HIPAA Breach Documentation Requirements: Complete Compliance Checklist and Timeline


Kevin Henry

HIPAA

March 10, 2026

8-minute read

Breach Discovery and Initial Response

What “discovery” means

A breach is “discovered” on the first day you know about it or would have known with reasonable diligence. Your organization is deemed to know of the breach when any workforce member or agent (other than the person committing it) becomes aware of it. Start your incident log on that date.

Immediate actions (first 24–72 hours)

  • Contain the incident: disable accounts, revoke access, isolate affected systems, and secure devices.
  • Preserve evidence: capture system logs, emails, tickets, and audit trails for HIPAA Security Rule documentation.
  • Confirm whether PHI was “unsecured” (e.g., unencrypted) and the scope of exposure.
  • Notify your privacy and security officers and convene your response team.
  • Launch a Protected Health Information Risk Assessment to evaluate notification obligations.
  • Begin breach risk mitigation strategies: reset credentials, patch vulnerabilities, and retrieve or certify destruction of misdirected PHI when possible.
  • Check for any law enforcement hold that may justify a brief delay of notices; document the request and duration.

Compliance checklist and timeline

  • Day 0: Record the discovery date; open an incident file and assign an owner.
  • Days 1–10: Complete preliminary fact gathering and four-factor risk assessment; decide if notification is required.
  • Days 1–30: Draft notices, validate contact data, and prepare substitute notice plans if needed.
  • By Day 60: Send individual notices without unreasonable delay and no later than 60 calendar days from discovery. If 500+ residents of a state or jurisdiction are affected, prepare media notice for the same deadline.
  • Secretary of HHS: For 500+ individuals, submit concurrent Notification to Secretary of HHS within 60 days of discovery; for fewer than 500, log and report within 60 days after the end of the calendar year.
  • Post-incident: Implement remediation, sanctions if appropriate, and document closure for covered entity breach reporting.

Notification Timelines and Procedures

Individuals

You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Use first-class mail (or email if the person agreed). If fewer than 10 individuals lack valid contact details, use alternative means. If 10 or more lack valid contact details, post a conspicuous website notice or use major print/broadcast media for at least 90 days and provide a toll-free number.

Secretary of HHS

  • 500 or more individuals affected: Submit Notification to Secretary of HHS without unreasonable delay and no later than 60 days from discovery.
  • Fewer than 500 individuals: Maintain a breach log and submit to HHS within 60 days after the end of the calendar year in which the breaches were discovered.

Media notice

If a breach involves more than 500 residents of a single state or jurisdiction, provide notice to prominent media outlets serving that area without unreasonable delay and no later than 60 days from discovery.

Law enforcement delay

You may delay notifications if a law enforcement official states that notice would impede a criminal investigation or threaten national security. Keep the written request on file (or, for an oral request, document the official's identity and statement and delay no longer than 30 days) and track the specified delay period.

Risk Assessment and Evaluation

Apply the four-factor analysis

To determine whether there is a low probability that PHI has been compromised, evaluate and document:

  • Nature and extent of PHI involved (identifiers, clinical details, and re-identification risk).
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (e.g., retrieval, confidentiality assurances, deletion certificates).

If your Protected Health Information Risk Assessment supports a low probability of compromise, you may forgo notification; retain the analysis and rationale in your incident file. If not, proceed with Breach Notification Rule compliance steps.

Encryption and security controls

If PHI was properly encrypted or securely destroyed in accordance with HHS guidance, it is not “unsecured PHI,” and breach notification is generally not required. Document the control in place at the time of the incident (algorithm, key management, device status) as part of HIPAA Security Rule documentation.


Documentation and Record Retention

What to document for every incident

  • Incident report: discovery date/time, systems and locations, description of events, and containment actions.
  • Risk assessment: your four-factor analysis, data elements involved, unauthorized recipients, and mitigation steps.
  • Determination: whether the event meets breach criteria and the decision to notify or not, with rationale.
  • Notices: copies of individual, media, and Notification to Secretary of HHS submissions, including dates sent.
  • Logs: counts of affected individuals by state/jurisdiction, substitute notice details, and returned mail handling.
  • Remediation: corrective actions, policy updates, workforce training, and sanctions where applicable.
  • Supporting evidence: audit logs, screenshots, retrieval or deletion attestations, and communications with business associates.

Documentation retention period

Retain breach documentation, policies, procedures, risk analyses, notices, and related HIPAA Security Rule documentation for at least six years from the date of creation or the date last in effect, whichever is later. If state or contractual requirements are longer, follow the strictest period.

Business Associate Notification Obligations

Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 calendar days after discovery. Your business associate agreement should specify a shorter internal target (e.g., 5–15 days) and the exact information to provide: identification of each affected individual, types of PHI involved, what happened, when it happened, and what mitigation steps have been taken.

Business associates must also flow these duties to subcontractors, cooperate in investigation and breach risk mitigation strategies, and maintain their own documentation and logs for the required retention period. Covered entities remain responsible for covered entity breach reporting unless your agreement assigns that task to the business associate.

Notification Content Standards

Required elements (plain-language notice)

  • A brief description of what happened, including the date of the breach and the date of discovery (if known).
  • The types of information involved (for example, names, dates of birth, diagnoses, medications, treatment details, Social Security or account numbers).
  • Steps individuals should take to protect themselves (monitoring accounts, placing fraud alerts or credit freezes, changing passwords, watching for phishing).
  • What you are doing to investigate the breach, mitigate harm, and prevent future incidents.
  • How to reach you for questions (toll-free number, email, postal address, and website as appropriate).
  • Offer of credit monitoring or identity protection when financial identifiers were exposed.
  • Clear timelines for available support and any enrollment deadlines.
  • Accessibility: translation, large print, and TTY/relay information as needed.

Compliance with State Laws and Media Notification

HIPAA sets baseline national requirements, but many states impose additional or faster obligations for health information or personal data. When both apply, follow the more stringent rule—often a shorter timeline, extra regulator notices, or specific content requirements. Coordinate with counsel to ensure Breach Notification Rule compliance alongside state mandates.

For media notification, if more than 500 residents of a single state or jurisdiction are affected, issue a press release or direct outreach to prominent media in that area without unreasonable delay and no later than 60 days from discovery. Align media content with the individual notice, avoid including sensitive details, and be prepared to answer follow-up questions consistently with your documented facts.

Conclusion

Meet HIPAA breach documentation requirements by acting quickly, applying the four-factor analysis, sending accurate and timely notices, and preserving a complete record for the documentation retention period. Build templates, train teams, and rehearse your process so you can execute covered entity breach reporting and Notification to Secretary of HHS on time and with confidence.

FAQs

What are the mandatory timeframes for HIPAA breach notification?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If a breach involves more than 500 residents of a state or jurisdiction, notify prominent media within the same 60-day window. Notify the Secretary of HHS within 60 days for breaches affecting 500 or more individuals; for fewer than 500, report within 60 days after the end of the calendar year. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery.

What must be included in the breach notification to individuals?

Include a brief description of what happened (with breach and discovery dates, if known), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate, and how to contact you (toll-free number, email, address, and website if used). Write in plain language and provide accessibility accommodations as needed.

How long must HIPAA breach documentation be retained?

Maintain breach-related records, policies, procedures, risk assessments, notices, logs, and corrective action evidence for at least six years from creation or last effective date, whichever is later. If state law, contract, or organizational policy requires a longer period, follow the longest applicable requirement.

What obligations do business associates have in breach notification?

Business associates must investigate, mitigate, and notify the covered entity of a breach without unreasonable delay and no later than 60 calendar days after discovery, providing available details about affected individuals, PHI types, incident timing, and mitigation efforts. They must flow these duties to subcontractors and keep complete documentation for the required retention period; the covered entity typically handles individual, media, and HHS notifications unless the agreement assigns that role to the business associate.
