Compliance Guide: HHS OCR Enforcement of the HIPAA Breach Notification Rule
Breach Notification Deadlines
The HIPAA Breach Notification Rule requires you to notify affected individuals of a breach of unsecured Protected Health Information without unreasonable delay and no later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known to your organization, or would have been known had you exercised reasonable diligence. Knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the organization, so the 60-day clock can start before leadership or the compliance team is informed.
For breaches affecting 500 or more individuals, you must meet the individual notice deadline and send parallel notifications to the Office for Civil Rights and, when applicable, the media. For fewer than 500 individuals, the same 60-day individual notice deadline applies; you must also log the incident and include it in your annual report to HHS.
- Individuals: Notice without unreasonable delay, not to exceed 60 days from discovery.
- HHS (500+ individuals): Report without unreasonable delay, not to exceed 60 days from discovery.
- HHS (<500 individuals): Report within 60 days after the end of the calendar year in which the breach was discovered.
Your notices must include a brief description of what happened (including the dates of the breach and of its discovery, if known), the types of information involved, steps individuals should take to protect themselves, what you are doing to investigate the breach, mitigate harm, and prevent recurrence, and how individuals can contact you. A thorough, documented risk assessment supports defensible decisions about whether an incident constitutes a breach under the HIPAA Breach Notification Rule.
Media Notification Requirements
If a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days from discovery. This media notice complements—rather than replaces—direct individual notices.
If contact information is insufficient or out of date for 10 or more affected individuals, you must provide substitute notice. Acceptable methods are a conspicuous posting on your website home page for at least 90 days or a conspicuous notice in major print or broadcast media, in either case paired with a toll-free number that stays active for at least 90 days so individuals can learn whether they were affected. If contact information is missing for fewer than 10 individuals, substitute notice may instead be given by an alternative form of written notice, by telephone, or by other means.
Media and substitute notices should mirror individual notice content: what happened, the types of Protected Health Information involved, steps individuals can take, your mitigation and prevention efforts, and your contact channels. Clear, plain language helps individuals act quickly to reduce potential harm.
Business Associates' Responsibilities
Business Associates are directly obligated to report breaches of unsecured Protected Health Information to the Covered Entity without unreasonable delay and no later than 60 days from discovery. Your report should identify, to the extent possible, each affected individual and include all other information the Covered Entity needs to complete individual, HHS, and media notifications.
Business Associate Agreements must spell out breach reporting processes, timing, and cooperation duties. As a Business Associate, you are also directly liable for Security Rule safeguards and certain Privacy Rule provisions, which makes your security program, including the documented risk analysis the Security Rule requires, central to compliance and timely breach response.
Practical steps include establishing incident intake channels, documenting investigations, preserving evidence, and maintaining up‑to‑date contact data so the Covered Entity can meet notification deadlines. Coordinated testing between Covered Entities and Business Associates reduces errors and delays when a real incident occurs.
Enforcement and Penalties
OCR enforces the HIPAA Breach Notification Rule through complaint investigations and Compliance Reviews, using its investigative tools—including data requests, interviews, and Subpoena Authority—to obtain records and testimony. Findings can lead to resolution agreements with corrective action plans, monitoring, or civil money penalties.
Civil money penalties are tiered by culpability, from violations the organization did not know about (and could not reasonably have known about) up to willful neglect that is not corrected, and are adjusted for the nature and extent of the violation, the number of individuals affected, the harm caused, prior compliance history, and the timeliness and completeness of breach notifications. OCR may refer potential criminal violations (such as intentional misuse of PHI) to the Department of Justice, which prosecutes them under the HIPAA criminal provisions.
Strong governance, a current enterprise-wide risk analysis, and demonstrable mitigation efforts often reduce enforcement exposure. Conversely, failure to perform the required risk analysis, delayed notifications, and inadequate notice content are frequent aggravating factors in enforcement outcomes.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
OCR Enforcement Actions
OCR commonly resolves breach notification cases through settlement agreements that require targeted remediation, workforce training, policy updates, technical safeguards, and multi‑year reporting. Where warranted, OCR imposes civil money penalties, particularly when willful neglect or repeated noncompliance is evident.
Enforcement themes include late or missing notices, incomplete notice content, failure to timely notify OCR, and weak security controls that reflect a missing or inadequate risk analysis. You should anticipate robust evidence requests, potential on‑site reviews, and verification of corrective actions before a case is closed.
To prepare, maintain an incident response playbook, evidence‑ready logs, contracts that clearly allocate Business Associate reporting duties, and a tested communications plan covering individuals, OCR, and media. These artifacts help demonstrate diligence during OCR reviews.
Reporting to HHS
Use the HHS breach reporting portal to submit required information. For incidents involving 500 or more individuals, file without unreasonable delay and no later than 60 days after discovery. For incidents involving fewer than 500 individuals, submit your annual report within 60 days after the end of the calendar year in which the breach was discovered.
Your report should identify the Covered Entity or Business Associate, the number of affected individuals, the breach type and location, dates of breach and discovery, a brief narrative of what happened, mitigation steps, and media or substitute notice details where applicable. Maintain copies of submissions and confirmations for audit readiness.
OCR's Annual Reports
Each year, OCR compiles and publishes analyses of reported breaches and enforcement results. These annual reports highlight trends such as leading breach causes, common control failures, and recurring issues in notice timing and content. You can use these insights to benchmark your program and prioritize risk reduction.
Build an internal review cycle that maps OCR’s findings to your controls, closes documentation gaps, and tests breach notification workflows. By aligning with patterns surfaced in OCR’s Annual Reports, you demonstrate a proactive compliance posture that reduces both breach impact and enforcement risk.
In summary, timely, complete notifications; a documented, enterprise‑wide risk analysis; clear Business Associate coordination; and disciplined reporting to HHS form the core of compliance. These practices position you to satisfy the HIPAA Breach Notification Rule and withstand OCR scrutiny.
FAQs
What federal entity enforces the HIPAA Breach Notification Rule?
The U.S. Department of Health and Human Services’ Office for Civil Rights enforces the HIPAA Breach Notification Rule, including investigations, Compliance Reviews, settlements, and civil money penalties.
How does OCR investigate breach notification violations?
OCR assesses complaints and breach reports, issues information requests, conducts interviews, and may perform on‑site reviews. It can compel evidence using its Subpoena Authority, evaluate your risk analysis and response, and require corrective actions or impose penalties.
What penalties can arise from failure to comply with the breach notification rule?
Penalties range from resolution agreements with corrective action plans and monitoring to tiered civil money penalties. In egregious cases involving intentional misuse of PHI, OCR can refer the matter to the Department of Justice for criminal prosecution, where criminal penalties are imposed by the courts rather than by OCR.
When must breaches be reported to the Secretary of HHS?
For breaches affecting 500 or more individuals, report without unreasonable delay and no later than 60 days from discovery. For fewer than 500 individuals, log the incident and submit it to HHS within 60 days after the end of the calendar year in which the breach was discovered.