HIPAA Breach Notification to HHS: Deadlines, Requirements, and How to Submit


Kevin Henry

Data Breaches

December 05, 2025


Reporting Breaches Affecting 500 or More Individuals

When a breach of Unsecured Protected Health Information affects 500 or more individuals, Covered Entities must notify the U.S. Department of Health and Human Services (HHS) without unreasonable delay and no later than 60 calendar days from discovery. “Discovery” occurs on the first day the breach is known to the entity or would have been known with reasonable diligence, including knowledge by any workforce member or agent other than the person committing the breach.

You must also notify affected individuals and, if 500 or more residents of a single state or jurisdiction are impacted, follow Media Notification Requirements by notifying prominent media outlets within the same 60-day window. If a law enforcement official states that notice would impede an investigation or cause harm to national security, you may delay notifications for the time specified in a written statement, or up to 30 days based on an oral request that you document.

Submit the report to HHS through the HHS Breach Reporting Portal. Do not wait for a completed investigation to start the clock. If certain details are not yet known, file timely with what you have and submit updates as new facts are confirmed.

  • Activate incident response immediately, secure systems, and preserve evidence.
  • Verify whether the data was “unsecured” (for example, not encrypted or destroyed according to accepted standards) under the Breach Notification Rule.
  • Launch and document a four-factor risk assessment to confirm breach status and scope.
  • Coordinate individual, HHS, and media notices to meet parallel deadlines.

Reporting Breaches Affecting Fewer than 500 Individuals

For breaches impacting fewer than 500 individuals, you must still notify each affected individual without unreasonable delay and within 60 calendar days of discovery. However, reporting to HHS may be aggregated: maintain a breach log and submit those events to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered.

Keep a separate entry for each incident in your annual submission via the HHS Breach Reporting Portal. If multiple small breaches occur throughout the year, you will report them all in one annual filing. Continue to preserve evidence, complete your risk assessment, and implement mitigation as you would for a larger breach.

  • Maintain a contemporaneous log that records discovery dates, individual counts, states of residence, and final determinations.
  • Ensure your log is accurate—HHS expects exact counts and dates, not estimates.

Notification Submission Process

HHS collects breach information electronically. Preparing complete, consistent information will reduce back-and-forth and help you meet deadlines. The following sequence fits both large-breach and annual-submission workflows.

Step 1: Determine report type

  • 500 or more individuals: submit an individual breach report promptly.
  • Fewer than 500 individuals: include each breach on your year-end submission.

Step 2: Assemble required data

  • Entity details: legal name of the Covered Entity, type (health plan, provider, HIE, or clearinghouse), and primary contact.
  • Business Associates: whether a Business Associate was involved and its name and role.
  • Timeline: date of breach, date of discovery, and reason for any delay.
  • Scope: number of individuals affected and their states of residence.
  • Nature of incident: theft, loss, unauthorized access/disclosure, hacking/IT incident, or improper disposal; location of PHI (e.g., email, EHR, paper records, laptop).
  • Data elements: types of Unsecured Protected Health Information involved (e.g., names, addresses, Social Security numbers, diagnoses, medications, images).
  • Mitigation: steps taken to contain the breach, reduce harm, and prevent recurrence.
  • Notices: dates and methods of individual notice, and whether media notice was required and completed.

Step 3: File via the HHS Breach Reporting Portal

  • Enter all required fields and provide a clear, factual narrative of what happened.
  • Submit on time even if investigations continue; update the record as new material information emerges.
  • Save the submission confirmation and a PDF copy for your Security Incident Documentation file.

Content of Breach Notification

Individual notice content

Under the Breach Notification Rule, your notice to individuals must be written in plain language and include:

  • A brief description of what happened, including the breach and discovery dates.
  • The types of Unsecured Protected Health Information involved.
  • Steps individuals should take to protect themselves (e.g., credit monitoring, password changes, vigilance for phishing).
  • What you are doing to investigate, mitigate harm, and protect against future incidents.
  • How to contact you for questions (toll-free number, email, or postal address).

Method and timing of individual notice

  • Send written notice by first-class mail, or by email if the individual agreed to electronic notice.
  • If you have insufficient or outdated contact information for fewer than 10 individuals, use an alternative method such as telephone.
  • If contact information is insufficient for 10 or more individuals, provide substitute notice via a conspicuous website posting or major print/broadcast media for at least 90 days and maintain a toll-free call center for the same period.
  • Use urgent means (such as telephone) in addition to written notice if immediate action is needed to prevent harm.

HHS notice content

Your HHS submission mirrors the above and adds operational details: the number of individuals affected, states of residence, whether a Business Associate was involved, the type and location of the breach, mitigation steps, and whether media notice was required. Keep the narrative concise and factual; avoid speculation. Update the record if your individual count or analysis changes.


Additional State and Media Reporting Requirements

Media Notification Requirements apply when a breach affects 500 or more residents of a single state or jurisdiction. In that case, you must notify prominent media outlets serving that area without unreasonable delay and within 60 days of discovery. This media notice supplements, not replaces, individual notices.

State breach notification laws may also apply and can be stricter than HIPAA. Many states require notifying the attorney general or consumer protection authority, impose shorter timelines (often 30–45 days), and may mandate notice to consumer reporting agencies at higher thresholds. Evaluate both HIPAA and state requirements for every incident and follow the most stringent applicable timeline.

Business Associate Breach Notification

Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery of a breach. The notice must include, to the extent possible, the identities of affected individuals and all information the Covered Entity needs to provide its notices. If a subcontractor Business Associate is involved, it must notify its upstream Business Associate, who then notifies the Covered Entity.

Your Business Associate Agreement should specify roles for individual, HHS, and media notices. Some Covered Entities require the Business Associate to draft notices or provide services like call centers and credit monitoring; others require the Business Associate to notify on the Covered Entity’s behalf. Whatever the allocation, the Covered Entity remains ultimately responsible for compliance under the Breach Notification Rule.

Documentation and Compliance Requirements

Maintain comprehensive Security Incident Documentation for at least six years. Your file should include incident detection records, investigation notes, forensic outputs, the four-factor risk assessment, final breach determination, copies of all notices, HHS submission confirmations, media notifications, call-center scripts, and remediation actions. Strong documentation is your evidence that you met every deadline and requirement.

  • Policies and training: keep current breach response plans; train workforce members and Business Associates on reporting and escalation.
  • Technical and administrative safeguards: harden email and endpoints, enforce MFA, encrypt devices, tighten access controls, and complete post-incident audits.
  • Safe harbor reminder: if PHI was properly encrypted or destroyed per accepted standards, it is not Unsecured Protected Health Information and breach notification is generally not required.
  • Continuous improvement: analyze root causes and implement corrective actions; document and test your improvements.

Conclusion

Timely, accurate HIPAA Breach Notification to HHS is achievable when you act quickly, document thoroughly, and follow the Breach Notification Rule step by step. Determine whether PHI was unsecured, complete your risk assessment, notify individuals and—when required—HHS and the media within 60 days, and maintain a defensible record of every decision and action you take.

FAQs

What is the deadline for reporting breaches to HHS?

For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 calendar days from discovery. For breaches affecting fewer than 500 individuals, log each incident and submit them to HHS no later than 60 days after the end of the calendar year in which they were discovered. Individual notices to affected people are still due within 60 days of discovery in both scenarios.

How do business associates report breaches?

Business Associates must notify the Covered Entity without unreasonable delay and within 60 calendar days of discovery, providing the identities of affected individuals and other required details. The Covered Entity then provides individual, HHS, and any media notices unless the Business Associate Agreement assigns some or all of those tasks to the Business Associate to perform on the Covered Entity’s behalf.

What information must be included in the breach notification?

Your notices should explain what happened (including breach and discovery dates), identify the types of Unsecured Protected Health Information involved, advise individuals on steps to protect themselves, and describe what you are doing to investigate, mitigate harm, and prevent recurrence. Include clear contact information and, for HHS submissions, operational details like the incident type, number of individuals affected, states of residence, and whether a Business Associate was involved.

What are the exceptions to the breach definition under HIPAA?

HIPAA recognizes three narrow exceptions: an unintentional access or use by a workforce member in good faith within the scope of authority without further improper use; an inadvertent disclosure between authorized persons within the same Covered Entity, Business Associate, or organized health care arrangement without further improper use; and disclosures where you have a good-faith belief the unauthorized recipient could not reasonably have retained the information. Additionally, if PHI is secured (for example, properly encrypted or destroyed), it is not Unsecured Protected Health Information and breach notification is generally not required.
