HIPAA Breach Reporting Requirements: Deadlines, Who to Notify, and How to Report
Breach Definition and Examples
What counts as a breach of unsecured PHI
Under the HIPAA Breach Notification Rule, a breach is the acquisition, access, use, or disclosure of unsecured Protected Health Information (PHI) in a way not permitted by the Privacy Rule that compromises the security or privacy of the PHI. PHI is “unsecured” when it is not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, when it lacks strong encryption).
Exceptions and safe harbor
- Unintentional good-faith access or use by a workforce member within scope of authority, if not further misused.
- Inadvertent disclosure by an authorized person to another authorized person within the same covered entity, business associate, or organized health care arrangement, if not further misused.
- Disclosures where the recipient could not reasonably have retained the information.
If PHI is properly encrypted or otherwise secured per HHS guidance, notification is generally not required (the “safe harbor”).
Risk assessment to determine notification
You must presume a breach unless a documented risk assessment shows a low probability of compromise, considering at least: (1) the nature and extent of PHI involved, (2) the unauthorized person who used or received it, (3) whether PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.
Illustrative examples
- Lost or stolen unencrypted laptop or thumb drive containing appointment lists.
- Misdirected email with lab results to the wrong patient or outside provider.
- Ransomware or other cyberattack that exfiltrates ePHI from your EHR or backups.
- Workforce “snooping” in a celebrity’s chart without a treatment need.
- Improper disposal of paper records in regular trash rather than secure shredding.
Covered Entities and Business Associates
Who is a covered entity
Covered entities include health plans, most health care providers who transmit health information electronically in standard transactions, and health care clearinghouses. Compliance as a covered entity requires policies, workforce training, and technical safeguards to prevent, detect, and correct impermissible uses and disclosures.
Business associate responsibilities
Business associates and their subcontractors create, receive, maintain, or transmit PHI on your behalf. Their responsibilities include safeguarding PHI, investigating incidents, and notifying the covered entity of breaches without unreasonable delay and no later than 60 calendar days after discovery, supplying all known details (including the identities of affected individuals, when available).
Agreements and agency considerations
Your business associate agreement (BAA) should set prompt internal reporting timelines (often far shorter than 60 days) so you can meet external deadlines. If a business associate is acting as your agent under federal common law, its discovery of a breach may be imputed to you for timing purposes, so build rapid escalation into contracts and playbooks.
Individual Breach Notification Requirements
Timing and “discovery”
Provide timely notification to each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. A breach is “discovered” on the first day it is known, or would have been known with reasonable diligence, by your organization (or, in some cases, by your agent business associate). Start the clock when your security or privacy team reasonably should have known, not after a lengthy investigation.
How to notify individuals
- Written notice by first-class mail to the last known address, or by email if the individual has agreed to electronic notice.
- For deceased individuals, send notice to the next of kin or personal representative, when available.
- Provide notices in plain language and accessible formats upon request.
Documentation
Maintain documentation of your risk assessment, incident investigation steps, decision to notify (or not), copies of all notices, and proof of mailing or email transmission. Retain records for at least six years for compliance purposes.
Notification to Health and Human Services
When and how to notify the Secretary of Health and Human Services
- Breaches affecting 500 or more individuals: Notify the Secretary of Health and Human Services without unreasonable delay and no later than 60 calendar days from discovery, using HHS’s online breach reporting portal.
- Breaches affecting fewer than 500 individuals: Log each incident during the year and submit to the Secretary no later than 60 days after the end of the calendar year (typically by March 1 of the following year).
What to include in the HHS report
Provide your organization’s details, the breach type and location (e.g., email, paper, network server), number of affected individuals, a general description of the event and mitigation, and whether law enforcement requested a delay. Ensure consistency with the individual notices you sent.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Media and Substitute Notice Procedures
Media notice for large breaches
If a breach affects more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovery. A press release is a common method. This media notice supplements, but does not replace, individual notices.
Substitute notice when contact information is insufficient
- For fewer than 10 individuals with out-of-date or insufficient contact information: Use an alternative form of notice, such as telephone, email, or other means.
- For 10 or more such individuals: Provide substitute notice by a conspicuous website posting for at least 90 days or by major print or broadcast media in areas where affected individuals likely reside. Include a toll-free number active for at least 90 days so individuals can determine if they were affected.
Content Requirements of Breach Notifications
Required elements of each notice
- A brief description of what happened, including the date of the breach and the date of discovery, if known.
- A description of the types of PHI involved (for example, name, address, date of birth, medical record number, diagnoses, treatment information, Social Security number).
- Steps individuals should take to protect themselves (for example, monitoring accounts or placing fraud alerts).
- A description of what you are doing to investigate, mitigate harm, and prevent future incidents (such as enhanced monitoring, technical safeguards, or workforce training).
- Contact procedures for individuals to ask questions or obtain additional information, including a toll-free number, email address, website, or postal address.
Notices must be written in plain language, culturally and linguistically appropriate, and provided in accessible formats when required.
Reporting Multiple Breaches
Annual reporting for small incidents
When individual breaches each affect fewer than 500 people, you must log them during the year and file them collectively with HHS no later than 60 days after December 31. Each incident must be listed separately in the annual submission; a single “roll-up” without itemization is not sufficient.
Concurrent obligations for large incidents
For any breach with 500 or more affected individuals, file with HHS within 60 days of discovery and issue media notice if 500+ residents of any one state or jurisdiction are impacted. Do this in addition to sending individual notices.
Coordinating across multiple parties
If a business associate caused or discovered the breach, coordinate so that one party (as designated in the BAA) sends required notifications on behalf of all. Align counts, narratives, and timelines to avoid inconsistencies across notices to individuals, HHS, and the media.
Key takeaways
- Track discovery dates and act quickly—60 calendar days is a hard outer limit for most HIPAA notifications.
- Notify individuals, the Secretary of Health and Human Services, and, for large regional incidents, the media.
- Document your incident investigation and risk assessment to demonstrate compliance as a covered entity.
- Use substitute notice rules when contact information is insufficient, and annual reporting for small breaches.
FAQs
What are the deadlines for HIPAA breach reporting?
Notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery. Notify the Secretary of Health and Human Services within 60 days for breaches affecting 500 or more individuals, and for fewer than 500, submit by 60 days after the end of the calendar year. Provide media notice within 60 days if 500+ residents of a state or jurisdiction are affected. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery.
Who must be notified in a HIPAA breach?
You must notify each affected individual, the Secretary of Health and Human Services (timing depends on breach size), and, for incidents affecting 500+ residents of a state or jurisdiction, prominent media outlets serving that area. Depending on circumstances, you may also need substitute notice when contact information is insufficient. Other laws (such as state breach statutes) may require additional notifications.
How should breaches involving more than 500 individuals be reported?
Send individual notices and report the breach to the Secretary of Health and Human Services via the HHS online breach reporting portal within 60 calendar days of discovery. If 500+ residents of any single state or jurisdiction are affected, issue a media notice in that area within the same 60-day window. Coordinate timing and content across all notices to ensure consistency.
What information must be included in a HIPAA breach notification?
Each notice must include: what happened and when, the types of PHI involved, steps individuals should take to protect themselves, what your organization is doing to investigate, mitigate, and prevent future incidents, and clear contact information (such as a toll-free number, email, website, or address) for questions. Notices must be in plain language and accessible upon request.