Healthcare Security Incident Reporting: HIPAA Requirements, Timelines, and Best Practices
HIPAA Breach Notification Rule
What counts as a breach
Under HIPAA, a breach is the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by the Privacy Rule that compromises its security or privacy. The rule presumes a breach unless you determine, through a documented assessment, that there is a low probability the PHI was compromised.
Unsecured protected health information and safe harbor
Notification duties apply only when unsecured protected health information is involved. PHI is considered “secured” when it is rendered unusable, unreadable, or indecipherable to unauthorized individuals—typically via strong encryption or proper destruction. If PHI is securely encrypted or destroyed in accordance with recognized guidance, the safe harbor generally eliminates breach notification.
Breach risk assessment
You must conduct and retain a breach risk assessment for every potential incident. Evaluate at least four factors: the nature and extent of PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. This analysis drives your decision to notify and informs your incident response documentation.
Individual notification: content, method, and breach notification timelines
For notifiable breaches, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. “Discovery” occurs on the first day the breach is known or should reasonably have been known to the organization, including through a workforce member.
- Content: describe what happened (including dates), the types of PHI involved, steps individuals should take, your mitigation and prevention actions, and how to contact you for help.
- Method: provide written notice by first-class mail or email if the individual has agreed to electronic notice. For fewer than 10 people with insufficient contact details, use an alternative method (e.g., phone). For 10 or more, provide a conspicuous substitute notice (e.g., website posting or media), including a toll-free number for at least 90 days.
- Law enforcement delay: if a law enforcement official states that notice would impede an investigation or cause damage to national security, delay notifications for the period specified.
Reporting to HHS Secretary
Thresholds and timelines
HHS Secretary reporting is required for all notifiable breaches, with timing based on the number of affected individuals. For breaches affecting 500 or more individuals in a single state or jurisdiction, you must report without unreasonable delay and no later than 60 days after discovery. For breaches affecting fewer than 500 individuals, you may log them and submit to HHS within 60 days after the end of the calendar year in which the breaches were discovered.
Submission details
Prepare for HHS Secretary reporting by compiling the incident description, discovery and breach dates, number of individuals affected, types of PHI involved, your breach risk assessment outcome, mitigation steps, and contact information. Maintain credentials and role-based access for your reporting portal, and ensure your counts and jurisdictions are accurate to avoid duplicate or fragmented filings.
Practical tips for accuracy
- Start drafting your HHS submission as soon as you confirm a notifiable event; refine as the investigation matures.
- Centralize evidence (forensics notes, system logs, emails) to support your narrative and timeline.
- Coordinate with counsel and your privacy officer to ensure consistency between individual notices and HHS Secretary reporting.
Media Notification Requirements
When media notice is required
If a breach involves 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. This is in addition to individual notices and HHS Secretary reporting.
Form and content
Issue a clear press release that mirrors the individual notice: what happened, what types of PHI were involved, steps affected people should take, your mitigation and prevention actions, and contact channels. Coordinate timing so media notification aligns with the mailing of individual notices, and ensure message consistency to prevent confusion.
Coordination and exceptions
If law enforcement requests a delay, hold the media notification for the approved period. Keep records of the request and your release timing as part of your incident response documentation.
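The individual, HHS and media deadlines described above, worked as an added example (not the page's or Accountable's own code): it takes a discovery date and a constructed per-jurisdiction count of affected individuals, applies the safe-harbor and risk-assessment exits, the 500-person thresholds (per jurisdiction for media, total for HHS, as in the FAQ) and any law-enforcement hold, and returns one deadline per required notice. The `Breach` fields and the treatment of the hold as pushing every deadline out are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 calendar days after discovery"
LARGE_BREACH = 500                   # threshold for media notice and prompt HHS reporting


@dataclass
class Breach:
    discovered: date                         # first day known or reasonably should have been known
    affected_by_jurisdiction: dict           # constructed input, e.g. {"CA": 620, "NV": 12}
    phi_secured: bool = False                # encrypted/destroyed per guidance -> safe harbor
    low_probability_of_compromise: bool = False  # documented breach risk assessment outcome
    law_enforcement_delay: timedelta = timedelta(0)  # hold period stated by the official


def notification_deadlines(b: Breach) -> dict:
    """Return {notice: deadline} for every notification the breach triggers."""
    # Safe harbor, or a documented low-probability finding, rebuts the presumption of breach.
    if b.phi_secured or b.low_probability_of_compromise:
        return {}
    total = sum(b.affected_by_jurisdiction.values())
    # Assumption: a law-enforcement hold pushes every discovery-based deadline out by its length.
    prompt = b.discovered + NOTICE_WINDOW + b.law_enforcement_delay
    deadlines = {"individuals": prompt}
    # Media notice is owed per state/jurisdiction with 500 or more residents affected.
    for jurisdiction, count in b.affected_by_jurisdiction.items():
        if count >= LARGE_BREACH:
            deadlines[f"media:{jurisdiction}"] = prompt
    if total >= LARGE_BREACH:
        deadlines["hhs"] = prompt
    else:
        # Under 500 in total: log it and file within 60 days after the end of the calendar year.
        year_end = date(b.discovered.year, 12, 31)
        deadlines["hhs"] = year_end + NOTICE_WINDOW + b.law_enforcement_delay
    return deadlines


def overdue(b: Breach, today: date) -> list:
    """Names of notices whose deadline has already passed as of `today`."""
    return sorted(k for k, d in notification_deadlines(b).items() if today > d)


if __name__ == "__main__":
    incident = Breach(date(2024, 3, 15), {"CA": 620, "NV": 12})
    for notice, due in notification_deadlines(incident).items():
        print(f"{notice:14} due {due}")
```

Feed it the counts from your tracking checklist and compare the returned dates against the task tracker so nothing slips past the 60-day window.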
Business Associate Reporting Obligations
Obligations to covered entities
Business associates must notify the covered entity of any breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery. The notice should identify each affected individual and include information the covered entity needs to provide individual, media, and HHS Secretary reporting.
Contractual timelines and scope
Business associate agreements (BAAs) often set shorter internal deadlines (e.g., 24–15 days) and may require reporting of security incidents that fall short of a breach. Honor the stricter BAA standard and escalate suspected incidents immediately so the covered entity can meet breach notification timelines.
Delegated notifications
Some BAAs authorize the business associate to deliver individual and media notices on the covered entity’s behalf. If delegated, align content with the covered entity’s branding and ensure that call centers, FAQs, and remediation services (e.g., credit monitoring, identity protection) are ready on day one.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Internal Reporting Procedures
Intake and triage
Make it easy for workforce members to report lost devices, misdirected mailings, phishing, or suspicious access. Use a single intake channel, apply clear severity criteria, and route immediately to your privacy and security leads. Early triage preserves the 60-day window for action.
Investigation and containment
Secure affected systems, revoke compromised credentials, and preserve logs and images for analysis. Interview involved personnel, identify the data elements at risk, and determine whether PHI was actually acquired or viewed. Document each step to support your breach risk assessment.
Decision and escalation
Conclude the risk assessment, decide if the event is a notifiable breach, and get leadership sign-off. If notifiable, prepare content for individuals, HHS Secretary reporting, and any required media notice. Track tasks and deadlines in a centralized checklist to ensure nothing slips.
Incident Response Phases
1) Preparation
Maintain current policies, contact lists, and decision trees. Pre-draft notification templates and train staff on reporting lines. Validate encryption, backups, and segmentation to reduce the likelihood of unsecured PHI exposure.
2) Detection and analysis
Monitor for alerts from SIEM, DLP, EDR, and access logs. Correlate events, scope affected systems and records, and start the breach risk assessment. Establish the discovery date to anchor breach notification timelines.
3) Containment
Isolate impacted endpoints, block malicious traffic, and disable affected accounts. Coordinate with vendors and business associates to close gaps while preserving forensic integrity and chain of custody.
4) Eradication and recovery
Remove malware, patch vulnerabilities, rotate keys, and validate system integrity. Restore from clean backups and monitor for recurrence. Record corrective and preventive actions that will appear in your notifications.
5) Notification and coordination
Finalize individual notices, HHS Secretary reporting, and any media release. Synchronize timing, proofread all content, and test your contact channels. If law enforcement is involved, confirm any authorized delay in writing.
6) Post-incident improvement
Hold a lessons-learned review, update procedures, and strengthen controls. Track remediation commitments to closure and integrate them into your risk management plan.
Compliance Documentation Practices
What to document
- Incident response documentation: discovery date, timelines, containment steps, forensics, decisions, and approvals.
- Breach risk assessment worksheets and evidence supporting a “low probability of compromise,” if applicable.
- Copies of individual notices, media releases, and HHS Secretary reporting submissions.
- BAAs, vendor communications, and any delegated-notice arrangements.
- Policies, procedures, training records, sanctions, and proof of technical safeguards (e.g., encryption status).
Retention and accessibility
Retain required HIPAA documentation for at least six years from creation or last effective date, whichever is later. Keep a breach log for incidents affecting fewer than 500 individuals and make it easily retrievable for annual HHS Secretary reporting and audits.
Defensible records
Maintain a clear, time-stamped chronology of actions, decisions, and who performed them. Strong documentation demonstrates reasonable diligence, supports compliance reviews, and helps you refine future breach notification timelines and practices.
In short, build repeatable processes that surface incidents quickly, complete a rigorous breach risk assessment, and execute timely notices to individuals, the media when required, and through HHS Secretary reporting—backed by thorough records that stand up to scrutiny.
FAQs
What are the HIPAA timelines for breach notification?
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For HHS Secretary reporting, file within 60 days of discovery if 500 or more individuals are affected; otherwise, log breaches under 500 and submit within 60 days after the end of the calendar year. Media notification is also due within 60 days when 500 or more residents of a state or jurisdiction are affected.
How does a business associate report a security incident?
Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI, supplying all details needed for notices. Many BAAs impose shorter deadlines and may require reporting broader “security incidents,” so follow the stricter, contract-defined requirements.
When is media notification required for a breach?
Issue media notice when a breach affects 500 or more residents of a single state or jurisdiction. Provide it without unreasonable delay and no later than 60 days after discovery, and align the message with individual notices and HHS Secretary reporting.
What records must be kept for HIPAA compliance?
Keep incident response documentation, breach risk assessments, copies of all notices, HHS Secretary submissions, BAAs, policies and procedures, training and sanctions records, and evidence of safeguards such as encryption. Retain HIPAA-required documentation for at least six years from creation or last effective date.