HHS Breach Report Submission: How to Report a HIPAA Breach to HHS OCR


Kevin Henry

Data Breaches

February 13, 2026


Determine Reporting Deadlines

If you discover a potential breach of unsecured protected health information (PHI), your first task is to confirm whether HIPAA breach notification is required and to identify the correct breach reporting deadline for notifying the HHS Office for Civil Rights (OCR). The deadline depends on how many individuals were affected and when you discovered the incident.

  • 500 or more individuals: Report to HHS OCR without unreasonable delay and in no case later than 60 calendar days from the date of discovery. The 60-day clock counts calendar days, starting the day after discovery.
  • Fewer than 500 individuals: Maintain a breach log and submit your HHS notice no later than 60 days after the end of the calendar year in which the breach was discovered (typically by March 1 of the following year).
  • Business associates: Notify the covered entity without unreasonable delay and no later than 60 days from discovery. With authorization, a business associate may complete the electronic breach submission on the covered entity’s behalf.
  • Law enforcement delay: If a law enforcement official determines that notification would impede an investigation or threaten national security, document the request and delay notifications consistent with the official’s written statement or documented oral request.

Set internal targets (for example, draft within 15 days and finalize by day 30) to ensure adequate time to complete the breach notification form, obtain approvals, and meet the applicable deadline.

Access Breach Reporting Portal

Use the HHS OCR Breach Portal to make an electronic breach submission. The portal routes you to the correct workflow based on your role and the breach size, helping you provide a complete and timely HHS breach report submission.

  1. Open the HHS Office for Civil Rights Breach Notification Portal.
  2. Select “Start a new breach report” (wording may vary) and choose whether the incident affected 500 or more or fewer than 500 individuals.
  3. Indicate whether you are filing as a covered entity or a business associate (filing on behalf of a covered entity, if authorized).
  4. Review portal instructions and any attestation notices, then proceed to the online breach notification form.
  5. Have supporting details ready (timeline, scope, mitigation, and contacts) so you can complete the form accurately in one session.

Before you begin, gather internal documentation you may reference during data entry (risk assessment summary, investigation timeline, counts by state, and mitigation steps). Avoid uploading unnecessary PHI; include only what OCR requests.

Complete Breach Notification Form

The breach notification form collects structured information OCR needs to evaluate the incident and your response. Provide precise, consistent entries; if certain facts are still evolving, enter your best current information and plan to update the report later, if needed.

Organization and point of contact

  • Legal name of the covered entity (and business associate, if applicable), type of entity, and mailing address.
  • Primary point of contact: name, title, phone, and email. This person receives OCR breach reporting feedback and all follow‑up.
  • Relationship details if a business associate is filing on behalf of a covered entity.

Incident timeline and scope

  • Dates: when the breach occurred (or date range) and date of discovery.
  • Number of individuals affected (enter your best current count) and jurisdictions involved (states/territories).
  • Whether the breach involved unsecured PHI and, if applicable, whether data were encrypted at the time of the incident.

How the breach occurred and what was involved

  • Type of breach (for example, hacking/IT incident, unauthorized access/disclosure, theft, loss, improper disposal, or other).
  • Location of information (e.g., email, EHR/server, paper records, laptop, portable device, cloud repository).
  • Type of PHI involved (such as names, addresses, dates of birth, medical record numbers, diagnoses, treatment information, Social Security numbers, driver’s license numbers, or financial data).

Safeguards, mitigation, and notifications

  • Security measures in place at the time (encryption, access controls, MFA, audit logging) and any gaps identified.
  • Corrective actions and mitigation steps taken (credential resets, containment, retrieval of data, vendor coordination, workforce retraining).
  • Consumer protections offered (credit monitoring, identity repair, call center support).
  • Patient notification status and dates; media notice status for breaches affecting 500+ in a state/jurisdiction.
  • Any law enforcement delay request and its duration, if applicable.

Attachments and attestations

  • Upload only requested supporting documents (for example, a summary of your risk assessment). Redact unnecessary PHI.
  • Complete the attestation certifying the accuracy of the submission. An authorized official should review before submission.

Submit Breach Report

Before finalizing, review all entries for internal consistency (dates align, counts match narrative, and contact details are correct). Confirm the breach reporting deadline is met for the applicable category and that your narrative clearly explains the incident and remediation.

When ready, certify and submit the breach notification form. Maintain copies of your completed form, any uploaded materials, and a record of when the electronic breach submission was made. If you later learn new material facts, plan to update the report promptly.

Receive Breach Tracking Number

After successful submission, the portal displays a unique breach tracking number and typically emails a confirmation to your designated point of contact. Save this number in your incident file; you will use it to reference the matter, provide updates, and respond to OCR inquiries.

  • Quote the breach tracking number in all correspondence with OCR.
  • Use the number to submit corrections or supplemental details if counts change or new facts emerge.
  • Monitor the contact email (and spam folder) for OCR breach reporting feedback or requests for additional information.

Contact OCR for Assistance

If you need help using the portal, encounter technical issues, or must correct an error after submission, use the contact options provided within the HHS OCR Breach Portal. You may also reach out to the appropriate OCR regional office for process guidance. When contacting OCR, include your organization’s name, date of submission, and the breach tracking number to expedite assistance.

Summary

To complete an HHS breach report submission efficiently: determine the correct breach reporting deadline, access the HHS Office for Civil Rights Breach Portal, complete the breach notification form with accurate, concise details, submit the report electronically, and retain the breach tracking number for follow‑up. Proactive documentation and timely updates help ensure a compliant HIPAA breach notification process and a smoother OCR review.

FAQs

What is the deadline for reporting a HIPAA breach to HHS OCR?

For breaches affecting 500 or more individuals, report to HHS OCR without unreasonable delay and no later than 60 calendar days from discovery. For breaches affecting fewer than 500 individuals, report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.

How do I access the HHS OCR Breach Portal?

Go to the HHS Office for Civil Rights Breach Notification Portal, choose to start a new breach report, select the correct size category (500+ or fewer than 500), and identify your role as a covered entity or business associate to open the online form.

What information is required on the breach notification form?

You will provide organization and contact details, breach dates and scope, the number of individuals affected, how the incident occurred, where the information resided, the types of PHI involved, safeguards in place, mitigation and corrective actions, notification status, and any law enforcement delay. You will also attest to the accuracy of the submission and may upload limited supporting documentation.

How do I receive confirmation of my breach report submission?

After you submit the form, the portal displays an on‑screen confirmation with a unique breach tracking number and typically sends a confirmation email to your designated point of contact. Retain this number for future updates and OCR correspondence.
