Avoid Penalties: HIPAA 60-Day Breach Notice Best Practices and Examples
Breach Notification Deadline Compliance
When Unsecured Protected Health Information is compromised, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known to you, or would have been known had you exercised reasonable diligence; knowledge held by any workforce member or agent is imputed to you. If a business associate acts as your agent, its discovery starts your clock. If it is an independent contractor, your clock starts when it notifies you, while the business associate's own 60-day clock runs from its discovery.
Before notifying, complete and document a Breach Risk Assessment. A breach is presumed unless you can demonstrate a low probability of compromise by evaluating: the nature and extent of PHI, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent of mitigation (for example, verified destruction or retrieval).
If the PHI was secured in line with HHS guidance, that is, encrypted consistent with the NIST standards HHS references or destroyed so it cannot be reconstructed, it is not Unsecured PHI and the breach notification rule does not apply. The safe harbor is lost if the decryption key was compromised along with the data. Still, record your analysis and retain it; HIPAA documentation must be kept for at least six years, and the burden of proving that notification was not required rests with you.
Best practices
- Activate your incident response plan within 24 hours; assign privacy, security, legal, and communications leads.
- Timebox forensic scoping and data-mining so drafting can begin before day 30; issue rolling notices if needed.
- Track the statutory 60-day deadline and any law-enforcement holds in a centralized timeline.
- Document every decision and the Breach Risk Assessment to demonstrate Covered Entity Obligations were met.
Examples
- Stolen laptop with full-disk encryption that meets HHS guidance, powered off and with no key stored on or with the device: falls under Encryption Safe Harbor, no notification required; keep your assessment on file.
- Misdirected fax retrieved promptly from the receiving provider, itself a covered entity, which confirms it did not use or retain the information: the risk assessment can support a low probability of compromise; document the analysis to support no notification.
- Ransomware on a file server containing ePHI: presume a breach unless your assessment shows a low probability of compromise; proceed toward notification planning.
Notification Content Requirements
Your notice must be clear, concise, and written in plain language. Include only what individuals need to understand the event and protect themselves—avoid technical jargon.
Required elements
- What happened and when (date of breach and date of discovery).
- What types of Unsecured Protected Health Information were involved (for example, name, address, medical record number, diagnosis, treatment, insurance details, or Social Security number).
- What steps individuals should take to protect themselves (credit monitoring, fraud alerts, password changes, or provider-specific actions).
- What you are doing to investigate, mitigate harm, and prevent recurrence (containment, vendor controls, policy updates, training).
- How to contact you for more information (toll-free phone, email, and mailing address; include hours of operation).
Best practices
- Use headings and bullets for readability; offer translation or large-print versions when feasible.
- Align all notices (individual, HHS, and media) so facts and timelines match.
- Offer protective services proportionate to risk (for example, credit monitoring when SSNs are involved).
Example notice snippet
On September 12, we discovered that an unauthorized actor accessed a scheduling system on September 9. The information involved may have included your name, date of birth, patient account number, and appointment details; no Social Security numbers or payment card data were affected. We contained the incident the same day, engaged cybersecurity experts, and enhanced multifactor authentication. To learn more, call 1-800-000-0000 Monday–Friday, 8 a.m.–6 p.m.
Approved Methods of Notification
Send individual notices by first-class mail to the last known address. You may use email if the individual has agreed to receive electronic notice and has not withdrawn that agreement. If you know the individual is deceased and have the address of the next of kin or personal representative, mail the notice to them. For urgent situations involving possible imminent misuse, you may supplement the written notice with telephone or other expedient means, but not replace it.
Substitute Notice Requirements
- If fewer than 10 individuals have insufficient or outdated contact information, use an alternative method reasonably calculated to reach them (for example, email, phone, or other agreed means).
- If 10 or more individuals are unreachable, provide substitute notice by a conspicuous website posting for at least 90 days or by major print/broadcast media in affected areas. Include a toll-free number active for at least 90 days.
Best practices
- Verify addresses against recent returns and patient portal data before mailing.
- Maintain a 90-day website banner template you can deploy quickly for substitute notice.
- Log every mailing batch, bounce, and re-mail to prove reasonable diligence.
Examples
- Address verification shows 14 outdated addresses: post a homepage banner for 90 days and staff a dedicated toll-free line.
- Portal-enrolled patients: send electronic notices only to those who have agreed to electronic notice (portal enrollment alone is not that agreement), and mail first-class notices to everyone else.
Reporting Breaches to HHS
For 500 or more affected individuals in a single breach, submit a Secretary of Health and Human Services Notification without unreasonable delay and no later than 60 calendar days from discovery, contemporaneously with the individual notices. For fewer than 500 affected individuals, log the incident and report it to HHS no later than 60 days after the end of the calendar year in which the breach was discovered (March 1, or February 29 when the following year is a leap year).
What to include
- Covered entity or business associate identity and contact details.
- Number of affected individuals and the types of PHI involved.
- Incident dates, discovery date, and a concise description of what happened.
- Whether a business associate was involved and mitigation steps taken.
Best practices
- Use consistent numbers and dates across the individual notice, HHS submission, and media statement.
- If counts evolve, update your HHS report promptly and maintain version history.
- Keep a year-end breach log to ensure timely submission for sub-500 incidents.
Examples
- Single phishing incident affecting 612 individuals: submit the HHS report as soon as facts are known, and no later than day 60.
- Three small incidents affecting 45, 88, and 123 individuals discovered this year: record each and file them with HHS by March 1 next year.
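The deadlines in the examples above (and the individual, media and substitute-notice rules earlier on this page) are simple enough to encode, and doing so removes the most common timeline mistakes: forgetting that the sub-500 year-end deadline lands on February 29 in a leap year, or confusing the "500 or more" HHS trigger with the "more than 500 residents of one jurisdiction" media trigger. The following is an added example written for this article, not code from the page's author or any vendor; the function names and the constructed scenario are my own, and the thresholds restate 45 CFR 164.404, 164.406 and 164.408 as described on this page. It does not model law-enforcement delays, which must be handled per the official's written or oral statement.

```python
from __future__ import annotations

from datetime import date, timedelta

# 45 CFR 164.404 / 164.406 / 164.408: "without unreasonable delay and in no case
# later than 60 calendar days" after discovery. These constants restate the page.
NOTICE_WINDOW = timedelta(days=60)
HHS_IMMEDIATE_THRESHOLD = 500      # 500 or more affected: HHS report in the same window
MEDIA_THRESHOLD = 500              # MORE than 500 residents of one state/jurisdiction
SUBSTITUTE_NOTICE_THRESHOLD = 10   # 10 or more unreachable: website posting or media


def individual_deadline(discovered: date) -> date:
    """Last day to send individual notices: 60 calendar days after discovery."""
    return discovered + NOTICE_WINDOW


def hhs_deadline(discovered: date, affected: int) -> date:
    """500+: same 60-day window. Fewer than 500: 60 days after the end of the
    calendar year of discovery (March 1, or February 29 when that next year is leap)."""
    if affected >= HHS_IMMEDIATE_THRESHOLD:
        return discovered + NOTICE_WINDOW
    return date(discovered.year, 12, 31) + NOTICE_WINDOW


def media_notice_jurisdictions(affected_by_jurisdiction: dict[str, int]) -> list[str]:
    """Jurisdictions where the media-notice trigger (more than 500 residents) is met."""
    return sorted(j for j, n in affected_by_jurisdiction.items() if n > MEDIA_THRESHOLD)


def substitute_notice_method(unreachable: int) -> str:
    """Substitute-notice path, from the count of individuals with bad or missing addresses."""
    if unreachable == 0:
        return "none"
    if unreachable < SUBSTITUTE_NOTICE_THRESHOLD:
        return "alternative written, telephone or other means"
    return "conspicuous website posting or major media for 90 days plus toll-free number"


def build_timeline(discovered: date, affected_by_jurisdiction: dict[str, int],
                   unreachable: int, today: date) -> dict[str, object]:
    """Assemble the centralized timeline the page recommends tracking."""
    total = sum(affected_by_jurisdiction.values())
    individual_by = individual_deadline(discovered)
    return {
        "affected_total": total,
        "individual_notice_by": individual_by,
        "hhs_report_by": hhs_deadline(discovered, total),
        "media_notice_jurisdictions": media_notice_jurisdictions(affected_by_jurisdiction),
        "substitute_notice": substitute_notice_method(unreachable),
        "days_left_for_individual_notice": (individual_by - today).days,
    }


if __name__ == "__main__":
    # Constructed scenario (not from the page): discovered 2024-09-12,
    # 612 New York residents affected, 14 with outdated addresses, reviewed on 2024-09-20.
    print(build_timeline(date(2024, 9, 12), {"NY": 612}, 14, date(2024, 9, 20)))
```

The "days left" figure is what belongs on the incident dashboard: the 60-day limit is an outer bound, and OCR can still find a notice made within it unreasonably delayed if the facts were known much earlier.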
Media Notification Procedures
If a breach affects more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovery. Media notices should mirror individual notices and avoid sensitive specifics that could invite further harm.
Best practices
- Coordinate with legal and communications teams to balance transparency with privacy.
- Prepare a short press statement, a detailed Q&A, and a spokesperson brief to ensure consistent messaging.
- Time media outreach so it does not precede individual notices unless necessary to prevent imminent harm.
Example
A clinic discovers a breach impacting 1,200 residents of one county. The clinic mails individual notices, files the HHS report, and issues a press statement to major local outlets within the 60-day window, all reflecting the same dates and facts.
Business Associate Breach Reporting
Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach. The notice must identify, to the extent possible, each affected individual and provide the information the covered entity needs to notify patients and meet HHS reporting duties, supplying any details that become known later as soon as they are available.
Covered Entity Obligations
- Maintain current business associate agreements that set faster contractual notice windows (for example, 5–10 days) and data-handback requirements.
- Decide in advance whether the business associate or the covered entity will send individual notices and handle call-center operations.
- Audit business associate security controls and incident response readiness annually.
Example
A billing vendor detects unauthorized access to a statement archive. Under the BAA, the vendor alerts the covered entity within five days, provides a list of affected individuals and data elements, and supports printing and mailing under the covered entity’s letterhead.
Penalties for Non-Compliance
The HHS Office for Civil Rights (OCR) enforces the rule with a four-tier civil monetary penalty framework that scales with culpability: lack of knowledge, reasonable cause, willful neglect corrected within 30 days, and willful neglect not corrected. Common triggers include late notifications, an inadequate or undocumented Breach Risk Assessment, failure to follow Substitute Notice Requirements, weak policies, and poor workforce training. Resolutions often include corrective action plans, multi-year monitoring, and significant monetary settlements.
How to avoid penalties
- Encrypt laptops, mobile devices, and backups to benefit from Encryption Safe Harbor.
- Maintain a breach playbook with day-by-day tasks, templates, and approval paths.
- Train staff on spotting and escalating incidents; run periodic tabletop exercises.
- Centralize evidence (forensics, timelines, drafts) to demonstrate reasonable diligence.
- Align all outbound notices and HHS submissions to prevent inconsistencies.
Conclusion
Timely action, thorough documentation, and clear communication are your best defenses. By completing a rigorous Breach Risk Assessment, meeting the 60-day deadlines, selecting the right notification methods, and coordinating HHS and media steps, you reduce harm to individuals and minimize enforcement risk.
FAQs
What is the deadline for HIPAA breach notifications?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals also require notification to HHS (and, when applicable, media) within the same 60-day window. For breaches affecting fewer than 500 individuals, report them to HHS no later than 60 days after the end of the calendar year in which they were discovered.
What information must be included in breach notifications?
Explain what happened and when, the types of Unsecured Protected Health Information involved, steps individuals should take, what you are doing to investigate and mitigate, and how to reach you. Keep language clear and actionable, and provide a toll-free number and email for questions.
How should breaches affecting hundreds of individuals be reported to HHS?
If a single breach affects 500 or more individuals, submit a Secretary of Health and Human Services Notification without unreasonable delay and no later than day 60. If it affects hundreds but fewer than 500 individuals, record the incident and file it with HHS no later than 60 days after the end of that calendar year.
What are the penalties for failing to notify within 60 days?
Late or incomplete notices can lead to civil monetary penalties under the tiered framework, corrective action plans, and ongoing oversight by the HHS Office for Civil Rights. Penalties increase with willful neglect and failure to implement corrective measures, and they are typically accompanied by reputational damage and additional remediation costs.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.