How to Comply with HIPAA Breach Notification Rules: Requirements, Timelines, and Reporting

Kevin Henry

HIPAA

March 04, 2026

7 minute read

You can meet HIPAA’s Breach Notification Rule by knowing exactly when a Protected Health Information Breach is presumed, how to apply the Breach Risk Assessment, and who must receive Covered Entity Notification. This guide explains the requirements, deadlines, and reporting steps so you can act quickly and defensibly.

Breach Notification Requirements

When the rule applies

The Breach Notification Rule applies to breaches of unsecured protected health information (PHI)—that is, PHI not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through strong encryption and proper key management). If PHI is secured, the breach notification obligations generally do not apply.

What counts as a breach

A breach is an acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA’s Privacy Rule that compromises the security or privacy of the PHI. Three narrow exceptions exist: (1) unintentional, good-faith access by a workforce member within scope; (2) inadvertent disclosure between authorized persons within the same organization; and (3) disclosures where the recipient could not reasonably retain the information.

Breach Risk Assessment

Unless an exception applies, you must conduct and document a Breach Risk Assessment to determine if there is a low probability that the PHI has been compromised. Consider: (1) the nature and extent of PHI involved (sensitivity, identifiers, re-identification risk); (2) the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated (for example, confirmed return or destruction).

Required recipients and content

If notification is required, you must notify affected individuals, the Secretary of Health and Human Services (HHS), and, in some cases, the media. Individual notices must include a brief description of the incident, the date of the breach and its discovery, the types of PHI involved, steps individuals should take to protect themselves, actions you are taking to investigate and mitigate, and contact information for questions.

Covered Entity Notification is primary: business associates generally report to the covered entity, which then issues any required individual and media notices and submits the report to the Secretary of HHS.

Individual Notice Timelines

The Unreasonable Delay Standard

Provide written notice to each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. “Discovery” occurs on the first day the breach is known—or by exercising reasonable diligence would have been known—to the organization (including its agents).

Permissible methods

  • Primary method: first-class mail to the individual’s last known address; electronic mail if the individual has agreed to receive notices electronically.
  • Urgent situations: in addition to written notice, you may use telephone or other means if potential imminent misuse requires faster outreach.
  • Deceased individuals: notify the personal representative or next of kin.

Substitute notice rules

  • Fewer than 10 individuals with insufficient or out-of-date contact information: use an alternative form of notice (e.g., telephone, email, or other appropriate means).
  • 10 or more such individuals: provide a conspicuous website posting for at least 90 days or a notice in major print or broadcast media in the affected area, plus a toll-free number active for at least 90 days.

Law enforcement delays

If a law enforcement official states that notice would impede a criminal investigation or threaten national security, you must delay notification for the time specified in a written request (or up to 30 days based on an oral statement, pending written confirmation).

Media Notice Obligations

When media notice is required

If a breach involves more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and in no case later than 60 calendar days from discovery. This notice should include the same core content as individual notices.

Coordinating multi-state incidents

When affected individuals reside in multiple states, assess whether any single state or jurisdiction crosses the 500-resident threshold. If so, issue a media notice for each such state or jurisdiction while ensuring content consistency with individual notices.

Notification to the Secretary of HHS

HHS reporting thresholds

  • Breaches affecting 500 or more individuals: report to HHS without unreasonable delay and no later than 60 calendar days from discovery.
  • Breaches affecting fewer than 500 individuals: log each incident and submit the annual report to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered (typically by March 1).

What the HHS submission should include

Prepare details such as the number of individuals affected, breach date and discovery date, a description of the incident (type and location, e.g., email, paper, lost device), the types of PHI involved, mitigation steps, and copies or summaries of the notice content. Update your submission if new, material facts emerge.

Business Associate Responsibilities

Reporting to the covered entity

Upon discovery of a breach involving unsecured PHI, a business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. The report should identify each affected individual and provide all information the covered entity needs to make timely notifications.

The role of the Business Associate Agreement

Your Business Associate Agreement can require shorter internal reporting timelines (for example, 5–15 days), specify required incident details, define cooperation duties (for forensics, mitigation, and substitute notice), and allocate costs. Confirm that BAAs align with the HIPAA floor while supporting faster Covered Entity Notification when needed.

Documentation and Recordkeeping

Retention and audit readiness

Maintain written policies, procedures, breach logs, risk assessments, mitigation actions, copies of all notices, HHS submissions, media notices, and Business Associate communications for at least six years. Keep timestamped evidence of decision-making (including why an incident was or was not deemed a reportable breach).

Operational practices

  • Use an incident response playbook with defined roles, decision trees for the Breach Risk Assessment, and pre-approved notice templates.
  • Track discovery dates and statutory deadlines in a centralized system to avoid missing the 60-day outside limit.
  • Test your process through tabletop exercises; train workforce members on prompt internal reporting.
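The "centralized system" for tracking discovery dates and statutory deadlines can be as small as a script that turns the thresholds above into a breach-log record. The following is an added example, not code from the article or from Accountable: it takes a discovery date, the affected count per state or jurisdiction, the number of individuals with unusable contact details, and any law-enforcement delay request, and computes the individual-notice outside limit, which states need a media notice, whether the HHS report is immediate or annual, and which substitute-notice path applies. The `Incident` dataclass, the function names, and the two sample incidents are all constructed for this example; treating a law-enforcement delay as extending the 60-day outside limit by the delay period is a modelling assumption, noted in the code.

```python
"""Breach-notification obligation planner (added example; hypothetical names throughout)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Thresholds and limits as the article states them.
OUTSIDE_LIMIT_DAYS = 60          # individual, media and HHS notice: no later than 60 calendar days
MEDIA_THRESHOLD_PER_STATE = 500  # media notice when MORE THAN 500 residents of one state/jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500    # 500 OR MORE individuals: report to HHS within the same 60 days
SUBSTITUTE_THRESHOLD = 10        # 10 or more with bad contact info: conspicuous substitute notice
SUBSTITUTE_POSTING_DAYS = 90     # website posting / toll-free number active at least 90 days
ORAL_LE_DELAY_MAX_DAYS = 30      # oral law-enforcement request: delay at most 30 days pending writing


@dataclass
class Incident:
    discovery: date                      # first day the breach was known or should have been known
    affected_by_state: Dict[str, int]    # state/jurisdiction -> number of affected residents
    insufficient_contacts: int = 0       # individuals whose contact details are missing or stale
    le_delay_days: int = 0               # delay requested by law enforcement (0 = none)
    le_request_in_writing: bool = False  # written request honoured as stated; oral capped at 30


def total_affected(inc: Incident) -> int:
    return sum(inc.affected_by_state.values())


def effective_le_delay(inc: Incident) -> int:
    """Honour a written request in full; an oral statement buys at most 30 days."""
    if inc.le_delay_days <= 0:
        return 0
    if inc.le_request_in_writing:
        return inc.le_delay_days
    return min(inc.le_delay_days, ORAL_LE_DELAY_MAX_DAYS)


def individual_notice_deadline(inc: Incident) -> date:
    """Outside limit: 60 calendar days from discovery. Assumption: a law-enforcement
    delay pushes the outside limit back by the delay period."""
    return inc.discovery + timedelta(days=OUTSIDE_LIMIT_DAYS + effective_le_delay(inc))


def media_notice_states(inc: Incident) -> List[str]:
    """Each state/jurisdiction with more than 500 affected residents gets its own media notice."""
    return sorted(s for s, n in inc.affected_by_state.items() if n > MEDIA_THRESHOLD_PER_STATE)


def hhs_report_deadline(inc: Incident) -> date:
    """500 or more individuals: same 60-day limit as individual notice.
    Fewer than 500: log it and report within 60 days after the end of the calendar
    year of discovery (the article's 'typically by March 1')."""
    if total_affected(inc) >= HHS_IMMEDIATE_THRESHOLD:
        return individual_notice_deadline(inc)
    year_end = date(inc.discovery.year, 12, 31)
    return year_end + timedelta(days=OUTSIDE_LIMIT_DAYS)


def substitute_notice(inc: Incident) -> str:
    """Which substitute-notice path applies for individuals who cannot be reached by mail."""
    if inc.insufficient_contacts == 0:
        return "none"
    if inc.insufficient_contacts < SUBSTITUTE_THRESHOLD:
        return "alternative"   # telephone, email or other appropriate means
    return "conspicuous"       # website posting or major media for 90 days, plus toll-free number


def plan(inc: Incident) -> dict:
    """One record to file in the breach log next to the risk-assessment write-up."""
    immediate = total_affected(inc) >= HHS_IMMEDIATE_THRESHOLD
    return {
        "discovery": inc.discovery.isoformat(),
        "total_affected": total_affected(inc),
        "individual_notice_by": individual_notice_deadline(inc).isoformat(),
        "media_notice_states": media_notice_states(inc),
        "hhs_report_by": hhs_report_deadline(inc).isoformat(),
        "hhs_report_type": "immediate" if immediate else "annual",
        "substitute_notice": substitute_notice(inc),
        "law_enforcement_delay_days": effective_le_delay(inc),
    }


def sample_incidents() -> List[Incident]:
    """Two constructed incidents (not real data): one large multi-state breach with
    an HHS-immediate count, one small breach with an oral 45-day law-enforcement request."""
    large = Incident(date(2026, 3, 4), {"CA": 620, "NV": 40}, insufficient_contacts=12)
    small = Incident(date(2025, 11, 10), {"TX": 30}, insufficient_contacts=3,
                     le_delay_days=45, le_request_in_writing=False)
    return [large, small]


if __name__ == "__main__":
    for incident in sample_incidents():
        print(plan(incident))
```

Note that the two HHS thresholds differ by design: media notice needs more than 500 residents of one state, while the immediate HHS report needs 500 or more individuals in total, so a breach of exactly 500 people spread over two states triggers the immediate HHS report but no media notice. State breach laws may shorten any of these dates, so the earliest applicable deadline, not this record alone, should drive the calendar.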

Civil and Criminal Penalties

Failure to comply can result in significant civil monetary penalties per violation, with higher tiers for willful neglect, and potential criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA. Strong documentation, timely notifications, and effective mitigation are central to reducing exposure.

State Law Compliance

Understand preemption and “more stringent” rules

HIPAA generally sets a federal floor; state laws that are more protective of individuals’ privacy or impose faster or additional notification duties are not preempted. Many state breach laws apply to “personal information” that can overlap with PHI and may require notice to state regulators or consumer reporting agencies.

Deadlines and recipients

Some states impose shorter or event-triggered timelines (for example, “without unreasonable delay” or within 30–45 days), specify content elements, or require notice to the attorney general or sector regulators. Map each incident against the states of residence for affected individuals and meet the earliest applicable deadline.

Harmonize your notices

When both HIPAA and state breach laws apply, craft notices that satisfy both frameworks simultaneously, align on the earliest deadline, and preserve proof of mailing, publication, and submission.

FAQs

What is the timeline for individual breach notifications?

You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days from discovery of the breach. Track the discovery date carefully, as all other deadlines flow from that point.

When is media notification required under HIPAA?

Provide media notice when a breach impacts more than 500 residents of a single state or jurisdiction. Issue the notice without unreasonable delay and no later than 60 calendar days after discovery, and include the same core content as the individual notices.

How must business associates report breaches?

Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, identifying each affected individual and supplying the information the covered entity needs to notify individuals, HHS, and (if applicable) the media. Your Business Associate Agreement may set a shorter internal deadline.

What are the penalties for failing to comply with HIPAA breach notification rules?

Noncompliance can lead to substantial civil monetary penalties, with higher tiers for willful neglect, and potential criminal liability for knowingly obtaining or disclosing PHI unlawfully. Timely notifications, strong mitigation, and complete records significantly reduce enforcement risk.
