HIPAA Reporting Requirements: When to Notify HHS OCR, Individuals, and Media


Kevin Henry

HIPAA

September 21, 2024

8 minutes read

Breach Definition and Notification Criteria

What counts as a breach of protected health information

Under the HIPAA breach notification rule, a breach is any impermissible acquisition, access, use, or disclosure of unsecured protected health information (PHI) that compromises its security or privacy. A breach is presumed unless you complete a documented risk assessment showing a low probability that the PHI has been compromised.

Incidents that are not breaches

  • Unintentional access or use by a workforce member, in good faith and within scope of authority, that does not further misuse PHI.
  • Inadvertent disclosure between authorized persons within the same covered entity or business associate, with no further impermissible use.
  • Disclosures where the recipient could not reasonably retain the information.
  • PHI secured by encryption safe harbor (or by proper destruction) consistent with recognized standards; secured PHI is not “unsecured” and thus does not trigger notification.

When notification is required

Notification is required when there is a breach of unsecured PHI. If required, you must notify affected individuals, the Secretary of HHS through the Office for Civil Rights (OCR), and, in some cases, prominent media outlets. Business associates must notify the covered entity. The notification timeline runs from the date of discovery, not from completion of the investigation.

Key thresholds and discovery

  • Individuals: notify each affected individual.
  • HHS/OCR: always notify; timing depends on the number of affected individuals.
  • Media: notify if 500 or more residents of a single state or jurisdiction are affected.
  • Discovery date: the day the breach is first known—or would have been known with reasonable diligence—to the covered entity or, in some cases, its agent. For covered entity compliance, start counting as soon as any party identifies the breach.

Individual Notification Timelines

Deadline and standard

You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Build your notification timeline around that outer limit and document any delays you cannot avoid.

Form and method of notice

  • Written notice by first-class mail to the individual (or next of kin/guardian if the individual is deceased). Email is permitted if the individual has agreed to electronic notice.
  • If you have insufficient or outdated contact information for fewer than 10 individuals, use alternative means such as telephone, email, or other written notice.
  • If you lack contact information for 10 or more individuals, provide substitute notice by a conspicuous website posting or major media notice for at least 90 days and maintain a toll-free number active for the same period.

Content requirements

Each notice must plainly describe what happened (including breach and discovery dates), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and how to contact you. Clear, actionable content demonstrates covered entity compliance and helps individuals respond effectively.

Law enforcement delay

If a law enforcement official states that notice would impede a criminal investigation or cause damage to national security, you must delay notifications for the time specified, or until the official lifts the request.

Secretary of HHS Notification Procedures

How and when to notify HHS OCR

  • Breaches involving 500 or more individuals: notify HHS OCR without unreasonable delay and no later than 60 calendar days after discovery. Submit electronically through the HHS OCR breach reporting portal.
  • Breaches involving fewer than 500 individuals: maintain a log and submit the report to HHS OCR no later than 60 days after the end of the calendar year in which the breach was discovered.

Information to include

Provide a concise description of the incident, number of individuals affected, types of PHI involved, your risk assessment protocol and mitigation steps, and your primary contact. Update your submission as new information becomes available.

Counting and coordination

Count all affected individuals for HHS reporting, regardless of state of residence. Coordinate your internal notification timeline so individual notices and OCR reporting align, especially for large incidents.

Law enforcement delay

As with individual notices, law enforcement requests can delay OCR reporting. Retain written documentation of the request and the period of delay.

Media Notification Requirements

Trigger and timing

Notify prominent media outlets when a breach involves 500 or more residents of a single state or jurisdiction. Provide the notice without unreasonable delay and no later than 60 calendar days after discovery, in addition to individual notices and OCR reporting.

Scope and content

Issue a press release or equivalent media announcement that includes the same core elements as the individual notice. Use clear language; avoid technical jargon. Coordinate messages to prevent confusion and to support an orderly response by affected individuals.

Multi-state incidents

Apply the 500-resident threshold separately for each state or jurisdiction. A single breach can trigger media notification in multiple states if each state’s resident count meets or exceeds 500.


Business Associate Notification Obligations

Immediate upstream notice

Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Many business associate agreements require shorter deadlines (for example, 24–10 days); follow the most stringent applicable term.

Information to provide

  • Identification of each affected individual, if possible, and the types of PHI involved.
  • Known details about the breach, including dates of breach and discovery and whether PHI was actually acquired or viewed.
  • Mitigation steps taken and recommendations for the covered entity’s notices.
  • Ongoing updates as more facts emerge. Subcontractors must notify the business associate, which then notifies the covered entity.

Responsibility for individual notices

Unless a contract assigns notice duties to the business associate, the covered entity issues individual notices. Either way, the 60-day clock is tight—coordinate early and document responsibilities to maintain covered entity compliance.

Risk Assessment and Documentation

Risk assessment protocol

Evaluate and document four factors to determine the probability of compromise: (1) the nature and extent of PHI involved (types, sensitivity, likelihood of re-identification), (2) the unauthorized person who used or received the PHI, (3) whether PHI was actually acquired or viewed, and (4) the extent to which risks have been mitigated. If the result is anything other than low probability, proceed with notification.

Documentation and retention

  • Maintain written risk assessments, forensic findings, notification decisions, and copies of all notices.
  • Record the discovery date, notification timeline, and any law enforcement delay.
  • Retain required documentation for at least six years to demonstrate compliance.

Preventive controls and encryption safe harbor

Implement strong access controls, workforce training, vendor oversight, and tested incident response. Encrypt PHI at rest and in transit to qualify for the encryption safe harbor, and apply secure disposal standards to minimize breach risk. Prevention reduces both harm and enforcement penalties.

State Law Considerations and Enforcement

HIPAA preemption and stricter state rules

HIPAA sets a federal floor. If state law is more stringent—such as a shorter notification timeline, broader definitions of personal information, or Attorney General reporting—you must meet the state requirement in addition to HIPAA. In multi-state incidents, plan to the shortest applicable deadline.

Attorney General and other notices

Many states require notice to the state Attorney General or consumer protection agency once thresholds are met. Some states require specific content, translations, or credit monitoring offers. Map these obligations in advance so your notification timeline remains achievable.

Enforcement and penalties

HHS OCR enforces HIPAA through investigations, technical assistance, resolution agreements, corrective action plans, and civil monetary penalties that scale by culpability and are subject to annual caps. State Attorneys General may also bring actions, and contractual remedies may apply. Strong risk management, encryption, and timely, accurate notices help reduce enforcement penalties.

Conclusion

Effective HIPAA reporting hinges on accurate breach determination, a defensible risk assessment protocol, and disciplined execution of each notification pathway—individuals, HHS OCR, and media—within the required timeline. Build encryption and governance into daily operations so that, if an incident occurs, you can move quickly, meet each requirement, and protect the people whose PHI you hold.

FAQs

Which agency handles HIPAA breach reports?

The U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) receives HIPAA breach reports and enforces the breach notification rule. You submit reports to OCR and cooperate with any follow-up investigation.

When must individuals be notified of a breach?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. Notices must be written, clear, and include required content; law enforcement may request a temporary delay.

What triggers media notification under HIPAA?

Media notification is required when a breach involves 500 or more residents of a single state or jurisdiction. You must notify prominent media outlets without unreasonable delay and within 60 calendar days, in addition to notifying individuals and HHS OCR.

How does state law affect HIPAA notification timelines?

State law can impose shorter timelines and additional notice obligations. Because HIPAA is a floor, you must comply with the most stringent applicable requirement and coordinate notices so all federal and state deadlines are met.
