OCR HIPAA Breach Reporting Explained: Who Must Report, When, and How

Kevin Henry

HIPAA

August 05, 2024

7 minutes read

Breach Notification Rule Overview

The HIPAA Breach Notification Rule requires timely notice following a breach of unsecured Protected Health Information (PHI). Covered Entities—health care providers, health plans, and health care clearinghouses—and their Business Associates must investigate incidents, determine whether a breach occurred, and meet specific reporting deadlines set by the Office for Civil Rights (OCR).

“Unsecured” PHI means the data was not properly encrypted or destroyed. If PHI is secured to recognized standards, the safe harbor may remove the duty to notify. When notification is required, you must inform affected individuals, and depending on scope, notify OCR and sometimes the media. A documented risk analysis guides whether an incident qualifies as a breach and frames what you report.

Reporting to OCR Requirements

Who reports to OCR? The Covered Entity is responsible for reporting; Business Associates notify the Covered Entity, which then fulfills OCR reporting obligations. Your Business Associate Agreement can assign tasks, but accountability to OCR ultimately rests with the Covered Entity.

Size matters for timelines. For a breach affecting 500 or more individuals, you must notify OCR without unreasonable delay and no later than 60 calendar days from discovery. For breaches affecting fewer than 500 individuals, you record each incident on a yearly log and report all such breaches to OCR no later than 60 days after the end of the calendar year in which they occurred. These reporting deadlines run from the date the breach is discovered, so prompt internal escalation is essential.

Reporting Process and Submission

Step 1: Contain, investigate, and preserve evidence

Immediately stop further impermissible use or disclosure, secure systems, and preserve logs. Begin your internal investigation and document each action you take.

Step 2: Determine if PHI was involved and scope the impact

Confirm whether PHI was accessed, acquired, used, or disclosed. Identify data elements (for example, names, diagnoses, treatment details, Social Security numbers) and count affected individuals to understand whether large-breach thresholds apply.

Step 3: Conduct a breach risk assessment

Apply HIPAA’s Risk Assessment Factors to decide if there is a low probability that PHI was compromised. If not, treat the incident as a breach and proceed with required notifications.

Step 4: Prepare individual notifications

Draft clear notices to affected individuals. Include a description of the breach (including dates and discovery date), the types of PHI involved, steps individuals should take, what you are doing to mitigate harm and prevent recurrence, and contact information for questions. Deliver by first-class mail or email if the individual has agreed to electronic notice.

Step 5: Submit to OCR via its breach portal

Use OCR’s online portal to file. Select the correct option (500 or more vs. fewer than 500), then provide:

  • Covered Entity information and point of contact
  • Discovery date and breach date (if known)
  • Number of affected individuals and locations (states/jurisdictions)
  • Type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure)
  • Types of PHI involved and whether the PHI was encrypted or otherwise secured
  • Detailed description of the incident and safeguards implemented
  • Attachments such as sample individual notices or forensic summaries, if available

Retain the submission confirmation and all supporting documentation. If new facts emerge, update your submission to keep OCR informed.

Step 6: Strengthen safeguards and close the loop

Complete mitigation steps, update policies, train workforce members, and document corrective actions. Your write-up should map each action to the risks identified in your assessment.

Media Notification Obligations

If a breach involves 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days from discovery. The media notice should mirror the individual notice content but must not include PHI. Coordinate with legal and communications teams to ensure accuracy and consistency.

When contact information is insufficient for 10 or more affected individuals, provide substitute notice—such as a conspicuous website posting or major print/broadcast notice—and maintain a toll-free number for at least 90 days so individuals can get information.

State Notification Requirements

HIPAA does not preempt more stringent state data breach laws. Many states impose additional requirements, shorter reporting deadlines (some as short as 30 days), or mandate notice to state regulators or consumer reporting agencies. You must:

  • Identify the state of each affected individual’s residence
  • Apply the most protective rule (the shortest timeline and the most comprehensive content/recipient set)
  • Send any required notices to state authorities or credit bureaus when thresholds are met

Build a state-law checklist into your incident response plan so you never miss a state-specific obligation while still meeting the federal reporting deadlines.
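The timelines in this article (the 500-individual OCR threshold, the annual log for smaller breaches, the 500-residents-per-state media trigger, substitute notice for 10 or more unreachable individuals, and the "shortest timeline wins" rule for state law) are easy to get wrong under incident pressure, so an incident response plan benefits from encoding them once. The following Python is an added example, not code from the article or from Accountable; the `BreachRecord`, `AffectedIndividual` and `notification_plan` names are the author's own, the sample populations are constructed, and the per-state deadline values in `state_deadline_days` are placeholders rather than the actual statutes of any state.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds and timelines as described in the article (federal HIPAA rule).
OCR_LARGE_BREACH_THRESHOLD = 500   # >= 500 individuals: file with OCR within 60 days
MEDIA_STATE_THRESHOLD = 500        # >= 500 residents of one state: media notice
SUBSTITUTE_NOTICE_THRESHOLD = 10   # >= 10 unreachable individuals: substitute notice
FEDERAL_DEADLINE_DAYS = 60


@dataclass
class AffectedIndividual:
    state: str              # state/jurisdiction of residence
    reachable: bool = True  # False when mailing/email contact information is insufficient


@dataclass
class BreachRecord:
    discovery_date: date
    individuals: list
    # Hypothetical per-state deadline table (days from discovery). Values used in
    # the samples below are constructed placeholders, not real statutes.
    state_deadline_days: dict = field(default_factory=dict)


def notification_plan(breach: BreachRecord) -> dict:
    """Derive notification recipients and due dates from a breach record."""
    n = len(breach.individuals)
    federal_due = breach.discovery_date + timedelta(days=FEDERAL_DEADLINE_DAYS)
    plan = {"affected": n, "individual_notice_by": federal_due}

    # OCR: immediate filing for large breaches; otherwise the annual log, due
    # 60 days after the end of the calendar year (year of discovery used here).
    if n >= OCR_LARGE_BREACH_THRESHOLD:
        plan["ocr_mode"] = "immediate"
        plan["ocr_by"] = federal_due
    else:
        year_end = date(breach.discovery_date.year, 12, 31)
        plan["ocr_mode"] = "annual_log"
        plan["ocr_by"] = year_end + timedelta(days=FEDERAL_DEADLINE_DAYS)

    # Media notice for each state with 500 or more affected residents.
    by_state = Counter(i.state for i in breach.individuals)
    plan["media_states"] = sorted(s for s, c in by_state.items() if c >= MEDIA_STATE_THRESHOLD)
    plan["media_by"] = federal_due if plan["media_states"] else None

    # Substitute notice when contact information is insufficient for 10+ people.
    unreachable = sum(1 for i in breach.individuals if not i.reachable)
    plan["substitute_notice"] = unreachable >= SUBSTITUTE_NOTICE_THRESHOLD

    # State law: apply the most protective (shortest) timeline per state.
    state_due = {}
    for state in by_state:
        days = breach.state_deadline_days.get(state)
        if days is not None and days < FEDERAL_DEADLINE_DAYS:
            state_due[state] = breach.discovery_date + timedelta(days=days)
    plan["state_deadlines"] = state_due
    plan["earliest_deadline"] = min([federal_due, *state_due.values()])
    return plan


def make_individuals(state: str, count: int, unreachable: int = 0) -> list:
    """Constructed sample population: `count` residents of `state`, the first
    `unreachable` of them lacking usable contact information."""
    return [AffectedIndividual(state, reachable=i >= unreachable) for i in range(count)]


def sample_large_breach() -> BreachRecord:
    # Constructed: 520 CA and 30 NY residents, 12 unreachable, with a placeholder
    # 30-day state deadline for CA (not the actual statute).
    return BreachRecord(
        discovery_date=date(2024, 3, 1),
        individuals=make_individuals("CA", 520, unreachable=12) + make_individuals("NY", 30),
        state_deadline_days={"CA": 30},
    )


def sample_small_breach() -> BreachRecord:
    # Constructed: 40 NY residents, discovered late in the calendar year.
    return BreachRecord(discovery_date=date(2024, 11, 15), individuals=make_individuals("NY", 40))


if __name__ == "__main__":
    for record in (sample_large_breach(), sample_small_breach()):
        for key, value in notification_plan(record).items():
            print(f"{key}: {value}")
        print()
```

The plan deliberately keeps every deadline as a date rather than a day count, so an incident tracker can alarm on the earliest one; the state table is the piece that must be maintained against the state-law checklist, since the example only knows the federal rule.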

Business Associate Reporting Duties

Business Associates must notify the Covered Entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery. The notice should identify each affected individual (or enable identification) and include all information the Covered Entity needs to provide individual, media, and OCR notices. If some details are unavailable at first, the Business Associate must provide them as they are discovered.

Your Business Associate Agreement should define how quickly the Business Associate must escalate potential incidents, what information to include, and who is responsible for drafting and sending notices. Clear roles prevent missed reporting deadlines and help ensure accurate filings with the Office for Civil Rights.

Risk Assessment for Breach Determination

HIPAA presumes an impermissible use or disclosure of PHI is a breach unless you demonstrate a low probability that the PHI has been compromised. You determine that probability by documenting the following Risk Assessment Factors:

  • Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which risks have been mitigated (for example, obtaining a signed attestation of destruction or confirming a misdirected email was not accessed)

HIPAA includes limited exceptions (e.g., certain unintentional, good-faith workforce disclosures or intra-organization disclosures) and a safe harbor for PHI that was properly encrypted or destroyed. Regardless of outcome, keep thorough documentation of your analysis and decision.

Conclusion

Effective OCR HIPAA breach reporting hinges on swift containment, a defensible risk assessment, and disciplined execution of notices to individuals, OCR, and—when required—the media. Define roles with Business Associates, track state-law nuances, and prioritize timely, accurate information so you meet every requirement on time and reduce risk to individuals and your organization.

FAQs

Who is required to report a HIPAA breach to OCR?

The Covered Entity reports to the Office for Civil Rights. Business Associates must notify the Covered Entity and provide details needed for the Covered Entity’s notices. Your Business Associate Agreement may authorize a Business Associate to submit on your behalf, but responsibility for compliance remains with the Covered Entity.

When must a breach affecting 500 or more be reported?

You must notify OCR without unreasonable delay and no later than 60 calendar days from the date of discovery. You must also notify affected individuals within the same timeframe, and if 500 or more residents of a single state or jurisdiction are affected, notify prominent media outlets within 60 days.

How do business associates report breaches?

Business Associates report to the Covered Entity without unreasonable delay and no later than 60 days after discovery, identifying affected individuals and supplying all information the Covered Entity needs for individual, OCR, and media notices. If permitted by contract, a Business Associate may file to OCR on the Covered Entity’s behalf, but the Covered Entity oversees compliance.

What factors determine if an incident qualifies as a breach?

Apply HIPAA’s Risk Assessment Factors: the nature and extent of PHI involved, who received or used it, whether it was actually acquired or viewed, and the extent of mitigation. Unless you document a low probability of compromise—or an exception or encryption safe harbor applies—the incident is a reportable breach.
