Guide: What Happens After a HIPAA Breach Report to HHS OCR


Kevin Henry

HIPAA

January 23, 2025

6-minute read

Breach Reporting Requirements

A HIPAA breach involves the impermissible use or disclosure of Protected Health Information (PHI) that compromises its security or privacy. Under the Breach Notification Rule, you must evaluate any suspected incident involving unsecured PHI to determine whether notification is required.

Covered Entities and Business Associates share duties. Covered Entities notify affected individuals, the Secretary of Health and Human Services (through the Office for Civil Rights, or OCR), and in some cases the media. Business Associates must notify the relevant Covered Entity about breaches they discover, including the identities of affected individuals and the scope of PHI involved.

Exceptions exist, such as unintentional access by authorized workforce members acting in good faith, or disclosures where the recipient could not reasonably retain the information. If PHI is secured (for example, properly encrypted), the incident may fall outside breach notification obligations.

Breach Reporting Process

Once you detect a potential breach, act quickly to contain the incident and mitigate harm. Secure systems, preserve logs, and launch a documented investigation. Conduct a risk assessment to decide if the incident likely compromised PHI and triggers notification duties.

If notification is required, prepare: a description of what happened, the types of PHI involved, steps individuals should take, measures you are taking to investigate and mitigate, and contact information. Use OCR’s online portal to file the report to the Secretary of Health and Human Services. Maintain records of your decisions, timelines, and corrective actions.

Business Associates should coordinate with Covered Entities to ensure consistent facts and messaging. Update Notice of Privacy Practices if needed and implement corrective measures such as retraining, access changes, and technical safeguards.

Breach Reporting Deadlines

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more residents of a single state or jurisdiction, notify prominent media outlets and report to OCR within the same 60-day window.

For breaches affecting fewer than 500 individuals, you still must notify each affected individual without unreasonable delay. You may aggregate and submit the report to OCR no later than 60 days after the end of the calendar year in which the breaches were discovered.

Business Associates must notify the relevant Covered Entity without unreasonable delay and no later than 60 days from discovery, providing the information the Covered Entity needs to complete notifications.

Breach Confirmation Procedures

Confirming a breach centers on a four-factor risk assessment: (1) the nature and extent of PHI involved, including identifiers and likelihood of re-identification; (2) the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated.

Document your analysis, including evidence of encryption, access controls, or recovery of the information. If you determine a low probability of compromise based on the assessment, record the rationale. If not, proceed with notifications and corrective actions as required by the Breach Notification Rule.


OCR Investigation Process

After you submit a breach report, OCR triages the matter to decide whether to open an investigation or conduct a compliance review. If it proceeds, OCR typically requests policies, procedures, risk analyses, training records, Business Associate Agreements, incident logs, and evidence of notifications.

OCR evaluates adherence to the Privacy, Security, and Breach Notification Rules and may provide technical assistance, seek voluntary corrective action, or negotiate a resolution agreement with a corrective action plan. Some matters advance into broader compliance audits when systemic gaps are suspected.

Investigations can take months. Throughout, respond promptly, preserve evidence, and demonstrate remediation, including risk management, workforce training, and technology updates.

Public Disclosure of Breaches

For incidents affecting 500 or more individuals, OCR lists the breach on its public breach portal, often called the “Wall of Shame.” Entries typically include the organization’s name, number of individuals affected, breach type, and the location of PHI involved. Listings remain visible while OCR reviews and after closure for public transparency.

This disclosure is separate from individual and media notifications. Even when posted publicly, you must still complete all required notifications and corrective measures.

Enforcement Actions and Penalties

Following an investigation, OCR may close the case with technical assistance, enter into a resolution agreement with a corrective action plan, or impose civil monetary penalties. In deciding on enforcement action, OCR considers factors such as the nature and extent of the violation, the resulting harm, the entity's history of compliance, and its efforts to mitigate.

Penalty tiers are based on culpability, from reasonable cause to willful neglect, and amounts scale with the duration and severity of noncompliance. In addition, state attorneys general may bring civil actions, and certain egregious conduct may be referred for criminal enforcement. Robust risk analysis, timely breach response, and documented remediation can significantly reduce enforcement exposure.

Conclusion

After a HIPAA breach report to HHS OCR, your obligations extend beyond filing a form. You must notify affected parties on time, document a defensible risk assessment, cooperate with OCR's review, remediate root causes, and strengthen your program to withstand compliance audits. Consistent, well-evidenced actions are your best defense against severe penalties.

FAQs

Who is responsible for investigating HIPAA breaches?

OCR investigates reported breaches for compliance with the Privacy, Security, and Breach Notification Rules. Covered Entities and Business Associates must investigate internally, document findings, and cooperate with OCR’s requests during any review or formal investigation.

What steps does OCR take after receiving a breach report?

OCR screens the report, may request additional information, and decides whether to open an investigation or compliance review. It evaluates policies, risk analyses, safeguards, notifications, and remediation, then closes the matter with technical assistance, a resolution agreement with a corrective action plan, or civil monetary penalties.

How are breaches publicly disclosed?

Breaches affecting 500 or more individuals are posted on OCR’s public breach portal, listing the organization, number affected, breach type, and PHI location. This is in addition to required individual and, when applicable, media notifications.

What penalties can be imposed for HIPAA violations?

Penalties range from technical assistance and corrective action plans to tiered civil monetary penalties, depending on the level of culpability and harm. Aggravating or mitigating factors, prior compliance history, and remediation efforts influence the final outcome of HIPAA enforcement actions.
