HIPAA Breach Notification Checklist: Meet the 60-Day HHS OCR Deadline


Kevin Henry

HIPAA

August 01, 2024


This HIPAA breach notification checklist helps you meet the 60-day HHS OCR deadline with confidence. Use it to structure covered entity notification, HHS Secretary reporting, media outlet notification, business associate obligations, substitute notice criteria, and the documentation you need to prove compliance.

Breach Notification Deadline Requirements

Start the clock: breach discovery timeline

  • Discovery occurs the first day you know, or reasonably should know, that unsecured PHI was compromised—this is Day 0 of your breach discovery timeline.
  • Knowledge by any workforce member or agent (other than the person committing the incident) is imputed to the organization, so escalate immediately.

The 60-day rule and “without unreasonable delay”

  • You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery.
  • Calendar days include weekends and holidays; do not wait for a final investigation report if you can provide a complete notice sooner.
  • Set an internal target (for example, 30–45 days) to leave room for quality checks and printing/mailing timelines.

Required content for individual notice

  • A concise description of what happened, including the breach and discovery dates.
  • The types of PHI involved (for example, names, addresses, dates of birth, medical record numbers, diagnoses, or account numbers).
  • Steps individuals should take to protect themselves (credit monitoring, fraud alerts, password changes, etc.).
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • How to contact you: a toll-free number, email, postal address, or website.

Delivery methods for covered entity notification

  • Provide written notice by first-class mail to the individual’s last known address, or by email if the individual has agreed to electronic notice.
  • In cases requiring urgent action, you may supplement with telephone or other appropriate means, but this does not replace the written notice.

Permissible law enforcement delay

  • If law enforcement states that notice would impede a criminal investigation or threaten national security, delay all required notifications for the period specified by law enforcement.
  • Document the request (oral requests permit a short, time-limited delay; written requests control for the period specified).

Reporting to HHS Secretary Guidelines

HHS Secretary reporting thresholds and timing

  • 500 or more affected individuals: report to the HHS Secretary without unreasonable delay and no later than 60 calendar days after discovery.
  • Fewer than 500 affected individuals: log each breach and submit to the HHS Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.

Submission essentials

  • Report each incident via the HHS breach reporting portal, providing entity information, incident description, number of affected individuals, location/type of breach, and mitigation steps.
  • Ensure consistency between your HHS Secretary reporting and your individual notices (dates, counts, and descriptions should match).

Tip: Build a checklist to cross-verify counts, discovery date, substitute notice usage, and whether media outlet notification was required, so your HHS Secretary reporting aligns end-to-end.


Media Notification Obligation

When media outlet notification is required

  • If the breach involves 500 or more residents of a single state or jurisdiction, you must provide notice to prominent media outlets serving that area.
  • Send media notices without unreasonable delay and no later than 60 calendar days after discovery—on the same timeline as individual notices.

What to include and how to coordinate

  • Media notices must contain the same core content as individual notices and be written in plain language.
  • Coordinate press statements, consumer FAQs, call-center scripts, and website postings to ensure message consistency and to reduce confusion.

Business Associate Breach Reporting

Business associate obligations and timing

  • Business associates must notify the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery.
  • Business associate obligations often include shorter contractual timelines (for example, 5–15 days); follow the strictest applicable requirement.

What business associates must provide

  • Identification of each affected individual and the facts known at the time (what happened, when, and what PHI was involved).
  • Ongoing updates as more information becomes available so the covered entity can meet the 60-day HHS OCR deadline.
  • Documentation supporting the risk assessment, mitigation steps, and any subcontractor involvement.

Coordination with covered entities

  • Clarify in the BAA who drafts, prints, and mails individual notices; who reports to the HHS Secretary; and who handles media outlet notification.
  • Maintain a single timeline to align business associate and covered entity actions and avoid late or duplicative notices.

Substitute Notice Procedures

When contact information is insufficient

  • Fewer than 10 individuals with insufficient or outdated contact information: use an alternative method reasonably calculated to reach the person (for example, telephone, email, or other appropriate means).
  • 10 or more individuals with insufficient or outdated contact information: provide substitute notice by a conspicuous website posting for at least 90 days or by notice in major print or broadcast media where the affected individuals likely reside.

Additional substitute notice requirements

  • If using a website or media substitute notice, include a toll-free number active for at least 90 days so individuals can determine whether their information was involved.
  • Apply substitute notice rules to undeliverable emails as well as returned mail; track counts to determine whether you cross the 10-person threshold.

Ensuring Timely Notifications

Operational timeline you can rely on

  • Day 0–1: Confirm discovery date, preserve evidence, and launch your risk assessment to confirm whether notification is required.
  • Day 2–7: Quantify affected individuals, validate addresses/emails, and draft plain-language notices.
  • Day 8–21: Finalize content, secure translations if needed, and approve call-center and web copy.
  • Day 22–35: Print and mail (or email) notices; prepare media outlet notification if required.
  • By Day 60: Complete all individual notices, required media notices, and HHS Secretary reporting for incidents affecting 500+ individuals.

Checklist to prevent “unreasonable delay”

  • Assign a single owner for the breach discovery timeline and the 60-day clock.
  • Stand up cross-functional huddles (privacy, security, legal, compliance, communications, and vendors) within 24 hours.
  • Pre-approve notice templates and vendor SLAs; test address hygiene, printing, and postage lead times quarterly.
  • If law enforcement requests a delay, record who requested it, when, and the exact period; restart the plan when the delay expires.

Documentation and Compliance Practices

HIPAA documentation requirements to evidence compliance

  • Maintain written policies and procedures covering covered entity notification, HHS Secretary reporting, media outlet notification, substitute notice criteria, and business associate obligations.
  • Retain all documentation (including risk assessments, notices, mailing proofs, media copies, call scripts, and logs) for at least six years from creation or last effective date.

Risk assessment and “breach” confirmation

  • Evaluate the nature and extent of PHI involved, the unauthorized person who used/received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
  • Document exceptions (for example, certain unintentional or inadvertent disclosures, or situations where the recipient could not reasonably retain the information) and encryption “safe harbor.”

Training, testing, and continuous improvement

  • Train workforce members annually and upon role change; emphasize rapid internal reporting to trigger Day 0 accurately.
  • Conduct tabletop exercises at least annually to validate timing, handoffs, decision criteria, and vendor readiness.
  • Audit sample incidents to ensure your notices are timely, accurate, and written in plain language.

Conclusion

To meet the 60-day HHS OCR deadline, anchor on a clear discovery date, move quickly but accurately, coordinate across teams and vendors, and document every decision. Consistent processes for covered entity notification, HHS Secretary reporting, media notices, business associate coordination, and substitute notice will keep you compliant and build trust with your patients and members.

FAQs

What is the deadline for notifying individuals about a HIPAA breach?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Weekends and holidays count, so start your clock on the day the breach is discovered and target earlier internal deadlines to avoid last-minute risks.

When must breaches be reported to the HHS Secretary?

For breaches affecting 500 or more individuals, report to the HHS Secretary without unreasonable delay and no later than 60 calendar days after discovery. For fewer than 500 individuals, log each incident and submit the report no later than 60 days after the end of the calendar year in which you discovered the breach.

How do business associates notify covered entities of breaches?

Business associates must notify the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery. They should provide the identities of affected individuals, a description of what happened, the PHI involved, mitigation steps, and ongoing updates so the covered entity can complete required notifications on time.

What are the substitute notice requirements if contact information is insufficient?

If fewer than 10 individuals have insufficient or outdated contact information, use an alternative method reasonably calculated to reach them (such as telephone). If 10 or more are affected, provide substitute notice by a conspicuous website posting for at least 90 days or by notice in major print or broadcast media where affected individuals likely reside, and include a toll-free number active for at least 90 days.
