HIPAA Violation Reporting Guidelines: How to Report a Violation, What to Include, and Deadlines
Reporting to the Secretary of HHS
Under HIPAA’s Breach Notification Requirements, covered entities—and, through them, business associates—must report breaches of unsecured Protected Health Information (PHI) to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Unsecured” means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, unencrypted data).
Who must report
Covered entities (health plans, most health care providers, and clearinghouses) report directly to HHS. Business associates must notify the covered entity, which then submits the report to HHS. Your internal policies should name who is responsible and how incidents escalate.
When to report
- Breaches affecting 500 or more individuals: report to HHS without unreasonable delay and no later than 60 calendar days after discovery.
- Breaches affecting fewer than 500 individuals: track incidents on a log and submit Annual Reporting to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered.
How to report
Use HHS’s breach reporting process to submit details for each incident. Prepare a concise incident summary, the discovery date, the number of affected individuals, and the steps taken to mitigate harm and prevent recurrence. Keep documentation supporting your risk assessment and notification decisions.
Reporting to Affected Individuals
You must notify each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery of a breach of unsecured PHI. Notice should be written in plain language so people can act quickly to protect themselves.
Method of notice
- Primary method: first-class mail to the individual (or the personal representative). If the individual has agreed to electronic notice, email may be used.
- If contact information is insufficient or out of date for fewer than 10 individuals, use an alternative method such as telephone or other appropriate means.
Substitute notice for 10 or more individuals
- Provide a conspicuous posting on your website home page or notice through major print or broadcast media in areas where affected individuals likely reside.
- Substitute notice must remain in place for at least 90 days and include a toll-free number active for the same period so individuals can determine whether they were affected.
Special timing rules
Discovery occurs on the first day the breach is known—or would have been known with reasonable diligence—to the covered entity, business associate, or any workforce member or agent. If a law enforcement official determines that notice would impede a criminal investigation or cause damage to national security, you must delay notifications for the period specified by the official.
Business associate to covered entity notice
Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery, and must identify each affected individual and provide information the covered entity needs to send timely, complete notices.
Reporting to the Media
If a breach involves more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. Media notice supplements, but does not replace, individual notification.
What to include and how to minimize PHI
Keep the announcement factual and limited to the required elements. Do not include more PHI than necessary. Coordinate the media statement with your individual notices to ensure consistency and accuracy.
Content of Notifications
HIPAA specifies what your notifications must contain. Build templates so you can populate them quickly and consistently during an incident.
Required elements for notices to individuals
- A brief description of what happened, including the date of the breach and the date of discovery (if known).
- A description of the types of unsecured PHI involved (for example, full name, Social Security number, diagnosis, treatment information).
- Steps individuals should take to protect themselves (for example, monitoring accounts, placing fraud alerts, changing passwords).
- A brief description of what you are doing to investigate the incident, mitigate harm, and prevent future breaches.
- Contact methods for questions or more information (toll-free phone number, email address, website, or postal address).
Information for HHS and media notices
Reports to HHS and media announcements should reflect the same core facts while avoiding unnecessary PHI. Include the scope of the incident, the number of affected individuals, the general type of PHI involved, mitigation steps, and a contact point for inquiries.
Filing a Complaint with OCR
Anyone who believes a covered entity or business associate is not complying with HIPAA may file a complaint with the HHS Office for Civil Rights.
Who can file and when
Individuals, patients, workforce members, and others may file. Complaints generally must be filed within 180 days of when you knew (or should have known) of the alleged violation; OCR may extend this for good cause.
What to include
- Your name and contact information (you may request that OCR keep your identity confidential).
- The name of the covered entity or business associate and, if applicable, the specific department or practice.
- A clear description of what happened, key dates, and how it affected you or others.
- Any supporting documentation, such as letters, emails, or policies.
What happens next
OCR reviews the complaint for jurisdiction and may open an investigation. Outcomes can include technical assistance, a corrective action plan, or civil monetary penalties. Covered entities are strictly prohibited from retaliating against anyone for participating in the complaint process.
Whistleblower Protections
HIPAA bars covered entities and business associates from intimidating, threatening, coercing, discriminating against, or retaliating against any person for asserting rights, filing a complaint, or participating in an investigation related to HIPAA compliance.
Good-faith disclosures
Workforce members may, in good faith, disclose PHI to a health oversight agency, public health authority, attorney general, or an attorney retained by the workforce member when they believe the covered entity or business associate has engaged in unlawful conduct or otherwise violated professional or clinical standards. Limit disclosures to what is necessary for the concern.
Practical steps to protect yourself
- Document your concerns and the basis for your good-faith belief.
- Route disclosures to appropriate oversight bodies or your personal legal counsel.
- Avoid sharing more PHI than necessary to raise the concern.
Reporting Deadlines
- Individuals: notify without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI.
- Secretary of HHS (500 or more individuals): notify without unreasonable delay and no later than 60 calendar days after discovery.
- Secretary of HHS (fewer than 500 individuals): log incidents and submit Annual Reporting no later than 60 days after the end of the calendar year in which the breaches were discovered.
- Media (more than 500 residents of a state or jurisdiction): notify without unreasonable delay and no later than 60 calendar days after discovery.
- Business associate to covered entity: notify without unreasonable delay and no later than 60 calendar days after discovery.
- Law enforcement delay: permitted if a law enforcement official states that notice would impede an investigation or cause harm; delay lasts for the time specified by the official.
Key takeaways
Act fast, document each step, and communicate clearly. Notify affected individuals, HHS, and—when required—the media within HIPAA’s notification timeframes. Include only the required content, keep substitute notice ready, and enforce strong anti-retaliation and whistleblower safeguards. Consistent preparation makes compliance smoother when a breach occurs.
FAQs
How soon must a HIPAA breach be reported to the Secretary of HHS?
If a breach affects 500 or more individuals, report to HHS without unreasonable delay and in no case later than 60 calendar days after discovery. For breaches affecting fewer than 500 individuals, maintain a breach log and submit Annual Reporting to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered.
What information should be included in breach notifications?
Each notice should describe what happened (including the breach and discovery dates), the types of PHI involved, steps individuals should take to protect themselves, what the organization is doing to investigate and mitigate, and clear contact information for questions.
How can individuals file a complaint with OCR?
File a complaint with the HHS Office for Civil Rights via its complaint process or by mailing a written complaint. Include your contact information, the name of the covered entity or business associate, a detailed description of the events with dates, and any supporting documents. Complaints generally must be filed within 180 days of when you knew of the issue.
What protections exist for whistleblowers?
HIPAA prohibits retaliation for reporting concerns, filing a complaint, or participating in an investigation. Workforce members who act in good faith may disclose concerns—including limited PHI—to appropriate oversight bodies or to their own attorney, provided disclosures are no broader than necessary.