Annual and Immediate OCR HIPAA Breach Reporting: Requirements and Submission Checklist
Breach Notification Rule Overview
The HIPAA Breach Notification Rule applies when there is an impermissible disclosure or use of unsecured protected health information that compromises privacy or security. A breach is presumed unless you document through a risk assessment that there is a low probability the PHI was compromised. Encryption consistent with recognized standards generally places PHI outside the “unsecured” category.
Obligations are shared by covered entities and business associates, but the covered entity is ultimately responsible for notifying affected individuals, the Office for Civil Rights (OCR), and, when applicable, the media. Your breach notification timeline must be “without unreasonable delay” and never later than 60 calendar days from discovery.
What triggers notification
- Acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule (an impermissible disclosure).
- PHI is unsecured (e.g., lost, stolen, or exposed data not properly encrypted or destroyed).
- No exception applies (e.g., good-faith workforce access without further use, inadvertent internal disclosure, or information not reasonably retained by an unauthorized recipient).
Individual notification essentials
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
- Use first-class mail or email (if the individual agreed), and provide substitute notice if addresses are insufficient.
- Include what happened, the types of PHI involved, steps individuals should take, what you are doing to mitigate harm, and contact information.
Submission checklist
- Confirm that the incident meets the definition of a breach of unsecured protected health information.
- Complete the four-factor risk assessment and document findings.
- Start individual notification and determine whether OCR and media notices are required.
- Map applicable state breach reporting regulations that may impose shorter deadlines or added recipients.
Reporting Breaches Affecting 500 or More Individuals
For large breaches, you must report to OCR via the HHS breach reporting portal without unreasonable delay and in no case later than 60 calendar days from discovery. Submit updates as new details emerge; do not wait to have every fact before filing your initial report.
Information to include in the OCR report
- Covered entity or business associate identification and primary contact.
- Breach date and discovery date, and the total number of affected individuals.
- Types of PHI involved (e.g., Social Security numbers, diagnoses, claims data).
- How the breach occurred (theft, hacking/IT incident, improper disposal, misdirected communication, unauthorized access).
- Whether the PHI was encrypted or otherwise secured and what safeguards were in place.
- Mitigation steps taken, notification status, and corrective actions to prevent recurrence.
Individual notice remains mandatory
Even when reporting to OCR, you must still deliver timely individual notices. If contact information is insufficient for 10 or more people, provide substitute notice (e.g., website posting and/or media notice) consistent with rule requirements.
Submission checklist (large breaches)
- File through the HHS breach reporting portal within 60 days of discovery.
- Assemble affected population counts by state or jurisdiction to inform media obligations.
- Retain the portal confirmation and any subsequent updates.
- Coordinate parallel obligations under state breach reporting regulations.
Annual Reporting for Breaches Affecting Fewer Than 500 Individuals
Small breaches must be logged throughout the year and reported to OCR no later than 60 days after the end of the calendar year in which they were discovered. You may submit individual entries or a consolidated annual submission through the HHS breach reporting portal.
Individual notification to each affected person is still required within 60 days of discovery, regardless of breach size. Your annual report should mirror your internal breach log and reflect corrective actions taken.
What to capture in your log
- Incident and discovery dates, location (systems, vendors), and root cause.
- Number of individuals impacted and the types of PHI exposed.
- Mitigation, remediation, and whether the event meets any exception.
- Evidence of notifications sent and dates sent.
Submission checklist (annual report)
- Compile all reportable small breaches discovered during the year.
- Verify counts, dates, and narrative descriptions against your log.
- Submit via the HHS breach reporting portal within 60 days after year-end.
- Archive confirmations and maintain cross-references to case files.
Media Notification Requirements
You must notify prominent media outlets serving a state or jurisdiction when a breach affects more than 500 residents of that area. This notification must occur without unreasonable delay and no later than 60 days from discovery, and should align with the content provided to individuals.
Media notice is separate from substitute notice for insufficient addresses. Use media thoughtfully to reach affected residents and to provide accurate, consistent information.
Submission checklist (media notice)
- Determine affected residents by state or jurisdiction to assess the 500-resident threshold.
- Prepare a clear statement of what happened, the PHI involved, and remediation steps.
- Coordinate timing with individual and OCR notifications to maintain consistency.
- Retain copies of press statements and records of media outreach.
Business Associate Breach Reporting Obligations
Business associates must notify the covered entity of any breach without unreasonable delay and no later than 60 days from discovery. Contracts may require faster notice and specific content; follow your business associate agreement.
The notice to the covered entity should identify all affected individuals (if known), describe the impermissible disclosure, outline the types of PHI involved, and include dates, mitigation steps, and a contact point for follow-up. If the business associate is delegated to issue notifications, it must meet all timelines and content standards.
Submission checklist (for business associates)
- Activate your incident response plan and preserve evidence.
- Provide the covered entity with incident facts, affected counts, and PHI types.
- Share ongoing investigation results and mitigation actions.
- Support the covered entity’s OCR, media, and individual notifications.
Risk Assessment for Breach Determination
Conduct and document a four-factor risk assessment to evaluate whether there is a low probability that PHI has been compromised. This assessment must be specific to the incident and reflect objective evidence.
The four required factors
- Nature and extent of the PHI involved, including identifiers and risk of re-identification.
- The unauthorized person who used the PHI or to whom it was disclosed.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
Applying the assessment
- Document how each factor supports your conclusion and retain supporting artifacts.
- Consider whether encryption, prompt retrieval, or binding assurances reduced risk.
- If low probability cannot be demonstrated, treat the event as a reportable breach.
Documentation and Record-Keeping Practices
Maintain thorough records of breach investigations, risk assessments, notifications, portal submissions, and remediation. Keep policies, procedures, workforce training, and sanction records current and aligned with your incident response plan.
Retain documentation for at least six years from the date of creation or last effective date, whichever is later. Include correspondence with business associates and evidence of compliance with state breach reporting regulations.
Submission checklist: what to retain
- Incident reports, forensic findings, and the completed risk assessment.
- Copies of individual notices, media statements, and OCR portal confirmations.
- Mitigation and corrective action plans, including timelines and accountability.
- Contractual communications with business associates and subcontractors.
- Updated policies, procedures, and training attestations tied to the event.
Conclusion
To meet HIPAA’s requirements, act quickly, document every step, and align your breach notification timeline to the 60-day outer limit. Use the HHS breach reporting portal for immediate reports of large breaches and for annual submissions of smaller incidents. Coordinate with business associates and account for state breach reporting regulations to ensure complete, timely compliance.
FAQs
What is the deadline for reporting large HIPAA breaches to OCR?
You must report breaches affecting 500 or more individuals to OCR without unreasonable delay and no later than 60 calendar days after discovery, using the HHS breach reporting portal.
How should breaches affecting fewer than 500 individuals be reported?
Log each incident and submit it to OCR through the HHS breach reporting portal no later than 60 days after the end of the calendar year in which it was discovered. Individual notices to affected people are still due within 60 days of discovery.
When is media notification required following a HIPAA breach?
Notify prominent media outlets when a breach involves more than 500 residents of a single state or jurisdiction. Provide media notice without unreasonable delay and no later than 60 days from discovery, consistent with individual notice content.
What records must be maintained after a breach investigation?
Keep the risk assessment, incident log, copies of notices, OCR portal confirmations, mitigation and corrective action documentation, workforce training and sanction records, and relevant business associate communications for at least six years.