HIPAA Breach Notification Rule: 60-Day Deadline and HHS OCR Requirements


Kevin Henry

HIPAA

August 01, 2024


Overview of the HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and their business associates to notify specific parties after a breach of unsecured protected health information (PHI). PHI is "unsecured" unless it has been rendered unusable, unreadable, or indecipherable to unauthorized persons under HHS guidance, which in practice means encryption consistent with NIST guidance (with the decryption key not also compromised) or proper destruction. For PHI secured that way, notification is generally not required, so the incident file should show how the data was protected and that the key was not exposed.

A "breach" is presumed whenever there is an impermissible use or disclosure of PHI, unless you can document, through a risk assessment, a low probability that the PHI has been compromised. That assessment must consider at least four factors: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification), the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. The Rule also excludes three narrow situations from the definition of breach: an unintentional, good-faith access by a workforce member acting within their authority; an inadvertent disclosure between two persons authorized to access PHI at the same organization; and a disclosure where the organization has a good-faith belief that the recipient could not reasonably have retained the information. Each exception still has to be documented.

Business associates must promptly inform the affected covered entity, and the covered entity is responsible for notifying individuals, HHS OCR, and, when applicable, the media. Effective breach notification procedures translate these legal requirements into clear, repeatable operational steps.

Timelines for Notification Compliance

The 60-day deadline runs from the breach discovery date: the first day you know, or by exercising reasonable diligence would have known, that a breach occurred. A covered entity is treated as knowing what any workforce member or agent knows, so a breach discovered by an employee or by a business associate acting as your agent starts the clock even if leadership learns of it later. Notices must be provided without unreasonable delay and in no case later than 60 calendar days from discovery; the 60 days is an outer limit, not a safe harbor, and waiting until day 59 without a documented reason can itself be a violation.

  • Individuals: Notify affected individuals without unreasonable delay, and never beyond 60 calendar days from the breach discovery date.
  • Business associates: Notify the covered entity without unreasonable delay and no later than 60 days after the business associate discovers the breach, providing the identities of impacted individuals (to the extent known) and the details the covered entity needs for its own notices. A business associate agreement may set a shorter contractual deadline.
  • HHS OCR: For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and within 60 days of discovery, contemporaneously with the individual notices. For fewer than 500 individuals, log the event and submit it to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
  • Media: If 500 or more residents of a single state or jurisdiction are affected, notify prominent media outlets serving that area without unreasonable delay and within 60 days of discovery.
  • Substitute notice: When contact information is insufficient or outdated for 10 or more individuals, post a conspicuous notice on the home page of your website (or provide notice in major print or broadcast media where the individuals likely reside) for at least 90 days, including a toll-free number that stays active for at least 90 days.
  • Law enforcement delay: If a law enforcement official states that notice would impede a criminal investigation or damage national security, delay the notices. A written statement specifying a time period lets you delay for that period; an oral statement must be documented, and the delay may last no more than 30 days from the oral statement unless a written statement follows.

Many state breach laws impose additional or shorter deadlines for certain data types. Align your HIPAA breach notification procedures to meet the most stringent applicable timeline.
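The timeline rules above interact (the 500-person thresholds, the calendar-year anchor for small breaches, the 10-person substitute-notice threshold, and a possible law-enforcement delay), so incident responders often keep them in code rather than recompute them under pressure. The following is an added example written for this article, not code from the original page or from any HHS tool. It encodes the federal deadlines described above; the `BreachFacts` fields and function names are this example's own, and its treatment of a written law-enforcement delay (the delay end date becomes a floor on each deadline) is an assumption stated in the code. State-law deadlines are deliberately not modeled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

OUTER_LIMIT_DAYS = 60        # outer limit after discovery (individuals, HHS 500+, media, BA -> CE)
SUBSTITUTE_NOTICE_DAYS = 90  # minimum duration of website posting and toll-free line


@dataclass
class BreachFacts:
    discovered: date                      # first day the breach was (or should have been) known
    affected_total: int                   # individuals whose unsecured PHI was involved
    affected_by_jurisdiction: dict = field(default_factory=dict)  # state/jurisdiction -> residents
    insufficient_contact: int = 0         # individuals with missing or outdated contact information
    law_enforcement_delay_until: Optional[date] = None  # end date from a WRITTEN law-enforcement request
    is_business_associate: bool = False   # True when the reporting party is a BA, not a covered entity


def outer_limit(discovered: date) -> date:
    """Latest permissible date: 60 calendar days after the discovery date."""
    return discovered + timedelta(days=OUTER_LIMIT_DAYS)


def hhs_deadline(discovered: date, affected_total: int) -> date:
    """HHS OCR deadline: within 60 days of discovery for 500+ individuals; otherwise
    60 days after the end of the calendar year of discovery. Anchoring on December 31
    means the small-breach date is March 1 in most years and February 29 in a leap year."""
    if affected_total >= 500:
        return outer_limit(discovered)
    return date(discovered.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)


def media_jurisdictions(affected_by_jurisdiction: dict) -> list:
    """States or jurisdictions whose resident count (500+) triggers media notice."""
    return sorted(j for j, n in affected_by_jurisdiction.items() if n >= 500)


def substitute_notice(insufficient_contact: int) -> Optional[str]:
    """Substitute-notice obligation based on how many individuals cannot be reached."""
    if insufficient_contact <= 0:
        return None
    if insufficient_contact < 10:
        return "alternative notice (written, telephone, or other means)"
    return (f"conspicuous website posting or major media notice for {SUBSTITUTE_NOTICE_DAYS} days "
            f"plus a toll-free number active for {SUBSTITUTE_NOTICE_DAYS} days")


def notification_plan(facts: BreachFacts) -> dict:
    """Return the deadlines and obligations that follow from the facts.

    Assumption (this example's, not the Rule's text): a written law-enforcement delay
    that ends after a deadline moves that deadline to the delay end date; a delay that
    ends earlier leaves the original deadline in place.
    """
    limit = outer_limit(facts.discovered)

    def apply_delay(deadline: date) -> date:
        delay = facts.law_enforcement_delay_until
        return max(deadline, delay) if delay else deadline

    if facts.is_business_associate:
        # A BA notifies the covered entity; the CE then owns individual, HHS and media notices.
        return {"notify_covered_entity_by": apply_delay(limit)}

    media = media_jurisdictions(facts.affected_by_jurisdiction)
    return {
        "individuals_by": apply_delay(limit),
        "hhs_by": apply_delay(hhs_deadline(facts.discovered, facts.affected_total)),
        "hhs_route": "portal report within 60 days" if facts.affected_total >= 500
                     else "annual breach-log submission",
        "media_by": apply_delay(limit) if media else None,
        "media_jurisdictions": media,
        "substitute_notice": substitute_notice(facts.insufficient_contact),
    }


if __name__ == "__main__":
    # Constructed scenario: 650 individuals, discovered 2024-03-15, 520 of them Texas residents,
    # 12 with unusable contact details.
    large = BreachFacts(date(2024, 3, 15), 650, {"TX": 520, "OK": 130}, insufficient_contact=12)
    for key, value in notification_plan(large).items():
        print(f"{key}: {value}")
```

Run against a breach of 40 individuals discovered on 2 November 2024, the same function reports the individual deadline as 1 January 2025 but the HHS deadline as 1 March 2025, which is the kind of split that gets missed when the two dates are tracked by hand.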

Notification Requirements for Affected Individuals

Provide written notice by first-class mail to the individual (or to the next of kin or personal representative if the individual is deceased), or by email if the individual has agreed to receive electronic notices. In urgent situations involving possible imminent misuse of the PHI, you may also contact individuals by telephone or other means, but that does not replace the written notice. Use clear, plain language and ensure accessibility for your populations.

Required content elements

  • A brief description of what happened, including the date of the breach and the breach discovery date, if known.
  • A description of the types of unsecured protected health information involved (for example, names, dates of birth, addresses, account numbers, diagnoses).
  • Steps affected individuals should take to protect themselves from potential harm.
  • What your organization is doing to investigate, mitigate harm, and prevent future incidents.
  • Contact methods for questions or assistance (toll‑free number, email, website, or postal address).

For fewer than 10 individuals with insufficient or outdated contact information, use an alternative form of written notice, telephone, or other means. For 10 or more, provide substitute notice via a conspicuous posting on your website home page for at least 90 days or a conspicuous notice in major print or broadcast media where the individuals likely reside, and include a toll-free number that remains active for at least 90 days.

Reporting Obligations to HHS OCR

Use the HHS OCR breach portal to submit reports. For incidents involving 500 or more individuals, report without unreasonable delay and within 60 days of discovery, contemporaneously with the individual notices; HHS posts these breaches on its public breach portal. Include the number of affected individuals, the location and type of incident, the categories of PHI involved, key dates, mitigation steps, and your current status. Submit an addendum if new material facts emerge, such as a revised count of affected individuals.

For breaches affecting fewer than 500 individuals, maintain a breach log and report each incident to HHS no later than 60 days after the end of the calendar year in which the breach was discovered. Business associates do not report directly to HHS unless they are also covered entities; instead, they must timely inform the relevant covered entity.


Media Notification for Large Breaches

If a breach involves 500 or more residents of a single state or jurisdiction, you must notify one or more prominent media outlets serving that area within 60 days of discovery. This media notice complements, but does not replace, individual notices and the HHS OCR submission.

Media notices should be factual and include the same core elements required for individual notifications, without disclosing names. Coordinate messaging across press releases, call scripts, and website statements to ensure accuracy and consistency.

Documentation and Workforce Training

Maintain documentation for at least six years, including policies, risk assessments, breach determinations, notifications, HHS submissions, and any law enforcement delay requests. The burden of proof is on the covered entity or business associate: you must be able to demonstrate that every required notification was made, or that the impermissible use or disclosure did not constitute a breach. Consistent records are what make that showing possible.

What to document

  • Incident timeline, including the breach discovery date and investigative actions.
  • Risk assessment supporting your breach determination and mitigation steps.
  • Copies of all notices sent, with dates, recipients, and delivery methods.
  • HHS OCR report confirmations and subsequent updates.
  • Business associate communications and contract (BAA) obligations fulfilled.
  • Workforce training rosters, materials, and sanctions applied when appropriate.

Training focus areas

  • Prompt incident reporting and escalation to privacy and security officials.
  • How to recognize and contain suspected breaches (e.g., phishing, misdirected emails, lost devices).
  • Standard breach notification procedures and scripts for consistent responses.
  • Business associate coordination and handoffs to meet HIPAA timelines.

Consequences of Non-Compliance

HHS OCR enforces the Rule through investigations, resolution agreements, and civil monetary penalties. Findings often require corrective action plans with multi‑year monitoring. Delayed notices, incomplete content, missing breach logs, or inadequate risk assessments are common triggers for enforcement.

  • Potential outcomes include civil monetary penalties, corrective action plans, reputational harm, class‑action litigation, and parallel enforcement by state attorneys general.
  • Common pitfalls: waiting the full 60 days without justification, failing to treat email or mailing errors as potential breaches, not documenting the low‑probability‑of‑compromise analysis, and weak business associate oversight.
  • Risk reduction: encrypt portable devices, minimize PHI in outbound communications, test your incident response, and rehearse the first 72 hours after discovery.

Conclusion

The HIPAA Breach Notification Rule centers on timely, well-documented responses to incidents involving unsecured protected health information. Pin down the breach discovery date, treat 60 days as an outer limit rather than a target, deliver complete notices, report to HHS OCR through the route that matches the breach size, and maintain the records and training that prove due diligence.

FAQs

What is the 60-day deadline for HIPAA breach notification?

The 60‑day deadline is the outer limit to notify after the breach discovery date. You must notify affected individuals without unreasonable delay and never later than 60 calendar days from discovery. For 500 or more individuals, you must also notify HHS OCR within 60 days and, when 500 or more residents of a state or jurisdiction are impacted, notify the media within the same timeframe.

How does the HHS OCR enforcement affect covered entities?

HHS OCR investigates reported breaches and can require corrective action plans and impose civil monetary penalties when violations are found. OCR typically examines your risk analysis, breach notification procedures, timeliness and content of notices, workforce training, and business associate management to determine compliance and appropriate remedies.

When is media notification required under HIPAA?

Media notification is required when a breach involves 500 or more residents of a single state or jurisdiction. You must notify prominent media outlets serving that area without unreasonable delay and within 60 days of discovery, in addition to notifying affected individuals and reporting to HHS OCR.

What documentation is necessary for breach notifications?

Keep a complete incident file: the risk assessment supporting your breach determination, the breach discovery date and timeline, copies of notices sent, HHS OCR reports and confirmations, business associate communications, and evidence of workforce training. Retain these records for at least six years to demonstrate compliance with HIPAA requirements.
