60-Day HIPAA Breach Notice: Who to Notify, What to Report, When
The HIPAA Breach Notification Rule requires you to notify specific parties after discovering a breach of unsecured protected health information (PHI) without unreasonable delay and no later than 60 calendar days. This guide clarifies who must be notified, what to include, and exactly when each action is due.
Overview of the HIPAA Breach Notification Rule
What the 60-day rule requires
Once you discover a qualifying breach, you must provide covered entity breach notification to affected individuals, and, depending on scale, report to HHS OCR and certain media outlets. The 60-day period is a maximum; prompt, earlier notice is expected when feasible.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery.
- Report to the HHS Secretary for large breaches (500+ individuals) within the same 60-day window.
- Report smaller breaches to HHS no later than 60 days after the end of the calendar year in which they were discovered.
What counts as a breach and exceptions
A breach is an impermissible use or disclosure of PHI that compromises its security or privacy. The rule presumes a breach unless you document a low probability of compromise via a four-factor risk assessment.
- Assess: the nature and extent of PHI involved; the unauthorized person; whether PHI was actually acquired or viewed; and mitigation achieved.
- Exceptions include certain good-faith or inadvertent disclosures and situations where the recipient could not reasonably retain the information.
Discovery and start of the clock
“Discovery” occurs on the first day the incident is known to you, your workforce, or your business associate—or would have been known with reasonable diligence. The 60 days are calendar days, not business days.
Unsecured protected health information
Unsecured protected health information is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, unencrypted or improperly destroyed data). If PHI is properly encrypted or destroyed per recognized guidance, the incident may fall outside the breach rule.
Notification Requirements for Affected Individuals
Who must receive notice
You must notify each affected individual. If an individual is deceased, notify the personal representative or, when appropriate, the next of kin.
Individual breach notification content
Your HIPAA breach notice must be clear, concise, and written in plain language. Include:
- A brief description of what happened, including the breach and discovery dates.
- The types of PHI involved (for example, names, Social Security numbers, diagnoses).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent recurrence.
- How individuals can reach you for more information (toll-free phone, email, website, or postal address).
Methods of delivery and substitute notice
- Send written notice by first-class mail to the last known address, or by email if the individual has agreed to electronic notice.
- If fewer than 10 individuals are unreachable, use an alternative method such as telephone or another written form.
- If 10 or more individuals are unreachable, provide substitute notice via a conspicuous website posting or media, and maintain a toll-free number for at least 90 days.
Timing nuances and lawful delays
Send notices as soon as practicable within the 60-day limit. If a law enforcement official determines that notice would impede an investigation or threaten national security, you may delay notifications for the period the official specifies (or up to 30 days for an oral request unless extended in writing).
Reporting Obligations to HHS OCR
HHS Secretary breach reporting thresholds
- 500 or more individuals affected: Report to the HHS Secretary without unreasonable delay and in no case later than 60 calendar days from discovery.
- Fewer than 500 individuals affected: Log the breach and report it to HHS no later than 60 days after the end of the calendar year in which you discovered it.
What to include in the HHS report
- Entity information (covered entity or business associate) and point of contact.
- Breach dates, discovery date, and number of individuals affected.
- Location and medium of PHI (paper, email, network server, device) and types of data involved.
- Cause of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure).
- Mitigation, containment, and corrective actions taken.
Business associate to covered entity breach notification
A business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery. The notice should identify each affected individual and include any available details needed for timely individual and HHS notifications.
Coordinate with state requirements
Some state laws impose additional or faster timelines and may require attorney general or consumer reporting agency notices. Align HIPAA steps with state obligations so all deadlines are met together.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Media Notification Procedures for Large Breaches
When media outlet breach reporting is required
If a breach involves more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovery. This media notice is in addition to individual notices and the HHS report.
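The thresholds above (individual notice and HHS report within 60 calendar days, annual HHS logging for breaches under 500, media notice per jurisdiction over 500 residents, substitute notice at 10 or more unreachable individuals, and the 30-day oral law-enforcement hold) combine into a single deadline plan. The following is an added illustration, not code from the original page or from Accountable; function names and the sample breach figures are constructed, and it does not model state-law timelines.

```python
from datetime import date, timedelta

def notification_plan(discovered, affected, by_state, unreachable):
    """Return the notice obligations and due dates for one breach.

    discovered  - date the breach was (or with reasonable diligence would
                  have been) discovered; this starts the clock
    affected    - total number of individuals affected
    by_state    - dict of state/jurisdiction -> affected residents there
    unreachable - individuals whose contact details are out of date
    """
    outer = discovered + timedelta(days=60)  # calendar days, not business days
    plan = {"individual_notice_due": outer}
    if affected >= 500:
        plan["hhs_report_due"] = outer
    else:
        # log now; report by 60 days after the end of the discovery year
        plan["hhs_report_due"] = date(discovered.year, 12, 31) + timedelta(days=60)
    # media notice is per jurisdiction, and only above 500 residents there
    plan["media_notice_due"] = {s: outer for s, n in by_state.items() if n > 500}
    if unreachable >= 10:
        plan["substitute_notice"] = "website or media posting; toll-free number 90 days"
    elif unreachable > 0:
        plan["substitute_notice"] = "telephone or another written form"
    else:
        plan["substitute_notice"] = None
    return plan

def apply_law_enforcement_delay(due, requested_on, written_days=None):
    """Push a due date out for a documented law-enforcement hold.

    A written request delays notice for the period it specifies; an oral
    request holds for at most 30 days unless it is extended in writing.
    The notice becomes due at the later of the original deadline and the
    end of the hold (constructed interpretation for this example).
    """
    hold = written_days if written_days is not None else 30
    return max(due, requested_on + timedelta(days=hold))

if __name__ == "__main__":
    # constructed sample breach: discovered 1 Mar 2024, 1,200 affected
    plan = notification_plan(date(2024, 3, 1), 1200, {"TX": 700, "OK": 500}, 12)
    for key, value in plan.items():
        print(f"{key}: {value}")
```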
Content and coordination
- Ensure the media statement mirrors the individual breach notification content and avoids unnecessary details.
- Designate a spokesperson and prepare consistent FAQs for journalists and the public.
- Document the date the notice was provided and the outlets contacted.
Practical tips
- Time the media release to follow or coincide with individual mailings to reduce confusion.
- Monitor coverage and correct inaccuracies promptly without disclosing additional PHI.
Documentation and Compliance Best Practices
Breach documentation requirements
- Incident timeline, investigation records, and the four-factor risk assessment supporting your notification decision.
- Copies of all notices (individual, HHS, media), mailing lists, returned mail logs, and substitute notice evidence.
- Call center scripts, training records, sanction actions, and remediation plans.
- Business associate agreements and vendor communications related to the event.
Retention and accessibility
Retain policies, procedures, and related breach records for at least six years from the date of creation or last effective date. Keep evidence organized and readily retrievable to respond to OCR inquiries.
Audit readiness
- Use a standardized breach playbook and forms to ensure consistency.
- Log all decision points, with approvals, timestamps, and responsible roles.
- Perform after-action reviews and update policies to reflect lessons learned.
Mitigation and Prevention Strategies Post-Breach
Immediate breach mitigation steps
- Contain the incident: isolate affected systems, revoke credentials, and disable lost or stolen devices.
- Preserve evidence for forensics while removing malware, patching vulnerabilities, and resetting access.
- Offer appropriate support to individuals (e.g., credit monitoring or identity protection) based on risk.
Long-term prevention measures
- Conduct a comprehensive security risk analysis and implement recognized security practices.
- Strengthen controls: encryption in transit and at rest, MFA, least privilege, DLP, MDM, and network segmentation.
- Enhance monitoring with centralized logging, alerting, and incident response runbooks and tabletop exercises.
- Improve vendor management with due diligence, BAAs, and periodic security reviews.
Training and governance
- Deliver role-based privacy and security training and test with phishing simulations.
- Reinforce the minimum necessary standard and prompt reporting of suspected incidents.
- Assign clear accountability across privacy, security, compliance, and communications teams.
By acting quickly, documenting thoroughly, and closing control gaps, you meet the HIPAA timelines, reduce harm, and strengthen resilience against future incidents.
FAQs
What information must be included in a HIPAA breach notice?
Include what happened (with breach and discovery dates), the types of PHI involved, steps individuals should take, your mitigation and prevention actions, and clear contact information such as a toll-free number, email, website, or postal address.
Who must be notified under the 60-day HIPAA breach rule?
Notify each affected individual, HHS OCR (within 60 days of discovery for breaches of 500 or more individuals; annually for smaller ones), and, for breaches involving more than 500 residents of a state or jurisdiction, the relevant media outlets. Business associates must notify the covered entity so required notices can be sent.
When is media notification required for a breach?
Provide media notification when a breach affects more than 500 residents of a single state or jurisdiction. Send the notice without unreasonable delay and within 60 calendar days of discovery, in addition to individual notices and the HHS report.
How should covered entities document breach notifications?
Maintain a complete record: your risk assessment, decision rationale, copies of all notices, mailing and return logs, substitute notices, HHS submission confirmations, media communications, and remediation evidence. Keep these materials organized and retained for at least six years.