HIPAA Violation Reporting Requirements Explained: Who Must Report, Deadlines, and How to Comply


Kevin Henry

HIPAA

March 01, 2024

8 minutes read

Covered Entities and Business Associates

HIPAA violation reporting requirements are driven by the Breach Notification Rule, which requires prompt action when unsecured Protected Health Information (PHI) is compromised. The Department of Health and Human Services sets the federal standards, and you must align your internal response plan with these rules from discovery through final submission.

Who is covered

  • Covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions.
  • Business associates: vendors and subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity. Business Associate Agreements (BAAs) define their duties, including incident reporting timelines and cooperation requirements.

What counts as a breach

A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. There are limited exceptions (e.g., good‑faith, unintentional access by a workforce member; inadvertent disclosure among authorized persons; or where the recipient could not reasonably retain the information). If PHI is secured (for example, properly encrypted), notice is generally not required.

When the clock starts

“Discovery” occurs on the first day the incident is known—or would have been known with reasonable diligence—by the covered entity or its agents. From that date, statutory deadlines run in calendar days. Covered entity obligations include notifying affected individuals, HHS, and sometimes the media; business associates must notify the covered entity and support downstream notifications.

Reporting Breaches Affecting 500 or More Individuals

For large breaches, you must act quickly and in a coordinated way.

Notice to HHS

Notify the Secretary of the Department of Health and Human Services without unreasonable delay and in no case later than 60 calendar days after discovery. Submit through the designated reporting process and keep proof of submission as part of your compliance documentation.

What to include

  • A brief description of what happened, including the date of the breach and the date of discovery.
  • The number of individuals affected and the types of PHI involved (for example, names, Social Security numbers, diagnoses, treatment information, insurance IDs).
  • Whether the information was actually viewed or acquired, and mitigation steps taken.
  • Actions you are taking to protect individuals and prevent future incidents.
  • Primary contact information for questions (toll‑free number, email, or postal address).

Program readiness

Complete and preserve a written risk assessment, document containment and remediation activities, and align public statements with the content of individual notices to ensure accuracy and consistency.

Reporting Breaches Affecting Fewer Than 500 Individuals

Small breaches still carry strict duties, even if HHS reporting is deferred.

Annual reporting to HHS

Maintain a breach log and report to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered. Submit all qualifying incidents for that year in a single annual filing and retain transmission confirmations.

Maintain a complete log

  • Incident description, dates of breach and discovery, and number of affected individuals.
  • Types of PHI involved and whether the data was actually viewed or acquired.
  • Mitigation steps and corrective actions implemented.
  • Copies of individual notices and any substitute or media notices used.

Individual notices are still time‑sensitive

Even for breaches under 500, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. HHS reporting timing does not change that individual notice deadline.

Notification to Affected Individuals

Timing and method

Send notice without unreasonable delay and in no case later than 60 calendar days after discovery. Deliver by first‑class mail to the last known address or by email if the individual has agreed to electronic notice. For minors or deceased individuals, notify the appropriate personal representative when applicable.

Substitute notice

  • If contact information is insufficient for fewer than 10 individuals, use alternative means such as telephone, email, or another written form.
  • If contact information is insufficient for 10 or more individuals, provide substitute notice via a conspicuous website posting for at least 90 days or through major print or broadcast media, and offer a toll‑free number active for at least 90 days.

Content requirements

  • A brief description of the incident, including date of breach and discovery.
  • Categories of PHI involved (for example, financial data, clinical details, identifiers).
  • Steps the individual should take to protect themselves (such as placing fraud alerts or monitoring accounts).
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • How to contact you for more information (toll‑free number, email, postal address).

Law enforcement delay

If a law enforcement official states that notice would impede an investigation or threaten national security, you must delay notifications for the period specified by that official. Document the request and its duration.


Media Notification

If a breach affects more than 500 residents of a single state or jurisdiction, you must provide notice to prominent media outlets serving that area without unreasonable delay and in no case later than 60 calendar days after discovery. The media notice should mirror the content of the individual notice and be coordinated with your privacy and communications teams.

Business Associate Notification

Timeline and pathway

Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. BAAs often impose shorter contractual deadlines (for example, 5–15 days) and additional cooperation requirements—comply with the stricter standard in your agreement.

What the BA must provide

  • Identification of each affected individual, if possible.
  • Dates of breach and discovery, a description of what happened, and the types of PHI involved.
  • Known or suspected unauthorized recipients and whether the PHI was actually viewed or acquired.
  • Mitigation steps taken and recommended protective actions for individuals.

Agency relationships matter

If a business associate is acting as the covered entity’s agent, the breach is deemed discovered by the covered entity when the business associate discovers it. This can accelerate the covered entity’s 60‑day clock, so ensure your reporting channels enable immediate escalation.

Documentation Requirements

Risk assessment and decision record

Document your analysis of whether there is a low probability that PHI has been compromised. Evaluate at least four factors: the nature and extent of PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which risk has been mitigated. Tie your notification decision to this analysis.

Retention period

Maintain compliance documentation (policies, procedures, risk assessments, notices, media statements, HHS submissions, breach logs, BA communications, and law enforcement delay requests) for at least six years from the date of creation or last effective date, whichever is later.

Records to maintain

  • Incident intake forms, investigation notes, containment actions, and root‑cause analysis.
  • Copies of individual, media, and substitute notices, plus proof of distribution.
  • HHS confirmations, annual small‑breach reports, and correspondence.
  • Business Associate Agreements and evidence of BA/subcontractor notifications.
  • Technical evidence of safeguards (for example, encryption status) and corrective measures.
  • Training rosters and sanctions applied for workforce noncompliance.

Practical compliance checklist

  • Establish an incident response plan that maps every step to the Breach Notification Rule.
  • Use intake channels that enable rapid triage and “discovery” tracking.
  • Pre‑draft notification templates and media statements to meet 60‑day deadlines.
  • Encrypt PHI and apply robust access controls to reduce breach risk and scope.
  • Audit BAs, enforce clear reporting timelines in BAAs, and verify subcontractor flow‑downs.
  • Track state breach reporting laws and follow whichever standard is more stringent.
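The timing and threshold rules above (discovery date, the 60-calendar-day windows, the 500-individual HHS threshold, the per-state media threshold, the substitute-notice tiers, and the imputed discovery date when a business associate acts as agent) are easy to get wrong under incident pressure, so an incident response team usually encodes them once. The following is an added worked example, not a tool from the article or from Accountable; the dataclass fields, function names and the scenario dates are this example's own assumptions, and the `phi_secured` flag is a simplification of the article's "properly encrypted PHI" exception (the four-factor risk assessment and any law enforcement delay are left to the human decision record).

```python
"""Breach-notification obligation calculator (added example, not the article's own tool).

Encodes the timing and threshold rules the article lays out:
  - discovery date, including imputed discovery when a business associate acts as agent
  - 60-calendar-day individual and HHS notice for breaches of 500 or more individuals
  - annual HHS report (60 days after the calendar year ends) for smaller breaches
  - media notice per state when more than 500 residents of that state are affected
  - substitute-notice tier based on how many individuals lack usable contact details
Field and function names are this example's assumptions; the "secured PHI" flag is a
simplification of the article's encryption exception.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW_DAYS = 60          # "in no case later than 60 calendar days after discovery"
LARGE_BREACH_THRESHOLD = 500     # 500 or more individuals -> HHS notice within the 60-day window
MEDIA_THRESHOLD_PER_STATE = 500  # more than 500 residents of one state -> media notice
SUBSTITUTE_NOTICE_TIER = 10      # fewer than 10 without contact info -> alternative means


@dataclass
class BreachFacts:
    """Inputs an incident-response team records during triage (constructed fields)."""
    ce_discovered: date                   # day the covered entity knew (or should have known)
    affected_by_state: dict[str, int]     # individuals affected, keyed by state of residence
    individuals_without_contact: int = 0  # affected people with no usable address or email
    ba_discovered: Optional[date] = None  # when the business associate discovered it, if any
    ba_is_agent: bool = False             # is the BA acting as the covered entity's agent?
    phi_secured: bool = False             # PHI rendered unusable (e.g. properly encrypted)


@dataclass
class Obligations:
    discovery_date: date
    notice_required: bool
    individual_notice_by: Optional[date]
    hhs_notice_by: Optional[date]
    hhs_route: Optional[str]              # "immediate" or "annual log"
    media_notice_states: list[str]
    substitute_notice: Optional[str]


def effective_discovery(facts: BreachFacts) -> date:
    """Agent BA discovery is imputed to the covered entity, so the earlier date controls."""
    if facts.ba_is_agent and facts.ba_discovered is not None:
        return min(facts.ce_discovered, facts.ba_discovered)
    return facts.ce_discovered


def annual_report_deadline(discovered: date) -> date:
    """Small-breach HHS filing: 60 days after the end of the discovery calendar year."""
    return date(discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)


def substitute_notice_tier(missing: int) -> Optional[str]:
    """Which substitute-notice method applies, given how many individuals cannot be reached."""
    if missing <= 0:
        return None
    if missing < SUBSTITUTE_NOTICE_TIER:
        return "alternative means (telephone, email, or other written notice)"
    return "website posting or major media for 90 days plus toll-free number for 90 days"


def compute_obligations(facts: BreachFacts) -> Obligations:
    discovered = effective_discovery(facts)
    if facts.phi_secured:
        # Secured PHI is not "unsecured PHI", so no notices; still document the decision.
        return Obligations(discovered, False, None, None, None, [], None)
    total = sum(facts.affected_by_state.values())
    hard_deadline = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    if total >= LARGE_BREACH_THRESHOLD:
        hhs_by, route = hard_deadline, "immediate"
    else:
        hhs_by, route = annual_report_deadline(discovered), "annual log"
    media_states = sorted(state for state, n in facts.affected_by_state.items()
                          if n > MEDIA_THRESHOLD_PER_STATE)
    return Obligations(
        discovery_date=discovered,
        notice_required=True,
        individual_notice_by=hard_deadline,  # the individual deadline never shifts with size
        hhs_notice_by=hhs_by,
        hhs_route=route,
        media_notice_states=media_states,
        substitute_notice=substitute_notice_tier(facts.individuals_without_contact),
    )


if __name__ == "__main__":
    # Constructed scenario: a BA acting as agent found the incident two weeks before the CE did.
    big = BreachFacts(ce_discovered=date(2024, 3, 1), affected_by_state={"TX": 620, "OK": 40},
                      individuals_without_contact=12, ba_discovered=date(2024, 2, 15),
                      ba_is_agent=True)
    print(compute_obligations(big))
```

In the constructed scenario the agent relationship pulls discovery back to 15 February, so every 60-day window closes on 15 April rather than 30 April, Texas crosses the per-state media threshold while Oklahoma does not, and 12 unreachable individuals push the organisation into the website-or-media substitute-notice tier. Dates here are calendar days, as the article stresses; they are not adjusted for weekends or holidays.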

Conclusion

To comply with HIPAA violation reporting requirements, identify who must act, start the 60‑day clocks at discovery, notify individuals (and when applicable HHS and the media), and preserve thorough records. Strong governance, tested workflows, and disciplined documentation make timely compliance repeatable.

FAQs

Who is responsible for reporting HIPAA violations?

Covered entities are responsible for notifying affected individuals, the Department of Health and Human Services, and, when applicable, the media. Business associates must notify the covered entity and provide details needed for downstream notices. Workforce members should escalate incidents internally per policy, and any person may file a complaint with HHS about suspected HIPAA violations.

What is the deadline for reporting a breach affecting over 500 individuals?

You must provide notice without unreasonable delay and in no case later than 60 calendar days after discovery. This 60‑day deadline applies to notices to affected individuals, to HHS, and, where required, to prominent media outlets serving the affected state or jurisdiction.

What information must be included in breach notifications?

Each notice should include: a description of what happened (with dates), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate the breach and prevent recurrence, and clear contact information (toll‑free number, email, or postal address) for questions.

How do state laws affect HIPAA reporting requirements?

HIPAA sets a federal floor. If state breach reporting laws impose stricter standards—such as shorter timelines, additional recipients (like a state attorney general), or extra content elements—you must follow the more stringent requirement alongside HIPAA. When timelines differ, use the shortest applicable deadline.
