Report a HIPAA Breach or Violation: Step-by-Step Guide for Compliance Teams
Reporting Breaches Affecting 500 or More Individuals
When the 60-day clock starts
The reporting timeline begins on the date of discovery: the day you first knew, or with reasonable diligence should have known, that unsecured PHI was impermissibly accessed, acquired, used, or disclosed. Activate your Incident Response Plan immediately to contain, investigate, and document the event.
Notification to Secretary of HHS
For breaches impacting 500 or more individuals, you must submit a breach report to the Secretary of HHS without unreasonable delay and no later than 60 calendar days from discovery. Be prepared to provide a clear breach description, the number of affected individuals, breach type, mitigation steps, and your point of contact.
Core steps for covered entity compliance
- Complete a Breach Risk Assessment using the four-factor test to confirm whether notification is required.
- Activate your Incident Response Plan, preserve evidence, and coordinate legal and privacy reviews.
- Prepare individual notices, media notice (if applicable), and parallel HHS reporting to ensure consistency.
Reporting Breaches Affecting Fewer than 500 Individuals
Annual log and deadline
Log each breach affecting fewer than 500 individuals and submit all such events to the Secretary of HHS no later than 60 days after the end of the calendar year in which they were discovered. Maintain an auditable register with dates of discovery, notification status, and risk assessment outcomes.
Mind state timelines
State Breach Notification Laws may impose shorter deadlines or additional regulators to notify. Track these alongside HIPAA to avoid missed requirements, especially for multi-state incidents.
Notification to Affected Individuals
Timing and method
Notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Use first-class mail; email is permitted if the individual has agreed to electronic communications. If there is imminent risk of harm, you may provide telephone notice in addition to written notice.
Substitute notice
If contact information is insufficient for fewer than 10 people, use an alternative method such as telephone. If 10 or more have out-of-date contact information, provide substitute notice via a website posting or major media and offer a toll-free number available for at least 90 days.
Required content
- A brief description of the breach, including the date of breach and discovery.
- The types of PHI involved (for example, names, SSNs, diagnoses).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent recurrence.
- Contact information for questions or assistance.
Documentation Requirements
Breach risk assessment and decision rationale
Document your Breach Risk Assessment using the four-factor analysis: the nature and extent of PHI involved, the unauthorized person, whether the PHI was actually acquired or viewed, and the extent of mitigation. Record the final determination and the reasoning behind it.
Breach documentation retention
Maintain all breach-related records (risk assessments, notifications, forensics, policy updates, and training) for at least six years. Thorough breach documentation retention supports audits and demonstrates covered entity compliance.
Operational records to keep
- Incident logs, timelines, and containment actions.
- Copies of notices to individuals, the Secretary of HHS, and media (if applicable).
- Evidence of workforce training, sanctions, and policy revisions.
- Vendor communications and updated Business Associate Agreement terms.
Business Associate Reporting Obligations
BA to covered entity
A Business Associate must notify the Covered Entity of a breach without unreasonable delay and no later than 60 days after discovery, providing identification of affected individuals and all information needed for notifications. Your Business Associate Agreement may impose a shorter timeframe; many require notice within 10–30 days.
Subcontractors and flow-down
Business Associates must ensure subcontractors comply with the same breach reporting duties. Covered entities should oversee BA performance and enforce contractual remedies if obligations are not met.
Media Notification
When media notice is required
If a breach affects 500 or more residents of a single state or jurisdiction, notify prominent media outlets in that area without unreasonable delay and no later than 60 days after discovery. Align media statements with individual notices and HHS submissions to ensure accuracy.
Practical considerations
- Do not include PHI in public statements.
- Coordinate legal, privacy, and communications teams to manage inquiries.
- If law enforcement determines that notification would impede an investigation, delay notice for the period specified.
Mitigation Efforts
Containment and corrective action
Immediately secure systems, revoke compromised credentials, and patch vulnerabilities. If unencrypted devices are involved, enhance encryption and access controls. For ransomware or ePHI incidents, follow your Incident Response Plan and forensic best practices.
Support for affected individuals
Offer credit monitoring or identity protection where SSNs or financial data are exposed. Provide clear guidance on password changes, fraud alerts, and medical identity theft precautions.
Program improvements
Update policies, strengthen monitoring, retrain staff, and apply workforce sanctions where appropriate. Revisit vendor management, revise your Business Associate Agreement language, and test your Incident Response Plan to prevent recurrence.
In summary, confirm a breach through a documented risk assessment, notify individuals, the Secretary of HHS, and media as required, meet all deadlines, and preserve records for at least six years. Align HIPAA obligations with State Breach Notification Laws to achieve full, defensible compliance.
FAQs
What is the timeframe for reporting a HIPAA breach?
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Report breaches affecting 500 or more individuals to the Secretary of HHS within the same 60-day window. For breaches affecting fewer than 500 individuals, log them and report to HHS no later than 60 days after the end of the calendar year in which they were discovered.
Who must be notified in case of a HIPAA violation?
Notify affected individuals, the Secretary of HHS (within 60 days of discovery for 500 or more affected individuals; annually for fewer than 500), and, if 500 or more residents of a state or jurisdiction are affected, prominent media outlets. If you are a Business Associate, you must notify the Covered Entity so it can fulfill the required notices, unless your contract assigns those duties to you.
What documentation is required after a HIPAA breach?
Maintain the Breach Risk Assessment, evidence supporting your determination, copies of all notices, investigation and forensics records, policy and training updates, and communications with Business Associates. Retain these for at least six years to demonstrate Covered Entity Compliance and support audits.
Are there additional state reporting requirements for HIPAA breaches?
Yes. Many states have separate breach notification laws with different triggers, timelines, and recipients (such as state attorneys general or regulators). Follow HIPAA and any more stringent State Breach Notification Laws concurrently to ensure full compliance.