Business Associate's Role

Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 calendar days after discovery. This business associate reporting must include, to the extent possible, the identities of affected individuals and information the covered entity needs to meet all content and timing requirements.

  • Provide a clear incident summary, dates, systems affected, and the types of UPHI involved.
  • Share evidence of containment and breach mitigation steps, and coordinate on individual notifications.
  • Expect to assist with follow-up questions from HHS; cooperation is part of effective compliance.

Although a business associate may submit the Secretary notification if authorized, the covered entity is ultimately accountable for accuracy and timeliness under 45 CFR 164.408.

Law Enforcement Delay

If a law enforcement official states that a notification would impede a criminal investigation or cause damage to national security, you must delay the notification for the period described below. This delay applies to notices to individuals, the media, and the Secretary.

  • Written statement: delay for the time period the statement specifies.
  • Oral statement: document the statement, including the identity of the official who made it, and delay no longer than 30 days from the date of the oral statement unless a written statement specifying a longer period is submitted during that time.
  • Document the request and the dates carefully; once the delay ends, complete all required notifications without unreasonable delay.
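The clocks described in this article reduce to a small decision procedure that an incident-response team can encode once and reuse. The Python below is an added illustration, not code from HHS, from Accountable, or from the regulation: it classifies each incident (secured or unsecured PHI, risk-assessment outcome, 500-or-more threshold), computes the Secretary deadline for large and small breaches, builds the annual consolidated list for sub-500 breaches, and applies a law enforcement delay. One modelling assumption is flagged in the code: a law enforcement delay is treated as pausing the 60-day clock for the length of the delay window. The incident records are constructed sample data.

```python
"""Breach-deadline tracker for 45 CFR 164.408 / 164.412 (added illustration, not HHS code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

LARGE_BREACH_THRESHOLD = 500   # 164.408(b): 500 or more individuals
NOTIFY_WINDOW_DAYS = 60        # calendar days after discovery (large) or after year end (small)
ORAL_DELAY_MAX_DAYS = 30       # 164.412(b): an oral statement caps the delay at 30 days


@dataclass
class LawEnforcementDelay:
    requested_on: date
    written_period_days: Optional[int] = None  # None: oral statement only, no written follow-up

    def end_date(self) -> date:
        # Written statement: delay for the period it specifies.
        # Oral statement only: no longer than 30 days from the date of the statement.
        days = ORAL_DELAY_MAX_DAYS if self.written_period_days is None else self.written_period_days
        return self.requested_on + timedelta(days=days)


@dataclass
class Breach:
    incident_id: str
    discovered_on: date           # first day known, or would have been known with reasonable diligence
    individuals_affected: int
    phi_unsecured: bool           # False if the PHI was encrypted/destroyed per HHS guidance
    low_probability_of_compromise: bool = False   # outcome of the four-factor risk assessment
    le_delay: Optional[LawEnforcementDelay] = None

    def is_reportable(self) -> bool:
        # Only unsecured PHI is in scope, and an impermissible use or disclosure is presumed
        # a breach unless the risk assessment shows a low probability of compromise.
        return self.phi_unsecured and not self.low_probability_of_compromise

    def is_large(self) -> bool:
        return self.individuals_affected >= LARGE_BREACH_THRESHOLD

    def base_deadline(self) -> Optional[date]:
        if not self.is_reportable():
            return None
        if self.is_large():
            return self.discovered_on + timedelta(days=NOTIFY_WINDOW_DAYS)
        # Small breach: 60 days after the end of the calendar year of discovery.
        # timedelta handles the leap-year case (discovered in 2027 -> due 2028-02-29).
        return date(self.discovered_on.year, 12, 31) + timedelta(days=NOTIFY_WINDOW_DAYS)

    def secretary_deadline(self) -> Optional[date]:
        base = self.base_deadline()
        if base is None or self.le_delay is None:
            return base
        # Assumption: the delay pauses the clock, so the deadline moves by the length of the
        # delay window, provided the window opens before the clock has already run out.
        start = max(self.le_delay.requested_on, self.discovered_on)
        if start >= base:
            return base
        return base + (self.le_delay.end_date() - start)


def annual_small_breach_report(breaches: List[Breach]) -> Dict[int, Tuple[date, List[str]]]:
    """Group reportable sub-500 breaches by discovery year -> (submission deadline, incident ids)."""
    report: Dict[int, Tuple[date, List[str]]] = {}
    for b in breaches:
        if not b.is_reportable() or b.is_large():
            continue
        year = b.discovered_on.year
        deadline = date(year, 12, 31) + timedelta(days=NOTIFY_WINDOW_DAYS)
        report.setdefault(year, (deadline, []))[1].append(b.incident_id)
    return report


# Constructed sample incidents (not real breaches).
SAMPLE_BREACHES = [
    Breach("INC-1", date(2025, 1, 10), 1200, phi_unsecured=True,
           le_delay=LawEnforcementDelay(date(2025, 2, 1))),        # oral request, no written follow-up
    Breach("INC-2", date(2025, 7, 4), 12, phi_unsecured=True),     # small breach, annual submission
    Breach("INC-3", date(2025, 9, 1), 300, phi_unsecured=False),   # encrypted laptop, key not compromised
    Breach("INC-4", date(2025, 11, 20), 40, phi_unsecured=True, low_probability_of_compromise=True),
    Breach("INC-5", date(2027, 6, 1), 5, phi_unsecured=True),      # year before a leap year
]

if __name__ == "__main__":
    for b in SAMPLE_BREACHES:
        print(b.incident_id, "large" if b.is_large() else "small", b.secretary_deadline())
    print(annual_small_breach_report(SAMPLE_BREACHES))
```

INC-1 shows the two numbers a practitioner most often gets wrong together: the base deadline is 2025-03-11 (60 days from discovery, not from the end of the investigation), and the 30-day oral delay pushes it to 2025-04-10 only because the delay began before the clock expired. INC-3 returns no deadline at all, because encrypted PHI is not unsecured.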

Bottom line: start from whether UPHI was involved, determine the discovery date, act quickly to contain and mitigate, and meet the correct breach notification deadline, contemporaneous with individual notice and no later than 60 days after discovery for breaches of 500 or more individuals, and an annual consolidated submission for smaller breaches, using the HHS Breach Reporting Portal.

FAQs

What are the deadlines for breach notification under 45 CFR 164.408?

For breaches involving 500 or more individuals, notify the Secretary without unreasonable delay and no later than 60 calendar days after discovery. For breaches involving fewer than 500 individuals, submit a consolidated notice for all such breaches discovered in the calendar year no later than 60 days after that year ends. Any approved law enforcement delay pauses these timelines until the delay is lifted.

How must covered entities submit breach notifications?

Use the HHS Breach Reporting Portal. Choose the pathway for either 500 or more individuals or fewer than 500, enter the required details (dates, counts, description, types and location of UPHI, mitigation and corrective actions), and submit. You may update or amend your submission if new information emerges, and you should retain supporting records to demonstrate compliance.

When can notification be delayed due to law enforcement requests?

When a law enforcement official states that a notification would impede a criminal investigation or cause damage to national security. A written statement sets the delay period; an oral statement, which you must document along with the identity of the official, permits a delay of no more than 30 days from the date of the statement unless a written statement is submitted during that time. Keep documentation and provide all required notices without unreasonable delay once the authorized delay ends.
