HIPAA Annual Breach Reporting: Requirements, Deadline, and How to File with HHS



Kevin Henry

HIPAA

December 17, 2025


When a privacy or security incident compromises Protected Health Information (PHI), HIPAA’s Breach Notification Rule sets clear obligations for notifying individuals and the Department of Health and Human Services (HHS). This guide explains the breach reporting requirements, the annual deadline, and how to submit to HHS using the OCR Breach Reporting portal.

Breach Reporting Requirements

Under the Breach Notification Rule, covered entities must notify affected individuals and must notify HHS of each breach of unsecured PHI. Business associates must alert the covered entity without unreasonable delay; the covered entity remains responsible for the HHS report (a business associate may submit on the covered entity’s behalf if authorized to do so).

A “breach” generally means an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. You must perform and document a risk assessment and, unless that assessment demonstrates a low probability that the PHI has been compromised, proceed with the required notifications.

  • Who reports to HHS: covered entities (or an authorized business associate on their behalf).
  • What gets reported: each qualifying incident involving unsecured PHI, including key facts about what happened and mitigation steps taken.
  • Recordkeeping: maintain a log of breaches affecting fewer than 500 individuals for annual OCR reporting.

The “discovery” date—when the breach is known or should reasonably have been known—starts the reporting clock for both individual notice and HHS notification.

Reporting Deadlines

Breaches affecting 500 or more individuals

Report to HHS without unreasonable delay and in no case later than 60 calendar days after discovery. Individual notifications (and, when required, media notice) follow the same timing standard.

Breaches affecting fewer than 500 individuals

Report to HHS on an annual basis—no later than 60 days after the end of the calendar year in which the breaches were discovered (for example, breaches discovered in 2025 must be reported by March 1, 2026). You must still notify impacted individuals without unreasonable delay.

Reporting Methods

Prepare your submission

  • Identify the covered entity and, if applicable, the business associate involved.
  • Document discovery date, number of individuals affected (or best estimate), types of PHI, how the breach occurred, and mitigation/corrective actions.
  • Designate a point of contact who can respond promptly to OCR inquiries.

Use the OCR Breach Reporting portal

Access the Reporting Portal, select whether you are a covered entity or business associate, and choose the option for “500 or more” or “fewer than 500” individuals. Complete the required fields, attest to accuracy, and submit.

Save your Transaction Number

After submission, you receive a Transaction Number. Retain it; you will need it to reference the report, provide updates, or respond to OCR follow-up.

Follow through

Monitor for OCR communications, answer questions promptly, and maintain documentation supporting your report and remediation steps.


Handling Multiple Breaches

Enter each discrete breach event separately. For incidents affecting 500 or more individuals, submit individual reports within 60 days of discovery—grouping is not permitted. For incidents affecting fewer than 500 individuals, you may submit all entries during the annual reporting window, but each breach still requires its own report in the portal.

Maintain a year-round breach log capturing discovery date, affected count, PHI elements, cause, mitigation, and status. This makes the annual OCR Breach Reporting process faster and more accurate.

Addressing Reporting Uncertainty

If you have not finalized the affected count or certain details by the reporting deadline, submit the best information available using a good‑faith, documented methodology. Clearly indicate that figures are preliminary, then update your submission as your investigation refines the numbers.

  • Provide a reasonable estimate if exact counts are pending.
  • Use the Transaction Number to supplement or correct your report.
  • Document assumptions and steps taken with reasonable diligence.

Contacting HHS for Assistance

For questions about how to complete the online forms or technical issues with the Reporting Portal, contact the portal’s help resources. For policy questions—such as how to classify an incident or whether an exception applies—reach out to the Office for Civil Rights (OCR), referencing your Transaction Number if a report is already on file.

Key takeaways

  • Report large breaches (500+) to HHS within 60 days of discovery; report smaller breaches annually.
  • Use the OCR Breach Reporting portal and retain your Transaction Number for updates.
  • When details are uncertain, submit timely with best‑available facts and update promptly.

FAQs

What is the deadline for reporting breaches affecting fewer than 500 individuals?

You must report them to HHS no later than 60 days after the end of the calendar year in which they were discovered—for example, breaches discovered in 2025 are due by March 1, 2026.

How do covered entities submit breach reports to HHS?

Submit through the OCR Breach Reporting portal, selecting the appropriate option for breach size. Complete the required fields, attest, and submit; the system will issue a Transaction Number for tracking and updates.

Can multiple breaches be reported together?

You may submit multiple entries during the annual filing period for breaches affecting fewer than 500 individuals, but each incident must be entered as a separate report. Breaches affecting 500 or more individuals must be reported individually within 60 days of discovery.

What should be done if the number of affected individuals is uncertain?

File by the deadline with a documented, good‑faith estimate and note that the figures are preliminary. Use your Transaction Number to supplement or correct the report as your investigation clarifies the final count.
