How to Report a HIPAA Breach to OCR: Step-by-Step Guide


Kevin Henry

HIPAA

August 05, 2024

7 minutes read

Determine Breach Size

Confirm whether an incident is a reportable breach

Start by deciding if the event involves unsecured Protected Health Information and meets the definition of a breach under the HIPAA Breach Notification Rule. If the PHI was rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, properly encrypted or destroyed), notification is typically not required. Document your analysis either way.

Perform a defensible Risk Assessment Process

Assess: the nature and sensitivity of the PHI involved; who used or received the PHI; whether the PHI was actually acquired or viewed; and the extent to which you promptly mitigated the risk (for example, retrieving data, confirming a recipient did not view it, or resetting credentials). Keep contemporaneous notes—this supports Covered Entities Compliance and shows diligence.

Count unique affected individuals

Tally the number of unique individuals whose unsecured PHI was compromised. De-duplicate records and include anyone whose data could reasonably have been accessed. This total determines your reporting path: 500 or more individuals triggers large-breach requirements; fewer than 500 follows the small-breach path. Also note if 500 or more individuals in a single state or jurisdiction are affected, separate media notice is required.

Notify Affected Individuals

Meet the Breach Notification Timeline

Provide written notice to each affected individual without unreasonable delay and no later than 60 calendar days after discovery of the breach. Use first-class mail to the last known address, or email if the individual has agreed to electronic notice.

Include all required content

Your notice must include: a brief description of what happened (including the dates of breach and discovery, if known); the types of PHI involved (for example, names, dates of birth, account numbers); steps individuals should take to protect themselves; what you are doing to investigate, mitigate harm, and prevent recurrence; and clear contact information (toll-free number and email or postal address).

Provide substitute and media notice when needed

If you lack up-to-date contact information for fewer than 10 people, use alternative notice (such as telephone). If contact information is insufficient for 10 or more individuals, provide substitute notice via a conspicuous website posting or major print/broadcast media for at least 90 days. If 500 or more individuals in a single state or jurisdiction are affected, also notify prominent media outlets in that area within 60 days of discovery.

Report to OCR Promptly

Follow the correct pathway based on breach size

  • 500 or more individuals: Report to the Office for Civil Rights (OCR) without unreasonable delay and in no case later than 60 calendar days from discovery.
  • Fewer than 500 individuals: Log the breach and submit it to OCR no later than 60 days after the end of the calendar year in which the breach was discovered.

Clarify reporting roles

Covered entities submit the OCR report. Business associates must notify the covered entity without unreasonable delay (no later than 60 days) and share the information needed for the covered entity to notify individuals, media (if applicable), and OCR. Your business associate agreement may set shorter internal deadlines—follow those as part of Covered Entities Compliance.
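The counting and deadline logic described in the sections above (de-duplicate affected individuals, pick the 500-or-more or fewer-than-500 pathway, check the per-state media-notice and substitute-notice thresholds, and compute the 60-day dates) can be captured in a small triage helper. The following Python is an added example, not code from the original article or from Accountable. The record identifiers, the state field, the sample data and the discovery date are constructed for illustration; the thresholds and windows are the ones the article states, with "60 calendar days" modelled as discovery plus 60 days and the small-breach deadline as 60 days after December 31 of the discovery year.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500      # 500 or more unique individuals: large-breach pathway
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10 or more with insufficient contact info: substitute notice
NOTICE_WINDOW_DAYS = 60           # individual notice and large-breach OCR report window

# Constructed discovery date used by the sample run below.
DISCOVERY = date(2024, 8, 5)


@dataclass(frozen=True)
class AffectedRecord:
    person_id: str           # hypothetical stable identifier, used only to de-duplicate
    state: str               # state or jurisdiction of the individual
    has_valid_contact: bool  # usable mailing address or agreed-to email on file


@dataclass(frozen=True)
class TriagePlan:
    unique_individuals: int
    large_breach: bool
    individual_notice_deadline: date
    ocr_report_deadline: date
    media_notice_states: tuple       # states with 500+ affected individuals
    individuals_without_contact: int
    substitute_notice_required: bool


def dedupe(records):
    """One entry per person; keep a record with contact details when any exists."""
    unique = {}
    for r in records:
        prev = unique.get(r.person_id)
        if prev is None or (r.has_valid_contact and not prev.has_valid_contact):
            unique[r.person_id] = r
    return list(unique.values())


def ocr_report_deadline(discovery: date, large_breach: bool) -> date:
    """Large breach: 60 days from discovery. Small breach: 60 days after year end."""
    if large_breach:
        return discovery + timedelta(days=NOTICE_WINDOW_DAYS)
    year_end = date(discovery.year, 12, 31)
    return year_end + timedelta(days=NOTICE_WINDOW_DAYS)


def triage(records, discovery: date) -> TriagePlan:
    """Derive the reporting pathway and deadlines from the raw affected-record list."""
    people = dedupe(records)
    n = len(people)
    large = n >= LARGE_BREACH_THRESHOLD
    per_state = Counter(p.state for p in people)
    media_states = tuple(sorted(s for s, c in per_state.items()
                                if c >= LARGE_BREACH_THRESHOLD))
    no_contact = sum(1 for p in people if not p.has_valid_contact)
    return TriagePlan(
        unique_individuals=n,
        large_breach=large,
        individual_notice_deadline=discovery + timedelta(days=NOTICE_WINDOW_DAYS),
        ocr_report_deadline=ocr_report_deadline(discovery, large),
        media_notice_states=media_states,
        individuals_without_contact=no_contact,
        substitute_notice_required=no_contact >= SUBSTITUTE_NOTICE_THRESHOLD,
    )


def sample_records(unique_count, state, duplicates, without_contact):
    """Constructed sample: `unique_count` people in `state`, the first `duplicates`
    appearing twice (e.g. two chart entries for one patient), and the first
    `without_contact` lacking usable contact details."""
    recs = [AffectedRecord(f"{state}-{i:05d}", state, i >= without_contact)
            for i in range(unique_count)]
    return recs + recs[:duplicates]


if __name__ == "__main__":
    # 540 raw records but only 480 unique people: small-breach pathway,
    # substitute notice required because 15 people have no usable contact info.
    print(triage(sample_records(480, "TX", 60, 15), DISCOVERY))
    # 640 unique people, 600 of them in one state: large-breach pathway plus
    # media notice in TX.
    print(triage(sample_records(600, "TX", 0, 0) + sample_records(40, "OK", 0, 0), DISCOVERY))
```

The de-duplication key must be something stable across the source systems involved (a patient or member identifier, not a name), otherwise the count that selects the pathway is wrong in both directions. The computed dates are outer limits; the article's "without unreasonable delay" still governs, and the business associate agreement may impose shorter internal deadlines.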


Use OCR Breach Portal

Access and account setup

Use the OCR Breach Portal to submit HIPAA breach reports. Create or sign in to your account, then choose whether you are reporting as a covered entity or business associate and whether the breach affects 500 or more individuals or fewer than 500.

Complete the online form accurately

Work through each screen methodically. Save progress frequently and review entries for accuracy before submission. Keep a copy of everything you submit; it will guide your response if OCR requests additional information.

Provide Required Breach Information

Core details OCR expects

  • Entity information: legal name, type (covered entity or business associate), address, and primary contact.
  • Incident details: type of breach (for example, hacking/IT incident, unauthorized access/disclosure, theft, loss, improper disposal), location of the breached information (network server, email, paper records, device), and a concise description of what happened.
  • Dates and counts: date of breach, date of discovery, and the number of individuals affected.
  • PHI specifics: categories of PHI involved (such as names, SSNs, diagnoses, treatment data, account or financial information).
  • Mitigation and safeguards: steps taken to contain and mitigate harm; current and planned security measures; and whether law enforcement requested a delay in notification.
  • Involved parties: whether a business associate was involved and any relevant details.
  • Attachments: supporting documentation (police report number, forensic summary, sample notification letters).

After submission

Upon successful submission, you will receive an OCR Breach Tracking Number. Retain it with your breach file and use it in any follow-up correspondence or amendments.

Confirm Breach Submission

Verify and monitor

Check for the confirmation email and record the OCR Breach Tracking Number. Verify that all affected individuals were notified on time and that any required media notice occurred. For large breaches, OCR may list the event on its public portal; ensure your posted information is accurate.

Maintain documentation and update OCR

Keep all breach-related documentation and communications for at least six years. If you learn new material facts after submission (for example, a corrected individual count), promptly file an update through the OCR Breach Portal. Be prepared to respond to OCR inquiries and implement corrective actions and workforce training as part of continuous compliance.

Conclusion

To report a HIPAA breach to OCR effectively, determine whether unsecured PHI was compromised, quantify affected individuals, notify them within the Breach Notification Timeline, and submit a complete, accurate report through the OCR Breach Portal. Keep thorough records, use a structured Risk Assessment Process, and align each step with the HIPAA Breach Notification Rule to demonstrate strong Covered Entities Compliance.

FAQs

What is the deadline for reporting a HIPAA breach to OCR?

For breaches affecting 500 or more individuals, you must report to OCR without unreasonable delay and no later than 60 calendar days after discovery. For breaches involving fewer than 500 individuals, you must log them and report to OCR within 60 days after the end of the calendar year in which they were discovered. These timeframes align with the Breach Notification Timeline in the HIPAA Breach Notification Rule.

How do I determine if a breach affects 500 individuals or more?

Count the number of unique individuals whose unsecured Protected Health Information was compromised in the incident. De-duplicate multiple records for the same person and include anyone whose PHI could reasonably have been accessed. If the total is 500 or more, follow the large-breach pathway; also check whether 500 or more individuals in any single state or jurisdiction are affected, which triggers separate media notice. Use your documented Risk Assessment Process to validate that the incident is a breach before counting.

What information is required when submitting a breach report to OCR?

You will provide entity and contact information; a narrative of what happened; breach type and location; dates of breach and discovery; the number of individuals affected; the types of PHI involved; mitigation steps and safeguards; whether law enforcement requested a delay; and any business associate involvement. After submission, OCR issues an OCR Breach Tracking Number for your records.

How do I access the OCR Breach Portal?

Go to the U.S. Department of Health and Human Services, Office for Civil Rights website and navigate to the HIPAA breach reporting section. From there, access the OCR Breach Portal, create or sign in to your account, and select the appropriate report type (500 or more, or fewer than 500). If needed, search for “OCR Breach Portal” to find the entry point quickly.
