HIPAA Breach Notification Timeline: 60-Day Rule and Deadlines for Individuals, HHS, and Media
The HIPAA breach notification timeline centers on a strict 60-day rule. When an impermissible disclosure or use of Protected Health Information (PHI) is discovered, you must move quickly, apply the required risk assessment factors, and send timely notices to affected individuals, the Secretary of Health and Human Services (HHS), and, when triggered, the media.
Breach Definition and Risk Assessment
What counts as a breach
A breach is the impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. A breach is presumed unless you demonstrate a low probability that the PHI has been compromised based on a documented risk assessment.
Regulatory exceptions
Not every privacy incident is a breach. Exceptions include: unintentional access or use by a workforce member acting in good faith and within scope; inadvertent disclosure between authorized persons within the same organization; and disclosures where the recipient is not reasonably able to retain the information.
Discovery and when the clock starts
“Discovery” occurs on the first day the breach is known—or would have been known with reasonable diligence—by your organization or its agents. The 60 calendar days begin at discovery, and you must act “without unreasonable delay,” not waiting until day 60 if earlier notice is feasible.
Risk Assessment Factors
- The nature and extent of PHI involved, including types of identifiers and likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which risks have been mitigated (for example, obtaining a satisfactory return or destruction of data).
Document how each factor supports a “low probability” conclusion or, if not, proceed with breach notification. Keep this analysis as part of your compliance record.
Individual Notification Requirements
Timeline and urgency
Provide written notice to each affected individual without unreasonable delay and no later than 60 calendar days from discovery. For urgent situations involving imminent misuse, you may also notify by telephone or other immediate means.
Method of notice
Send letters by first-class mail to the last known address, or by email if the individual has agreed to electronic notice. If a single individual’s contact data is insufficient, use an alternative method reasonably calculated to reach that person.
Substitute Notice
- Fewer than 10 individuals with insufficient contact info: use alternative means such as telephone, email, or other appropriate channels.
- 10 or more individuals with insufficient or outdated contact info: provide conspicuous substitute notice via your website home page or major print/broadcast media in areas where affected individuals likely reside. Maintain a toll‑free phone number for at least 90 days so people can learn whether they were impacted.
Content requirements
Your letter must use clear, plain language and include: a brief description of what happened (including dates of breach and discovery); the types of PHI involved; steps individuals should take to protect themselves; what your organization is doing to investigate, mitigate harm, and prevent recurrence; and contact methods (toll‑free phone, email, website, or postal address).
HHS Notification Deadlines
When and to whom
Notify the Secretary of Health and Human Services through the breach reporting process. For breaches affecting 500 or more individuals, notify HHS without unreasonable delay and no later than 60 calendar days from discovery. For breaches affecting fewer than 500 individuals, log them and submit to HHS no later than 60 days after the end of the calendar year in which they were discovered.
Information to include
Provide the covered entity or business associate name, number of affected individuals, breach dates and discovery date, a description of the incident and types of PHI involved, mitigation steps, and your media and individual notification status. Update submissions as new details emerge.
Media Notification Protocols
Trigger threshold and deadline
If a breach involves 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days from discovery.
Form and content
Issue a press release or equivalent statement that mirrors the individual notice content. Coordinate timing so media, HHS, and individual notices align and are accurate.
Law enforcement delay
If a law enforcement official states that notice would impede an investigation or harm national security, you may delay notifications. A written statement controls for the time it specifies; an oral statement permits a temporary delay, typically up to 30 days, pending written confirmation.
Business Associate Obligations
Reporting to the covered entity
Business associates must notify the covered entity of any breach of unsecured PHI without unreasonable delay and no later than 60 calendar days from discovery. Include the identification of each affected individual and all available information the covered entity needs to provide notices.
Contractual expectations
Because the covered entity’s 60-day clock runs from its own discovery, agreements should require shorter business associate reporting windows (for example, 5–10 days), continuous updates as facts develop, and clear allocation of who drafts and sends notices.
Scope and mitigation
Business associates must investigate impermissible disclosures, contain and mitigate harm, preserve evidence, and support the covered entity’s risk assessment and notification process.
Encryption Safe Harbor Provisions
Unsecured vs. secured PHI
The breach rule applies to unsecured PHI. PHI is “secured” when rendered unusable, unreadable, or indecipherable to unauthorized persons through approved encryption methodologies or destruction methods recognized by HHS guidance.
Encryption methodologies
Strong encryption for data at rest and in transit, paired with robust key management, generally qualifies for safe harbor. If the encryption key is compromised, or encryption is improperly implemented, the incident may still be reportable.
Destruction methods
For paper, use shredding, pulping, or incineration. For electronic media, use secure wipe or physical destruction consistent with industry standards to ensure PHI cannot be reconstructed.
Documentation and Penalties
What to document
Maintain written risk assessments, incident and decision logs, copies of individual, HHS, and media notices, evidence of mitigation, and any law enforcement delay requests. Retain policies, procedures, training records, and business associate agreements. Keep breach-related documentation for at least six years.
Civil Penalties for HIPAA Violations
OCR enforces HIPAA with a tiered civil monetary penalty structure that scales from “did not know” to “willful neglect not corrected,” with annual inflation adjustments. Factors include the nature and extent of the violation, number of individuals affected, duration, harm caused, and your organization’s compliance posture. Remedies often include corrective action plans alongside monetary penalties.
FAQs
What is the 60-day rule for HIPAA breach notification?
It requires you to provide breach notifications without unreasonable delay and in no case later than 60 calendar days from discovery. The timeline applies to individual notices and, when thresholds are met, to HHS and media notifications.
How are media notified of a HIPAA breach?
If 500 or more residents of a state or jurisdiction are affected, issue a press release or similar statement to prominent media outlets serving that area. Do so without unreasonable delay and no later than day 60, and ensure the content matches what individuals receive.
When must business associates report a breach?
Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering the breach, providing all details the covered entity needs to issue timely notices. Contracts should set shorter internal deadlines to support compliance.
What documentation is required after a HIPAA breach?
Keep a written risk assessment, incident log, copies of all notices, mitigation and remediation records, and any law enforcement delay requests, plus relevant policies, procedures, training, and business associate agreements. Retain breach documentation for at least six years.