HIPAA Breach Reporting: Who Covered Entities Notify, When, and How


Kevin Henry

HIPAA

January 05, 2025

7-minute read

The HIPAA Breach Notification Rule requires covered entities and their business associates to notify specific audiences when a breach of unsecured Protected Health Information (PHI) occurs. Knowing who to notify, when to act, and how to structure notices keeps you compliant and protects affected individuals.

This guide walks you through every required recipient, the HIPAA compliance timeline from discovery to notice, acceptable delivery methods, and the exact contents your notices must include—plus the special role of business associates and how state media notification requirements can add to your obligations.

Notification to Affected Individuals

Who must be notified

You must notify each affected individual whose unsecured PHI was involved in a breach. If an individual has a personal representative, notify that representative. If the individual is deceased, send notice to the next of kin or personal representative when appropriate.

When to notify (HIPAA Compliance Timeline)

  • Discovery triggers the clock: “Discovery” is the first day the breach is known, or reasonably should have been known, to your organization.
  • Send notices without unreasonable delay and no later than 60 calendar days after discovery.
  • Perform and document a breach risk assessment. A breach of unsecured PHI is presumed reportable unless you can demonstrate a low probability of compromise based on the factors in the Breach Notification Rule.

Substitute notice when contact details are insufficient

  • For fewer than 10 individuals with outdated or insufficient contact information: use an alternative form of notice such as telephone, email, or other means.
  • For 10 or more individuals: provide a conspicuous website posting for at least 90 days or notice via major print or broadcast media in areas where affected individuals likely reside. Include a toll-free number active for at least 90 days.

Urgent situations

If possible misuse of PHI presents imminent risk of harm, you may supplement written notice with telephone or other rapid methods to mitigate harm quickly.

Notification to the Secretary of HHS

Thresholds and timing

  • Breaches involving 500 or more individuals: notify the Secretary of Health and Human Services (HHS) without unreasonable delay and no later than 60 calendar days from discovery.
  • Breaches involving fewer than 500 individuals: maintain a breach log and submit it to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered.

What to provide

Report the nature of the breach, the number of individuals affected, the types of PHI involved, dates of breach and discovery, mitigation steps, and your contact information. Keep documentation supporting your risk assessment and all notifications as part of your compliance record.

Notification to Media Outlets

When media notice is required

If a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. This media notice is in addition to individual notices and your report to HHS.

Content and coordination

The media notice should mirror the individual notice in substance—clear, plain language describing what happened, what information was involved, what you are doing in response, and how individuals can get help. Coordinate timing so all required notices are consistent and accurate.

State Media Notification Requirements

Some states impose additional triggers or timelines for media notification (and attorney general or consumer protection notices). When state law is stricter or adds recipients, follow both HIPAA and the state rule.


Responsibilities of Business Associates

Business Associate Breach Reporting to covered entities

  • Business associates must notify the covered entity of any breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery.
  • The notice must include, to the extent possible, identification of each affected individual and any available details needed for the covered entity to provide individual, HHS, and media notifications.

Subcontractors and delegation

Business associates must flow down breach reporting obligations to their subcontractors. A covered entity may delegate individual or media notices to a business associate by contract, but the covered entity remains responsible for ensuring all required notifications occur on time.

Risk assessment and documentation

Business associates perform their own risk assessments under the Breach Notification Rule and must retain documentation, cooperate with investigations, and support mitigation and remediation activities.

Methods of Breach Notification

Primary delivery methods

  • First-class mail to the individual’s last known address.
  • Email if the individual has agreed to electronic notice; if the email bounces, use another permitted method.

Substitute and supplemental methods

  • Conspicuous website posting for at least 90 days with a toll-free number (for 10 or more individuals lacking valid contact information).
  • Major media notice targeted to the geography of affected individuals (as substitute notice or when the 500-resident media threshold is met).
  • Telephone or other immediate means when there is potential imminent misuse of PHI.

Tone and clarity

Use clear, plain language free of jargon. Provide actionable steps individuals can take and ensure accessibility for people with disabilities and those with limited English proficiency where feasible.

Contents of Breach Notification

Required elements for individual and media notices

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • A description of the types of unsecured PHI involved (for example, names, addresses, dates of birth, Social Security numbers, medical record numbers, diagnoses, treatment information, or health plan details).
  • Steps individuals should take to protect themselves (such as monitoring accounts, placing fraud alerts, or changing passwords).
  • What you are doing to investigate the breach, mitigate harm, and prevent future incidents (for example, containment, enhanced security controls, workforce training).
  • Your contact information for questions or assistance, including a toll-free number, email address, website, or postal address.

Supplemental and corrective notices

If new material facts emerge after your initial notice, send a supplemental notice promptly. Maintain copies of all notices and supporting evidence as part of your HIPAA compliance timeline and audit trail.

Conclusion

In practice, HIPAA breach reporting centers on three audiences—affected individuals, the Secretary of HHS, and, for large resident impacts, the media. Start the clock at discovery, complete a documented risk assessment, and issue clear notices using approved methods within the 60-day window. Coordinate with business associates, account for state media notification requirements, and include every required element to meet the Breach Notification Rule and protect the people you serve.

FAQs

Who must covered entities notify after a HIPAA breach?

You must notify affected individuals (or their personal representatives), the Secretary of Health and Human Services (HHS), and, if 500 or more residents of a single state or jurisdiction are affected, prominent media outlets serving that area. If a business associate is involved, it must report the breach to the covered entity, which ensures all required notifications are completed.

When must breach notifications be sent to affected individuals?

Send notices without unreasonable delay and no later than 60 calendar days after discovery of the breach. “Discovery” is when the incident is known or should reasonably have been known. Use substitute notice if contact details are insufficient, and consider telephone outreach when there is imminent risk of harm.

What triggers the requirement to notify the Secretary of HHS?

Any breach of unsecured PHI triggers HHS notification. If the breach affects 500 or more individuals, report to HHS without unreasonable delay and within 60 days of discovery. If fewer than 500 individuals are affected, log the breach and submit it to HHS no later than 60 days after the end of the calendar year in which it was discovered.

Are business associates required to report breaches directly?

Business associates report breaches to the covered entity without unreasonable delay and within 60 days of discovery. They do not report directly to HHS or the media unless the business associate agreement delegates that responsibility. In turn, subcontractors must report to the business associate, which then reports to the covered entity.

When is media notification required following a breach?

Media notice is required when a breach affects 500 or more residents of a single state or jurisdiction. It must be provided without unreasonable delay and no later than 60 days from discovery and should mirror the content of the individual notice. Check state media notification requirements, which may impose additional triggers or timelines.
