How Long Do You Have to Report a HIPAA Violation? The 60‑Day Rule and Other Deadlines Explained


Kevin Henry

HIPAA

July 07, 2025


When you discover a potential HIPAA violation that constitutes a breach of unsecured protected health information (PHI), multiple timelines begin under the Breach Notification Rule. The overarching requirement for a covered entity or business associate is to notify “without unreasonable delay,” and in no case later than 60 calendar days after discovery. Below is a clear breakdown of each notification deadline and how to meet it.

Reporting to Affected Individuals

When the 60‑day clock starts

The clock starts on the date of discovery—when the breach is known, or by exercising reasonable diligence would have been known, to you or any workforce member (other than the person committing the incident). Count calendar days, not business days. Do not wait for final forensics if you can provide accurate core details sooner; you can supplement later.

Notification method and required content

You must send written notice by first‑class mail to the individual’s last known address (or by email if the individual has agreed to receive electronic notices). The notice must include: a brief description of what happened and the discovery date, the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and how to contact you for more information.

Substitute notice when contact information is insufficient

  • Fewer than 10 individuals: Use an alternative method such as telephone, email, or another means of written notice.
  • 10 or more individuals: Post a conspicuous notice on your website home page for at least 90 days or provide notice in major print or broadcast media where affected individuals likely reside; include a toll‑free number active for at least 90 days.

Remember, the Notification Deadline to individuals is “without unreasonable delay” and never later than day 60 from discovery, even when substitute notice is required.

Reporting to HHS for Large Breaches

If a single breach affects 500 or more individuals, you must submit an HHS Breach Report without unreasonable delay and in no case later than 60 calendar days after discovery. File through the HHS reporting portal and include available details (e.g., number of individuals, incident type, states affected, and mitigation steps). You may update the report as your investigation develops.

The 60‑day period is measured from the date the breach is discovered. If a business associate discovers the breach, that discovery date also starts the covered entity’s 60‑day period to notify individuals and HHS.

Annual Reporting for Small Breaches

For breaches affecting fewer than 500 individuals, you still must notify each affected individual within 60 days of discovery. However, reports to HHS for these “small breaches” are aggregated and submitted annually—no later than 60 days after the end of the calendar year in which the breaches were discovered (typically by March 1 of the following year). Maintain an internal Breach Reporting Log with incident dates, counts, and summaries so you can prepare the annual submission on time.

Notifying Local Media

If a breach affects more than 500 residents of a single state or jurisdiction, you must provide notice to prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. A press release usually satisfies this requirement. Media notice is in addition to, not a substitute for, individual notifications.

Business Associate Reporting Obligations

A business associate must notify the covered entity of a breach without unreasonable delay and no later than 60 calendar days after the business associate discovers it. The notice must identify each affected individual (to the extent possible) and include information the covered entity needs to provide individual notices, media notices, and the HHS Breach Report.

Crucially, the covered entity’s 60‑day clock to notify individuals is tied to the business associate’s discovery date—not the date the business associate gets around to telling you. Many business associate agreements set shorter contractual time frames (for example, 5–15 days) to ensure the covered entity can meet its regulatory Notification Deadline.

Law Enforcement Delay Provisions

If a law enforcement official states that a notice would impede a criminal investigation or cause damage to national security, you must delay notifications as follows:

  • Written request from law enforcement: Delay for the time specified in the writing.
  • Oral request: Document the statement and delay for up to 30 days unless a written request extending the delay is received during that period.

During any Law Enforcement Delay, continue containment, forensics, and preparation so you can issue notices immediately once the delay is lifted.

Documentation and Compliance Requirements

Maintain thorough documentation for at least six years: your risk assessment supporting breach determination, decision logs, copies of individual notices, media releases, HHS filings, proof of mailings and returned mail, and any law enforcement communications. Keep an up‑to‑date Breach Reporting Log to track small incidents for annual reporting and to evidence compliance with the Breach Notification Rule.

Before notifying, confirm that an incident is in fact a “breach.” Apply HIPAA’s four‑factor risk assessment: (1) the nature and extent of PHI involved, (2) the unauthorized person who used or received the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated. If PHI was properly encrypted or destroyed in accordance with HIPAA guidance, it is not “unsecured” and breach notification may not be required.
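The deadline rules above (discovery date, the 500-person tiers, the per-state media trigger, the annual small-breach filing and the law-enforcement delay) as a small calculator. This is an added example, not code from the original article or from Accountable; the breach counts are constructed, and it assumes a law-enforcement delay simply extends the 60-day limit by its length.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

HARD_LIMIT_DAYS = 60          # "in no case later than 60 calendar days"
LARGE_BREACH = 500            # 500 or more individuals: HHS report within 60 days
MEDIA_PER_STATE = 500         # more than 500 residents of one state: media notice
ANNUAL_LOG_DAYS = 60          # small breaches: 60 days after the calendar year ends
ORAL_LE_DELAY_CAP = 30        # oral law-enforcement request: at most 30 days

@dataclass
class Breach:
    ce_discovery: date                      # when the covered entity knew / should have known
    affected_by_state: Dict[str, int]       # constructed per-state counts of affected people
    ba_discovery: Optional[date] = None     # set if a business associate discovered it
    le_delay_days: int = 0                  # delay requested by law enforcement, if any
    le_delay_written: bool = False          # True if the request was in writing

def discovery_date(b: Breach) -> date:
    # Per the article, a business associate's discovery date also starts the CE's clock.
    if b.ba_discovery is not None:
        return min(b.ba_discovery, b.ce_discovery)
    return b.ce_discovery

def law_enforcement_delay(b: Breach) -> int:
    # Written request: the time it specifies. Oral request: documented, capped at 30 days.
    if b.le_delay_days <= 0:
        return 0
    return b.le_delay_days if b.le_delay_written else min(b.le_delay_days, ORAL_LE_DELAY_CAP)

def notification_deadlines(b: Breach) -> dict:
    d0 = discovery_date(b)
    total = sum(b.affected_by_state.values())
    # Assumption: a law-enforcement delay pushes the hard 60-day deadline out by its length.
    hard = d0 + timedelta(days=HARD_LIMIT_DAYS + law_enforcement_delay(b))
    out = {"discovery": d0, "individuals": hard, "total_affected": total}
    if total >= LARGE_BREACH:
        out["hhs"] = hard                                   # HHS report shares the hard deadline
    else:
        year_end = date(d0.year, 12, 31)                    # goes into the annual submission
        out["hhs_annual"] = year_end + timedelta(days=ANNUAL_LOG_DAYS)
    media = sorted(s for s, n in b.affected_by_state.items() if n > MEDIA_PER_STATE)
    if media:
        out["media"] = hard
        out["media_states"] = media
    if b.ba_discovery is not None:
        # The BA's own duty: tell the covered entity within 60 days of its discovery.
        out["ba_to_ce"] = b.ba_discovery + timedelta(days=HARD_LIMIT_DAYS)
    return out
```

Feed it each incident as it is logged and the returned dates can go straight into the Breach Reporting Log.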

Conclusion

In short, act fast: notify affected individuals and—when applicable—HHS and local media without unreasonable delay, and never later than 60 days from discovery. Coordinate closely with any business associate, document every step, and use your Breach Reporting Log to meet annual small‑breach reporting. Following these timelines keeps you aligned with HIPAA’s Breach Notification Rule and reduces regulatory risk.

FAQs

What is the 60-day rule for reporting HIPAA breaches?

The 60‑day rule requires you to provide breach notifications “without unreasonable delay” and in no case later than 60 calendar days after discovering a breach of unsecured PHI. This deadline applies to notices to affected individuals and, for breaches involving 500 or more individuals, to the HHS Breach Report and any required media notice.

When must business associates report a HIPAA violation?

A business associate must notify its covered entity without unreasonable delay and no later than 60 calendar days after the business associate discovers the breach. Importantly, the covered entity’s 60‑day timeline to notify individuals runs from the business associate’s discovery date, so contracts often require a much shorter notice window to the covered entity.

How does law enforcement affect HIPAA breach notifications?

If a law enforcement official determines that notification would impede an investigation or harm national security, you must delay notification. A written statement controls the length of the delay; an oral statement permits a documented delay of up to 30 days unless a written statement is provided sooner extending it. Once the delay is lifted, resume notifications immediately.

What are the consequences of late HIPAA violation reporting?

Late or incomplete reporting can lead to OCR investigations, corrective action plans, civil monetary penalties, contractual exposure with business partners, and reputational harm. Regulators also view missed Notification Deadlines as evidence of inadequate compliance programs, which can increase enforcement risk and remediation obligations.
