OCR HIPAA Breach Reporting Requirements: Timelines, Thresholds, and Documentation Checklist

Kevin Henry

HIPAA

August 05, 2024

If you maintain or transmit Protected Health Information, you must be ready to follow OCR HIPAA breach reporting requirements the moment an incident is discovered. This guide explains the timelines, thresholds, and documentation you need, with practical steps for Covered Entities and Business Associates.

Use it to move from discovery to notification confidently, complete a sound Breach Risk Assessment, and prepare accurate submissions through the HHS Breach Reporting Portal, including Annual Breach Reporting for smaller incidents.

Breach Reporting Timelines

When the clock starts (discovery)

The 60-day clock starts on the date the breach is discovered, or the date it would have been discovered had you exercised reasonable diligence. Knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the organization, so prompt internal escalation is essential.

Core deadlines you must meet

  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • Report breaches affecting 500 or more individuals to OCR via the HHS Breach Reporting Portal without unreasonable delay and no later than 60 calendar days after discovery.
  • Report breaches affecting fewer than 500 individuals to OCR using Annual Breach Reporting no later than 60 calendar days after the end of the calendar year in which the breach was discovered.
  • Notify prominent media outlets when more than 500 residents of a single state or jurisdiction are affected, within the same 60-day window. Note the different thresholds: OCR's immediate report is triggered at 500 or more individuals in total; media notice is triggered at more than 500 residents of one state or jurisdiction.
  • Business Associates must notify their Covered Entity without unreasonable delay and no later than 60 calendar days after discovery.

Law enforcement delay

You may delay individual, media, and OCR notifications if a law enforcement official states that notification would impede a criminal investigation or damage national security. A written statement that specifies the required period permits delay for that period. An oral statement must be documented (including the identity of the official) and permits a delay of no more than 30 days from the date of the statement, unless a written statement is provided during that time. Once the delay ends, send the notices without unreasonable delay.

Timing tips

  • Count calendar days, not business days. Do not use the 60-day outer limit to justify avoidable delay.
  • Start drafting notices early; you can update details as forensics refine dates, scope, or data types.
  • Track the discovery date and the date each notification was sent to prove timeliness.

Notification to Affected Individuals

Who must be notified

Notify every individual whose Unsecured Protected Health Information was involved. PHI is “unsecured” if it was not rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance (encryption consistent with that guidance, or destruction). Loss of a device whose storage was encrypted, with the key not compromised, is therefore generally not a reportable breach; loss of the same device unencrypted is.

Required content

  • A brief description of what happened, including the date of the breach and date of discovery (if known).
  • The types of PHI involved (for example, names, addresses, Social Security numbers, medical record numbers, diagnoses).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate the breach, mitigate harm, and prevent further incidents.
  • How individuals can contact you for more information (toll‑free number, email, website, or postal address).

How to deliver the notice

  • Send written notice by first‑class mail to the individual’s last known address.
  • Send email notice if the individual has agreed to electronic delivery; use reasonable safeguards (for example, avoiding PHI in subject lines).
  • Provide urgent telephone notice in addition to written notice if immediate action is needed to prevent imminent misuse.

Substitute Breach Notice

  • If you have insufficient or out‑of‑date contact information for fewer than 10 individuals, use an alternative method (such as telephone) reasonably calculated to reach them.
  • If contact information is insufficient for 10 or more individuals, provide a conspicuous posting on the home page of your website for at least 90 days, or a conspicuous notice in major print or broadcast media in the areas where affected individuals likely reside. Either way, include a toll‑free number active for at least 90 days so people can determine whether they were affected.

Media Notification Procedures

When media notice is required

Notify prominent media outlets serving the relevant state or jurisdiction when a breach involves more than 500 residents of that state or jurisdiction. Send the media notice without unreasonable delay and no later than 60 calendar days after discovery.

What to include

Provide the same core elements used for individual notices, written in plain language. A press release format is common. Coordinate timing so media coverage does not precede delivery of individual notices.

Avoid common pitfalls

  • Apply the more‑than‑500‑resident threshold per state or jurisdiction, not to the aggregate count across all states. A breach of 900 people spread 300 each across three states requires an OCR report within 60 days but no media notice.
  • Do not confuse media notice with Substitute Breach Notice. Media notice is triggered by the per‑state resident threshold; substitute notice is triggered by insufficient contact information, and the two can apply to the same incident.
  • Document which media outlets were notified and when, and retain copies of press releases and confirmations of distribution.

Documentation and Recordkeeping Requirements

Retention period

Maintain required documentation for at least six years from the date of creation or last effective date, whichever is later. This includes policies, procedures, risk analyses, and all breach‑related records.

What to document for every incident

  • Breach Risk Assessment showing how you concluded there was, or was not, a reportable breach. An impermissible use or disclosure of PHI is presumed to be a breach unless the four‑factor analysis demonstrates a low probability that the PHI has been compromised: the nature and extent of the PHI (including the types of identifiers and the likelihood of re‑identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated.
  • Determination of whether PHI was secured or unsecured and evidence of encryption or destruction, if applicable.
  • Copies of all notices sent to individuals, media, and the OCR submission confirmation (including Submission ID) from the HHS Breach Reporting Portal.
  • Dates: discovery, risk assessment completion, decision to notify, notice dispatch, media notifications, and portal submission.
  • Incident and forensics records, mitigation steps, call center scripts/FAQs, and remediation plans.
  • Business Associate Agreements and communications with Business Associates about the event.
  • Logs of smaller incidents maintained for Annual Breach Reporting.

Checklist to streamline audits

  • Policy and procedure acknowledging the HIPAA Breach Notification Rule and escalation paths.
  • Training records proving workforce awareness of reporting obligations.
  • Sanctions applied, if any, for noncompliance.
  • Evidence of ongoing security improvements tied to lessons learned.

Reporting Methods and Portals

Using the HHS Breach Reporting Portal

Use the HHS Breach Reporting Portal to submit all OCR reports. Select the path for “500 or more” or “fewer than 500” individuals, then enter details such as incident type, location of breached information, PHI elements involved, number of individuals, and mitigation steps.

Large breaches (500 or more individuals)

  • Submit to OCR without unreasonable delay and no later than 60 days after discovery.
  • Expect your case details to appear on the public breach portal; review entries for accuracy after submission.
  • Coordinate portal submission with individual and media notices so facts align across all channels.

Small breaches and Annual Breach Reporting

  • Track all breaches affecting fewer than 500 individuals throughout the year.
  • File them through the portal no later than 60 days after the end of the calendar year in which they were discovered.
  • Submit a separate entry for each incident; do not aggregate unrelated events.

Practical reporting tips

  • Draft a clear, factual incident description that avoids speculative language.
  • Align counts and dates across individual letters, media notices, and portal entries.
  • Retain the portal Submission ID, acknowledgment emails, and any follow‑up correspondence from OCR.

Business Associate Notification Obligations

What Business Associates must do

Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 days after discovery. Include the identities of affected individuals (if known) and all available information the Covered Entity needs to provide individual notices.

Contractual acceleration

Many Business Associate Agreements require shorter notice (for example, within 5–15 days). Honor the stricter contractual timeline, and keep an internal playbook that reflects the shortest applicable deadline.

Who sends which notices

Covered Entities generally notify individuals, media, and OCR. A Business Associate may send notices only if the Business Associate Agreement delegates that role. Clarify responsibilities in writing before an incident occurs.

Compliance with State Breach Laws

Preemption and “more stringent” rules

HIPAA does not override state breach laws that are more stringent. If both HIPAA and a state law apply, you must satisfy both—meeting the shortest timeline and the most detailed content requirements.

Key state‑law differences to watch

  • Shorter notification deadlines (often 30–45 days) that may run from determination of a breach rather than discovery of an incident.
  • Attorney General or regulator notification at specific thresholds or immediately for certain sectors.
  • Additional content requirements (for example, offering identity protection, disclosing the name of the reporting entity and vendors, or prohibitions on including certain data in notices).

Practical coordination steps

  • Build a state‑law matrix covering timelines, regulator contacts, and thresholds for each state where affected individuals reside.
  • Use the shortest applicable deadline as your master project plan, and back‑schedule all workstreams (forensics, letters, media, portal).
  • Document the legal analysis that drove your approach and retain it with the breach file.
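The timeline rules on this page (the 60‑day federal outer limit, the annual‑report deadline for breaches of fewer than 500 individuals, the per‑state media threshold, the 30‑day cap on an oral law‑enforcement hold, and the shortest‑applicable‑deadline rule from the state‑law section above) are easy to miscount by hand. The planner below is an added example written for this page; it is not a tool from the article or from Accountable. The StateRule parameters, the BAA notice term, and the head counts in the demo scenario are constructed assumptions, not real statutes, contracts, or incidents.

```python
"""
Breach-notification deadline planner (added example, not the article's tool).
Turns the federal HIPAA timelines into concrete dates and applies the
"shortest applicable deadline" rule against hypothetical BAA and state terms.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FEDERAL_WINDOW = timedelta(days=60)   # outer limit for individual, media and OCR notice
ORAL_HOLD_LIMIT = timedelta(days=30)  # oral law-enforcement request: hold at most 30 days


@dataclass(frozen=True)
class StateRule:
    """Hypothetical state breach-law parameters (constructed, not a real statute)."""
    state: str
    days: int                      # notification window in calendar days
    runs_from: str = "discovery"   # "discovery" or "determination"
    regulator_threshold: int = 0   # notify AG/regulator at this many residents (0 = never)


def ocr_deadline(discovery: date, total_individuals: int) -> date:
    """500 or more individuals: portal report within 60 days of discovery.
    Fewer than 500: annual report, due 60 days after the end of the discovery year."""
    if total_individuals >= 500:
        return discovery + FEDERAL_WINDOW
    return date(discovery.year, 12, 31) + FEDERAL_WINDOW


def media_notice_states(residents_by_state: dict) -> list:
    """Media notice is assessed per state at MORE THAN 500 residents of that state;
    a large total spread thinly across states triggers none."""
    return sorted(s for s, n in residents_by_state.items() if n > 500)


def law_enforcement_hold_expires(oral_statement_on: Optional[date],
                                 written_until: Optional[date]) -> Optional[date]:
    """Last day notices may be held: a written statement controls for the period it
    specifies; an oral statement alone permits at most 30 days from the day made."""
    if written_until is not None:
        return written_until
    if oral_statement_on is not None:
        return oral_statement_on + ORAL_HOLD_LIMIT
    return None


def controlling_deadline(discovery: date, determination: date, residents_by_state: dict,
                         state_rules: list, baa_days: Optional[int] = None) -> tuple:
    """Earliest of the federal 60-day limit, the BAA notice term (when acting as a
    Business Associate) and each triggered state window; returns (date, source)."""
    candidates = {"HIPAA individual notice": discovery + FEDERAL_WINDOW}
    if baa_days is not None:
        candidates["BAA notice to Covered Entity"] = discovery + timedelta(days=baa_days)
    for rule in state_rules:
        if residents_by_state.get(rule.state, 0) == 0:
            continue                                   # no residents: rule not triggered
        start = determination if rule.runs_from == "determination" else discovery
        candidates[f"{rule.state} state law"] = start + timedelta(days=rule.days)
    source = min(candidates, key=candidates.get)
    return candidates[source], source


def regulator_notice_states(residents_by_state: dict, state_rules: list) -> list:
    """States whose (hypothetical) regulator-notice threshold is met."""
    return sorted(r.state for r in state_rules if r.regulator_threshold
                  and residents_by_state.get(r.state, 0) >= r.regulator_threshold)


def build_plan(discovery_iso: str, determination_iso: str, residents_by_state: dict,
               state_rules: list, baa_days: Optional[int] = None,
               oral_statement_iso: Optional[str] = None,
               written_until_iso: Optional[str] = None) -> dict:
    """Assemble the checklist dates (ISO strings) that go into the breach file."""
    discovery = date.fromisoformat(discovery_iso)
    determination = date.fromisoformat(determination_iso)
    oral = date.fromisoformat(oral_statement_iso) if oral_statement_iso else None
    written = date.fromisoformat(written_until_iso) if written_until_iso else None
    total = sum(residents_by_state.values())
    deadline, source = controlling_deadline(discovery, determination,
                                            residents_by_state, state_rules, baa_days)
    hold = law_enforcement_hold_expires(oral, written)
    return {
        "total_individuals": total,
        "individual_notice_by": (discovery + FEDERAL_WINDOW).isoformat(),
        "ocr_report_by": ocr_deadline(discovery, total).isoformat(),
        "annual_report": total < 500,
        "media_notice_states": media_notice_states(residents_by_state),
        "regulator_notice_states": regulator_notice_states(residents_by_state, state_rules),
        "controlling_deadline": deadline.isoformat(),
        "controlling_source": source,
        "law_enforcement_hold_until": hold.isoformat() if hold else None,
    }


# Constructed scenario: discovered 2024-03-01, breach confirmed by forensics on
# 2024-03-08, 975 people in three states, entity acting as a BA with a 10-day
# BAA notice term, and an oral law-enforcement request received 2024-03-05.
DEMO_RULES = [StateRule("TX", 60, regulator_threshold=250),
              StateRule("OK", 45, runs_from="determination"),
              StateRule("NM", 45, regulator_threshold=1000)]
DEMO_RESIDENTS = {"TX": 620, "OK": 310, "NM": 45}


def demo_plan(baa_days: Optional[int] = 10) -> dict:
    return build_plan("2024-03-01", "2024-03-08", DEMO_RESIDENTS, DEMO_RULES,
                      baa_days=baa_days, oral_statement_iso="2024-03-05")


if __name__ == "__main__":
    for key, value in demo_plan().items():
        print(f"{key:28} {value}")
```

In the demo scenario the aggregate of 975 people puts the incident on the 60‑day OCR track, yet only Texas crosses the per‑state media threshold, and the 10‑day BAA term (not HIPAA's 60 days) becomes the master deadline; drop the BAA term and the controlling date shifts to the hypothetical New Mexico window, which runs from discovery, while Oklahoma's runs from the later determination date. Replace the constructed StateRule entries with the real matrix your counsel maintains before using dates like these in a playbook.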

Conclusion

The path to compliance is consistent: conduct a defensible Breach Risk Assessment, notify individuals promptly, meet 60‑day federal deadlines, leverage the HHS Breach Reporting Portal correctly (including Annual Breach Reporting), and preserve complete documentation for six years. Align with stricter state requirements and your Business Associate Agreements to avoid timing gaps and enforcement risk.

FAQs

What is the timeline for reporting HIPAA breaches to OCR?

For incidents affecting 500 or more individuals, report to OCR without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting fewer than 500 individuals, use Annual Breach Reporting and submit no later than 60 days after the end of the calendar year in which the breach was discovered.

How must affected individuals be notified of a breach?

Send written notice by first‑class mail or by email if the individual agreed to electronic delivery. The notice must describe what happened, the types of PHI involved, steps individuals should take, what you are doing to mitigate and prevent recurrence, and how to contact you. Provide substitute notice if contact information is insufficient.

When is media notification required for a HIPAA breach?

Notify prominent media outlets when more than 500 residents of a single state or jurisdiction are affected. Send the notice without unreasonable delay and no later than 60 calendar days after discovery, and ensure it contains the same core information as individual notices.

What documentation must be maintained for HIPAA breach reporting?

Keep your Breach Risk Assessment, secured/unsecured PHI determination, copies of all notices, OCR portal confirmations, dates evidencing timeliness, incident and mitigation records, BA agreements and communications, and relevant policies, procedures, training, and sanctions. Retain these records for at least six years.
