HIPAA Breach Reporting to HHS OCR: Steps, Timelines, and Examples
Breach Reporting Requirements
HIPAA breach reporting to HHS OCR applies when unsecured protected health information (PHI) is compromised. A breach is presumed whenever there is unauthorized access to, or acquisition, use, or disclosure of, PHI that compromises its security or privacy, unless you document a low probability of compromise based on a formal risk assessment.
“Unsecured” means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized individuals (for example, data not properly encrypted or media not properly destroyed). If PHI is secured according to recognized encryption or destruction methods, the incident is generally not reportable to HHS.
Covered entities must notify affected individuals, HHS OCR, and in some cases the media. Business associates must notify the relevant covered entities without unreasonable delay and provide all details the covered entity needs to complete HHS reporting.
How to determine if you have a reportable breach
- Confirm PHI was involved and determine whether it was unsecured protected health information.
- Assess the incident using the four-factor risk assessment (nature and extent of PHI, unauthorized person, whether PHI was actually acquired/viewed, and mitigation).
- Document the breach discovery date—when you first knew or reasonably should have known of the incident; your reporting timeline compliance is measured from this date.
Reporting Deadlines for Different Breach Sizes
Breaches affecting 500 or more individuals
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after the breach discovery date.
- Report to HHS OCR via the breach notification portal without unreasonable delay and no later than 60 calendar days after discovery.
- If 500 or more residents of a state or jurisdiction are affected, issue media breach notification within the same 60-day window (details below).
Breaches affecting fewer than 500 individuals
- Notify each affected individual without unreasonable delay and no later than 60 calendar days after the breach discovery date.
- Log the incident and report it to HHS OCR no later than 60 days after the end of the calendar year in which the breach was discovered (for example, incidents discovered in 2025 are due by March 1, 2026).
Deadline examples to guide planning
- Discovery on January 15, 2025 (700 individuals): individual notices and OCR report are due by March 16, 2025.
- Discovery on July 3, 2025 (42 individuals): individual notices are due by September 1, 2025; OCR report is due by March 1, 2026.
Tip: Start your internal 60-day countdown on the breach discovery date, not the date your investigation concludes. Build calendar reminders and executive checkpoints to maintain reporting timeline compliance.
Electronic Reporting Process
HHS requires electronic submission through its breach notification portal. Prepare a concise, factual narrative and the data elements OCR asks for, then follow these steps.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Step-by-step
- Confirm reportability: finalize your risk assessment and determine whether the incident involves unsecured protected health information.
- Quantify scope: count impacted individuals, identify states/jurisdictions, and record both the breach date(s) and the breach discovery date.
- Assemble required details:
  - Covered entity and, if applicable, business associate information.
  - Type of incident (e.g., hacking/IT incident, loss, theft, improper disposal, unauthorized access/disclosure).
  - Location of the breach (e.g., network server, email, EHR, paper/films, portable device).
  - Types of PHI involved (e.g., names, addresses, dates of birth, medical record numbers, diagnoses, financial identifiers).
  - Number of individuals affected (estimate if necessary, then update as your investigation refines counts).
  - Mitigation actions taken and whether individual notices have been completed.
  - Any applicable law enforcement delay documentation.
- Submit via the breach notification portal:
  - For 500 or more: file within 60 days of discovery.
  - For fewer than 500: add to your annual report, to be submitted within 60 days after year-end.
- Retain proof and update: save the confirmation, track OCR correspondence, and file supplemental updates if new material facts emerge. Maintain all documentation for at least six years.
Media Notification Obligations
If a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after the breach discovery date. Media breach notification supplements—never replaces—direct notices to individuals.
Content and methods
- Issue a press release or equivalent notice that includes: a brief description of the incident, the types of information involved, steps individuals should take, what you are doing to investigate and mitigate harm, and how to contact you.
- Use clear, plain language; avoid technical jargon; provide a toll-free number or email for questions.
Substitute notice when contact information is insufficient
- If contact information for 10 or more individuals is insufficient, post a conspicuous website notice for 90 days or use major print/broadcast media where the affected individuals likely reside, and provide a toll-free number active for 90 days.
Common Examples of HIPAA Breaches
- Lost or stolen unencrypted laptop, smartphone, or USB drive containing PHI (unsecured protected health information).
- Ransomware or other hacking/IT incidents that encrypt or exfiltrate PHI from EHRs, file shares, or cloud storage.
- Misdirected communications: emails, faxes, or mailings sent to the wrong patient or recipient with PHI included.
- Workforce snooping: employees accessing records of friends, family members, or public figures without a job-related need.
- Improper disposal: paper charts or films discarded without shredding; devices discarded without secure wipe or destruction.
- Third-party/vendor incidents: billing service or EHR vendor exposes PHI; the business associate notifies the covered entity to trigger reporting.
- Mailbox compromises: phishing leads to unauthorized inbox access with ePHI in messages or attachments.
Note: If the PHI was properly encrypted and the encryption keys were not compromised, the event may not constitute a reportable breach. Always document your analysis and mitigation actions.
FAQs
What is the deadline for reporting a HIPAA breach to HHS OCR?
For breaches affecting 500 or more individuals, you must report to HHS OCR without unreasonable delay and no later than 60 calendar days after the breach discovery date. For smaller incidents, you report to OCR no later than 60 days after the end of the calendar year in which the breach was discovered.
How are breaches affecting fewer than 500 individuals reported?
You must notify each affected individual within 60 calendar days of discovery, then log the incident and submit it to HHS OCR within 60 days after the end of that calendar year via the electronic breach notification portal.
When must media notification be issued after a breach?
If a breach affects 500 or more residents of a single state or jurisdiction, you must provide media breach notification without unreasonable delay and no later than 60 calendar days after the breach discovery date, in addition to individual notices and the OCR report.
What examples qualify as a reportable HIPAA breach?
Common reportable events include unauthorized access to PHI due to hacking or ransomware, lost or stolen unencrypted devices, misdirected emails or mailings containing PHI, workforce snooping, improper disposal of PHI, vendor incidents exposing PHI, and mailbox compromises. Incidents involving properly encrypted PHI without key compromise are typically not reportable.