HIPAA Breach Reporting Explained: 60-Day Timelines, OCR Reporting, Media Notices

Kevin Henry

HIPAA

August 01, 2024

7 minutes read
Breach Notification to Affected Individuals

If a breach of unsecured protected health information occurs, you must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. This notification timeline is an outer limit; you should move faster whenever feasible.

Who sends the notice

The covered entity is responsible for individual notifications as part of covered entity compliance with the Breach Notification Rule. A business associate may send notices on the covered entity’s behalf if your business associate agreement delegates that task, but the covered entity remains accountable.

How to notify individuals

  • Written notice by first-class mail to the individual’s last known address is the default.
  • Email is permitted if the individual has agreed to electronic notice.
  • If the individual is deceased, send the notice to the next of kin or personal representative when known.
  • For urgent situations where potential harm is imminent, you may supplement written notice with telephone or other immediate means.

Permissible law-enforcement delay

If a law-enforcement official states that notice would impede a criminal investigation or cause damage to national security, you may delay notification. When the statement is in writing and specifies a period, delay for that period. When the statement is oral, document it (including the identity of the official) and delay for no longer than 30 days from the date of the oral statement unless a written statement specifying a longer period arrives in the meantime. Keep the request on file and send the notices as soon as the delay expires; the delay pauses the obligation, it does not remove it.

What “unsecured” means

Unsecured protected health information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through a method HHS has specified in guidance (in practice, encryption consistent with that guidance, or destruction of the media). A lost laptop whose disk was properly encrypted, with the key not compromised, is the classic case of secured PHI. If the PHI was secured under an HHS-recognized method, the Breach Notification Rule's notice requirements do not apply; document the basis for that conclusion (for example, the encryption configuration and evidence that the key was not exposed) because you will need it if OCR asks.

Reporting Breaches to the Secretary of HHS

You must report breaches to the Department of Health and Human Services through the Office for Civil Rights (OCR). For breaches affecting 500 or more individuals, report to the Secretary without unreasonable delay and in no case later than 60 calendar days after discovery—generally contemporaneous with individual notice.

For breaches affecting fewer than 500 individuals, track them on a log and submit the report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered. You may aggregate multiple small incidents in that annual submission.

Practical steps

  • Use the OCR breach portal to submit required details (organization, incident dates, number affected, and a description consistent with the content elements below).
  • Align your HHS submission with the individual notice to keep facts consistent and reduce follow-up inquiries.
  • Retain documentation showing your notification timelines and decisions.

Media Notification Requirements

If a breach affects more than 500 residents of a single state or other jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. Media notice is in addition to individual notice and HHS reporting.

If individuals are spread across multiple states and no one state or jurisdiction has more than 500 affected residents, media notice is not required. When required, the media notice should mirror the content provided to individuals and avoid disclosing unnecessary PHI.

As with individual notices, a documented law-enforcement delay may postpone media notification for the specified period.

Definition of Discovery of a Breach

Discovery occurs on the first day a breach is known to the covered entity or business associate, including any employee, officer, or agent other than the person who committed the breach—or would have been known by exercising reasonable diligence. The 60-day clock runs in calendar days from that discovery date.

Breach confirmation and risk assessment

When an incident occurs, you must determine whether it is a breach under the Breach Notification Rule. An impermissible use or disclosure of PHI is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised. That demonstration is a documented risk assessment considering at least four factors: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification), the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. If the assessment supports a low probability of compromise, notification is not required; keep the analysis and the evidence behind it on file.


Substitute Notice for Insufficient Contact Information

If you lack sufficient or up-to-date contact information for some individuals, provide substitute notice by the 60-day deadline.

  • Fewer than 10 individuals: use an alternative method such as telephone, alternative email, or other reasonable means.
  • 10 or more individuals: provide a conspicuous posting on your website homepage for at least 90 days or notice in major print or broadcast media in areas where affected individuals likely reside. Include a toll-free number active for at least 90 days so people can determine if they were affected.

Substitute notice is only for those you cannot reach directly; continue to send standard notices to everyone else.
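The thresholds above (discovery date, the 60-day outer limit, the 500-or-more HHS rule, the more-than-500-per-state media rule, and the fewer-than-10 / 10-or-more substitute-notice split) are easy to get wrong under pressure because the comparisons differ by one and the clocks start from different dates. The following Python is an added example, not a tool from this article or from Accountable, that turns those rules into a small deadline calculator an incident lead can run against a breach record. The jurisdiction codes, counts and dates are constructed sample data, and the handling of a law-enforcement delay (modelled here as extending the outer limit by the requested number of days) is an assumption of this example, not a statement of the regulation.

```python
"""HIPAA breach-notification deadline calculator (added example, not the article's own tool)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

OUTER_LIMIT_DAYS = 60          # "no later than 60 calendar days after discovery"
HHS_IMMEDIATE_THRESHOLD = 500  # 500 OR MORE affected: report to HHS within the same 60 days
MEDIA_THRESHOLD = 500          # MORE THAN 500 residents of one state/jurisdiction: media notice
SUBSTITUTE_WEB_THRESHOLD = 10  # 10 or more unreachable: web/media posting plus toll-free number
SUBSTITUTE_POSTING_DAYS = 90


@dataclass
class Breach:
    discovered: date
    affected_by_jurisdiction: Dict[str, int]  # state/jurisdiction -> affected residents
    unreachable: int = 0                      # individuals with no usable contact information
    law_enforcement_delay_days: int = 0       # documented request; 0 if none


def discovery_date(knowledge: List[Tuple[str, date, bool]]) -> date:
    """First day the breach was known, or should have been known with reasonable
    diligence, to any workforce member or agent other than the person who committed it.
    knowledge: (who, date known / should have known, committed_the_breach)."""
    dates = [d for _, d, perpetrator in knowledge if not perpetrator]
    if not dates:
        raise ValueError("no non-perpetrator knowledge date; discovery not yet established")
    return min(dates)


def total_affected(b: Breach) -> int:
    return sum(b.affected_by_jurisdiction.values())


def outer_limit(b: Breach) -> date:
    # Assumption of this example: a documented law-enforcement delay extends the
    # 60-day outer limit by the requested number of days. Calendar days, not business days.
    return b.discovered + timedelta(days=OUTER_LIMIT_DAYS + b.law_enforcement_delay_days)


def hhs_report(b: Breach) -> Tuple[str, date]:
    if total_affected(b) >= HHS_IMMEDIATE_THRESHOLD:
        return ("report now, contemporaneous with individual notice", outer_limit(b))
    # Fewer than 500: log it and submit within 60 days after the end of the calendar year.
    year_end = date(b.discovered.year, 12, 31)
    return ("log and include in annual submission", year_end + timedelta(days=OUTER_LIMIT_DAYS))


def media_notice_jurisdictions(b: Breach) -> List[str]:
    # Counted per jurisdiction, not in aggregate: 1,350 people spread over three states
    # with no state above 500 triggers no media notice at all.
    return sorted(j for j, n in b.affected_by_jurisdiction.items() if n > MEDIA_THRESHOLD)


def substitute_notice(b: Breach) -> Optional[str]:
    if b.unreachable <= 0:
        return None
    if b.unreachable < SUBSTITUTE_WEB_THRESHOLD:
        return "alternative means (telephone, alternative email, other reasonable means)"
    return (f"conspicuous website homepage posting or major print/broadcast media for "
            f"{SUBSTITUTE_POSTING_DAYS} days, plus a toll-free number active "
            f"{SUBSTITUTE_POSTING_DAYS} days")


def obligations(b: Breach) -> dict:
    """Everything the incident lead needs to put on the response timeline."""
    deadline = outer_limit(b)
    hhs_how, hhs_when = hhs_report(b)
    media = media_notice_jurisdictions(b)
    return {
        "individual_notice_by": deadline,
        "hhs": hhs_how,
        "hhs_by": hhs_when,
        "media_notice_jurisdictions": media,
        "media_notice_by": deadline if media else None,
        "substitute_notice": substitute_notice(b),
    }


# Constructed sample data. The insider who exfiltrated the records knew on 20 Feb, but
# discovery is the first day anyone ELSE knew: the help-desk ticket on 1 March.
SAMPLE_KNOWLEDGE = [
    ("insider who exfiltrated the export", date(2024, 2, 20), True),
    ("help-desk ticket about odd file shares", date(2024, 3, 1), False),
    ("SIEM alert reviewed by SOC", date(2024, 3, 4), False),
]
SAMPLE_LARGE = Breach(discovery_date(SAMPLE_KNOWLEDGE),
                      {"CA": 600, "NY": 300, "TX": 450}, unreachable=12)
SAMPLE_SMALL = Breach(date(2024, 11, 15), {"OH": 40}, unreachable=3)
SAMPLE_DELAYED = replace(SAMPLE_LARGE, law_enforcement_delay_days=30)

if __name__ == "__main__":
    for name, b in (("large", SAMPLE_LARGE), ("small", SAMPLE_SMALL), ("delayed", SAMPLE_DELAYED)):
        print(name, obligations(b))
```

Run it and the large sample shows individual, HHS and media deadlines all on 30 April 2024 (60 calendar days from the 1 March discovery, not from the insider's own knowledge), media notice owed only in California, and web-posting-plus-toll-free substitute notice for the 12 unreachable individuals; the small sample shows no media notice and an annual-log HHS deadline of 1 March 2025.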

Content of Breach Notifications

Your notices must be in plain language and include all required elements so individuals can act promptly. Ensure consistency across individual, media, and HHS submissions.

Required elements

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • A description of the types of unsecured protected health information involved (for example, names, Social Security numbers, diagnoses, prescriptions).
  • Steps individuals should take to protect themselves (such as monitoring accounts, placing fraud alerts, changing passwords).
  • What you are doing to investigate the breach, mitigate harm, and prevent future incidents.
  • Contact information for questions: a toll-free number, email address, website, or postal address.

Avoid including unnecessary PHI in the notice itself. Use plain, direct language and avoid technical jargon.

Reporting Breaches by Business Associates

Business associate reporting is required when a business associate discovers a breach. The BA must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Subcontractors must notify the BA, who then notifies the covered entity.

The BA’s notice must identify each affected individual to the extent possible and provide any information the covered entity needs to complete individual, media, and HHS notifications (incident dates, types of PHI, mitigation steps, and contact information). Many BAAs require shorter internal deadlines; follow the contract if it is stricter.

A covered entity may delegate individual and media notifications to the BA by agreement, but the covered entity should oversee content, timing, and recordkeeping to ensure covered entity compliance with HIPAA’s notification timelines.

Conclusion

Act quickly, document decisions, and align individual, HHS, and media notices with the Breach Notification Rule. Doing so limits harm to patients, demonstrates diligence to the Department of Health and Human Services, and reduces the risk of civil monetary penalties if OCR investigates.

FAQs

What is the 60-day deadline for HIPAA breach notifications?

It is the maximum time allowed to notify affected individuals after discovery of a breach of unsecured protected health information—measured in calendar days and subject to the “without unreasonable delay” standard. The same outer limit applies to HHS reporting for breaches affecting 500 or more, and to media notification when required. Smaller breaches may be logged and reported to HHS within 60 days after the end of the calendar year.

How does the OCR enforce HIPAA breach reporting?

OCR investigates reported breaches, audits policies and practices, and may require corrective action plans and ongoing monitoring. Where noncompliance is found, OCR can impose civil monetary penalties based on a tiered culpability framework. Factors include the nature and extent of the violation, timeliness of notice, harm caused, and your cooperation and remediation.

When is media notification required under HIPAA?

When a breach involves more than 500 residents of a single state or other jurisdiction. You must notify prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovery, in addition to notifying individuals and reporting to HHS.

What are the obligations of business associates in breach reporting?

Business associates must notify the covered entity of a discovered breach without unreasonable delay and no later than 60 calendar days, identify affected individuals to the extent possible, and supply details the covered entity needs to complete required notices. BAAs may impose shorter internal deadlines or delegate external notifications to the BA; in all cases, both parties should coordinate to meet HIPAA timelines.
