Reporting a HIPAA Violation: Compliance Guide with Timelines, Evidence, and Examples

Kevin Henry

HIPAA

April 13, 2024

HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule establish how you must respond when protected health information (PHI) is improperly used or disclosed. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services enforces these requirements through complaint investigations, compliance reviews, and breach investigations.

Who must comply

  • Covered Entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA standard transactions (which is most providers).
  • Business Associates: vendors and subcontractors that create, receive, maintain, or transmit PHI for a Covered Entity (for example, billing services, cloud hosts, EHR vendors).

Both Covered Entities and Business Associates must implement administrative, physical, and technical safeguards and follow required Notification Timelines if a breach occurs.

What counts as a HIPAA breach

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its privacy or security. Any impermissible use or disclosure is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised, and that demonstration must rest on a documented risk assessment considering:

  • The nature and extent of PHI involved (identifiers and sensitivity).
  • The unauthorized person who used/received the PHI.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (e.g., retrieval, assurances).

Common exceptions include: unintentional access by a workforce member acting in good faith within the scope of their role; inadvertent disclosure between persons authorized to access PHI at the same organization; or a disclosure where the recipient could not reasonably have retained the information. PHI encrypted in line with recognized standards (HHS points to NIST guidance) is not “unsecured,” so notification is generally not required, provided the decryption key was not also exposed in the same incident.

Oversight and enforcement

OCR investigates complaints and can initiate Compliance Reviews after significant incidents. Outcomes may include corrective action plans (CAPs), monitoring, and civil money penalties for non-compliance.

Timelines for Reporting Breaches

HIPAA’s Breach Notification Rule sets specific Notification Timelines. Day 1 is the date the breach is “discovered”: the first day it is known to you, or would have been known had you exercised reasonable diligence. Knowledge held by any workforce member or agent (other than the person who committed the breach) is treated as your organization’s knowledge, so the clock does not wait for the incident to reach the privacy officer.

Notification to affected individuals

  • Provide written notice without unreasonable delay and no later than 60 calendar days after discovery.
  • Send by first-class mail (or email if the individual has agreed to electronic notice).
  • If contact information is insufficient or out-of-date:
    • Fewer than 10 individuals: use an alternative method (e.g., phone, email, or other means).
    • 10 or more individuals: provide substitute notice (e.g., conspicuous website posting for at least 90 days or major media), plus a toll-free number active for at least 90 days.

Notification to HHS (OCR)

  • 500 or more individuals affected: notify OCR contemporaneously with the individual notices, without unreasonable delay and no later than 60 days after discovery.
  • Fewer than 500 individuals affected: log the breach and report it to OCR no later than 60 days after the end of the calendar year in which it was discovered (one annual submission can cover all such breaches from that year).
  • If the breach affects 500+ residents of a single state or jurisdiction, notify “prominent media outlets” serving that area within 60 days.

Business Associate notifications to Covered Entities

  • Notify the Covered Entity without unreasonable delay and no later than 60 days from discovery.
  • Provide the identities (if known) of affected individuals and other information the Covered Entity needs for individual notices.
  • Best practice: BAAs should set shorter internal deadlines (e.g., 5–10 days) so the Covered Entity can meet its 60-day obligation.

Law enforcement delay

If a law enforcement official states that notification would impede a criminal investigation or damage national security, delay the notices. A written statement from the official sets the delay period it specifies; an oral statement must be documented (including the official’s identity) and supports a delay of no more than 30 days unless a written statement follows. Keep the request and its duration in the incident file.

Documentation and retention

Keep all breach-related analyses, decisions, and notices for at least six years. If you determine an incident is not a breach because of a low probability of compromise, retain the written risk assessment supporting that conclusion: the rule places the burden of proof on you to show either that all required notifications were made or that the incident did not qualify as a breach.
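The deadlines above branch on the number of people affected, on how many live in one state, and on how many cannot be reached, and the annual-log deadline crosses a calendar-year boundary. The following planner, an added example rather than anything from the original article or any OCR tool, encodes those branches so a tracker can compute due dates from a discovery date. The day counts and thresholds are the ones stated in this section; the data classes, function names, and the assumption that substitute notice is posted no later than the individual-notice deadline are this example’s own.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Day counts and thresholds as stated in the Breach Notification Rule summary above.
NOTICE_DAYS = 60             # individuals, OCR (500+), media: no later than 60 days after discovery
ANNUAL_LOG_DAYS = 60         # OCR (<500): 60 days after the end of the calendar year of discovery
LARGE_BREACH = 500           # OCR immediate-reporting and media thresholds
SUBSTITUTE_NOTICE_DAYS = 90  # website posting / toll-free number minimum
SUBSTITUTE_NOTICE_SPLIT = 10 # fewer than 10 unreachable vs 10 or more


@dataclass
class Breach:
    discovered: date                        # day the breach was known or should have been known
    affected_total: int
    affected_by_state: Dict[str, int] = field(default_factory=dict)
    unreachable: int = 0                    # individuals with insufficient or out-of-date contact info


@dataclass
class Plan:
    individuals_by: date
    hhs_by: date
    hhs_mode: str                           # "contemporaneous" or "annual-log"
    media_states: List[str]
    substitute_notice: Optional[str]
    toll_free_until: Optional[date]


def plan_notifications(b: Breach) -> Plan:
    # Discovery, not the date of the breach itself, starts every clock.
    individuals_by = b.discovered + timedelta(days=NOTICE_DAYS)

    if b.affected_total >= LARGE_BREACH:
        hhs_by, hhs_mode = individuals_by, "contemporaneous"
    else:
        # Year-end arithmetic: a December discovery rolls into the following year's log deadline.
        year_end = date(b.discovered.year, 12, 31)
        hhs_by, hhs_mode = year_end + timedelta(days=ANNUAL_LOG_DAYS), "annual-log"

    # Media notice is per state/jurisdiction, so a 2,300-person breach spread thinly may trigger none.
    media_states = sorted(s for s, n in b.affected_by_state.items() if n >= LARGE_BREACH)

    substitute, toll_free_until = None, None
    if 0 < b.unreachable < SUBSTITUTE_NOTICE_SPLIT:
        substitute = "alternative written notice, telephone, or other means"
    elif b.unreachable >= SUBSTITUTE_NOTICE_SPLIT:
        substitute = "conspicuous website posting or major media for at least 90 days"
        # Assumption of this example: the posting goes up no later than the individual deadline,
        # so the toll-free number must stay active at least 90 days beyond that date.
        toll_free_until = individuals_by + timedelta(days=SUBSTITUTE_NOTICE_DAYS)

    return Plan(individuals_by, hhs_by, hhs_mode, media_states, substitute, toll_free_until)


def plan_for(discovered: str, affected_total: int,
             affected_by_state: Optional[Dict[str, int]] = None, unreachable: int = 0) -> Plan:
    """Convenience wrapper taking an ISO date string, e.g. plan_for("2024-12-15", 120, {"CA": 120}, 3)."""
    return plan_notifications(Breach(date.fromisoformat(discovered), affected_total,
                                     affected_by_state or {}, unreachable))


if __name__ == "__main__":
    # Constructed scenario: a small breach discovered mid-December.
    p = plan_for("2024-12-15", 120, {"CA": 120}, unreachable=3)
    print(f"individuals by {p.individuals_by}, OCR by {p.hhs_by} ({p.hhs_mode}), media: {p.media_states}")
```

Note what the December case shows: the individual notices are due 13 February, but the OCR report for a sub-500 breach is not due until 60 days after 31 December, so the two deadlines diverge. Treat the output as a planning aid to be checked against counsel, not as legal advice.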

Collecting and Preserving Evidence

Strong evidence underpins a defensible Breach Investigation and timely notifications.

What organizations should collect

  • Incident timeline: discovery date/time, containment actions, and escalation steps.
  • System artifacts: EHR audit logs, access logs, SIEM alerts, email headers, DLP hits, firewall/VPN records, and endpoint forensics.
  • Communications: screenshots or exports of misdirected messages, letters, or portals showing unauthorized disclosures.
  • Device details: asset tags/serial numbers for lost/stolen devices and their encryption status.
  • Mitigation proof: confirmations of retrieval or deletion, attestations from unintended recipients, and password resets.
  • Risk assessment worksheet: the four-factor analysis and final determination.

What individuals should collect

  • Dates, locations, and people involved; what PHI was exposed; and how you discovered it.
  • Copies of letters or emails you received about the incident and notes from calls.
  • Photos or screenshots of problematic mailings, portal entries, or social posts (avoid sharing unnecessary PHI).

Preservation practices

  • Keep a clean chain of custody for devices and exports; do not alter original logs.
  • Limit access to evidence and store it securely; apply the “minimum necessary” principle to any PHI you handle.
  • Coordinate with legal and compliance early to align on scope and documentation needs.
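“Do not alter original logs” and “keep a clean chain of custody” are easier to prove if every export is hashed at collection time and every hand-off is logged. The script below is an added example, not code from the original article, showing one way to do that: it fixes the SHA-256 and size of each export in a manifest, appends custody transfers, and later reports which files no longer match. The sample exports are constructed in a temporary directory; the field names and the `demo()` scenario are this example’s own choices.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte EHR or SIEM exports are hashed without loading them into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_manifest(paths: List[str], collected_by: str, source: str) -> Dict:
    """Record each export's size and SHA-256 at collection time and open the custody log."""
    items = [{"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)} for p in sorted(paths)]
    return {
        "source": source,
        "items": items,
        "custody": [{"at": _now(), "by": collected_by, "action": "collected"}],
    }


def record_transfer(manifest: Dict, from_person: str, to_person: str, reason: str) -> None:
    """Hand-offs are appended, never edited, so the custody trail stays chronological."""
    manifest["custody"].append(
        {"at": _now(), "from": from_person, "to": to_person, "reason": reason, "action": "transferred"}
    )


def verify_manifest(manifest: Dict) -> List[str]:
    """Return the paths whose current content no longer matches the recorded hash (empty list = intact)."""
    changed = []
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p) or sha256_file(p) != item["sha256"]:
            changed.append(p)
    return changed


def manifest_digest(manifest: Dict) -> str:
    """Hash of the canonical JSON form; keep this digest somewhere the evidence handlers cannot write."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def demo() -> Dict:
    """Constructed scenario: two exports, one custody transfer, then a simulated edit of the audit log."""
    with tempfile.TemporaryDirectory() as d:
        audit = os.path.join(d, "ehr_audit_export.csv")
        mail = os.path.join(d, "misdirected_message.eml")
        with open(audit, "w") as f:  # constructed sample data, not a real log
            f.write("timestamp,user,patient_id,action\n2024-04-02T19:31:02,clerk_ray,P3003,view\n")
        with open(mail, "w") as f:   # constructed sample message headers
            f.write("From: staff@example-clinic.test\nTo: wrong.person@example.test\nSubject: Discharge summary\n")

        m = build_manifest([audit, mail], collected_by="privacy-officer", source="ehr-prod-01")
        record_transfer(m, "privacy-officer", "outside-counsel", "breach risk assessment")
        digest_at_collection = manifest_digest(m)
        intact_before = verify_manifest(m) == []

        # Simulate someone "tidying" the original log after collection: the manifest must catch it.
        with open(audit, "a") as f:
            f.write("2024-04-03T19:12:48,clerk_ray,P3003,view\n")
        changed = [os.path.basename(p) for p in verify_manifest(m)]

        return {
            "intact_before": intact_before,
            "changed_after_edit": changed,
            "custody_entries": len(m["custody"]),
            "manifest_unchanged": manifest_digest(m) == digest_at_collection,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest and its digest outside the evidence share (for example with legal), so that a later dispute about whether a log was altered can be settled by rehashing rather than by recollection.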

Reporting Procedures for Covered Entities

1) Triage and contain

  • Activate your incident response plan; isolate affected systems or accounts; recover misdirected PHI when possible.
  • Engage privacy, security, compliance, legal, and relevant leadership immediately.

2) Investigate and assess

  • Launch a fact-based Breach Investigation using the evidence above.
  • Complete the four-factor risk assessment; decide if an exception applies or if the incident is not a breach (e.g., encrypted PHI).

3) Decide and document

  • If no breach: record your rationale and mitigation. If breach: proceed to notifications.
  • Track the discovery date that starts all Notification Timelines.

4) Prepare required notifications

Individual notices must be written in plain language and include:

  • A brief description of what happened, including the date of the breach and discovery.
  • The types of PHI involved (e.g., names, diagnoses, SSNs).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • Contact methods (toll-free number, email, or postal address).

Send notices to individuals, OCR, and media (if required) within the specified timelines. Use substitute notice methods when contact information is insufficient.

5) Execute corrective actions

  • Implement remediation (policy updates, technical controls, workforce training, and sanctions when appropriate).
  • Review Business Associate Agreements; tighten reporting timeframes and security obligations.
  • Prepare for potential OCR inquiries or Compliance Reviews by organizing your evidence and decisions.

6) Close and improve

  • Complete after-action reviews; address root causes; and test controls.
  • Maintain all breach logs, notices, and risk assessments for at least six years.

Reporting Procedures for Individuals

Step-by-step

  1. Contact the organization’s privacy officer to report the issue and request written confirmation of their review.
  2. File a complaint with OCR if you believe HIPAA was violated. You generally must submit within 180 days of when you knew or should have known of the problem (extensions may be granted for good cause).
  3. Consider state avenues (e.g., your state attorney general) if state privacy or consumer laws may also apply.
  4. Protect yourself if sensitive data was exposed: monitor accounts, place fraud alerts or freezes, and change credentials.

What to include in a complaint

  • Names of the organization(s) and people involved; dates; locations; and a clear description of what happened.
  • Copies of notices or emails you received; relevant photos or screenshots.
  • Only the minimum PHI needed to explain the issue—do not send originals.

Workers and whistleblowers

Employees and contractors may report suspected violations. HIPAA prohibits intimidation or retaliation for filing a complaint or assisting an investigation. Workforce members can disclose PHI, when necessary, to report violations to appropriate oversight authorities or to an attorney, but should still limit disclosures to what is needed.

Consequences of Non-Compliance

  • Civil money penalties: tiered penalties per violation that escalate with culpability (from reasonable cause to willful neglect). Annual caps apply and are periodically adjusted for inflation.
  • Corrective action plans: multi-year obligations to improve security, privacy, training, and governance under OCR monitoring.
  • Public exposure: breaches affecting 500+ individuals are listed on HHS’s public portal, increasing reputational risk.
  • Contractual and state risks: Business Associates may face contract termination and damages; state attorneys general can bring actions under state law.
  • Operational impacts: incident response costs, patient notifications, call center operations, credit monitoring, system hardening, and audits.

Note: HIPAA generally does not create a private right of action for damages, but individuals may pursue remedies under other laws (e.g., negligence, consumer protection) depending on the facts.

Case Examples of HIPAA Violations

Lost unencrypted device

A clinician’s unencrypted laptop containing thousands of patient records is stolen from a car. Without encryption, the PHI is “unsecured,” so individual and OCR notifications are required within the specified timelines. The organization deploys full disk encryption and tightens offsite device policies.

Misdirected email with attachments

A staff member emails a discharge summary to the wrong recipient. The incident is investigated, the unintended recipient attests to deletion, and the risk assessment documents a low probability of compromise. If supported, notification may not be required—but the rationale must be retained.

Unauthorized snooping

An employee repeatedly looks up a neighbor’s records without a job-related need. Access logs and audits confirm the pattern. Notifications are sent, the worker is sanctioned, and monitoring rules are enhanced.

Improper disposal

Paper records containing PHI are found in a public dumpster. Because the recipient could easily retain the PHI, the risk is high. The entity notifies individuals and OCR and retrains staff on secure destruction practices.

Ransomware attack

Malware encrypts a file server holding PHI. Under OCR’s ransomware guidance, ransomware encryption of ePHI is itself presumed to be a breach unless the four-factor assessment shows a low probability of compromise; here forensics also indicate that data was exfiltrated, so the entity treats the incident as a breach, issues notices, and implements stronger backups, network segmentation, and multi-factor authentication.

Delayed patient access

A provider repeatedly fails to give patients timely access to their records. OCR investigates and requires a corrective action plan, underscoring that access rights are a core HIPAA obligation.

Key takeaways

  • Act fast: contain, investigate, and start your risk assessment on day one.
  • Track discovery and meet the 60-day individual and OCR Notification Timelines.
  • Document every decision; if you conclude “no breach,” keep your analysis.
  • Use lessons learned to harden controls and update Business Associate Agreements.

FAQs

How do I file a HIPAA violation complaint?

You can file directly with the Office for Civil Rights (OCR). Provide who was involved, what happened, when and where it occurred, why you believe HIPAA was violated, and any supporting documents. You generally must file within 180 days of when you knew or should have known about the issue, and you should include only the minimum PHI needed to explain your complaint.

What is the 180-day rule for reporting HIPAA violations?

It is the deadline for filing a complaint with OCR: you typically have 180 days from the date you knew or should have known of the alleged violation. OCR may extend this period if you can show good cause for delay.

Who must notify the Department of Health and Human Services about a breach?

Covered Entities are responsible for notifying HHS/OCR. Business Associates must notify the Covered Entity without unreasonable delay and provide the information the Covered Entity needs for its notices. A Business Associate may be delegated to notify on the Covered Entity’s behalf by contract, but the Covered Entity remains accountable under HIPAA.

What evidence is needed to report a HIPAA violation?

Provide dates, locations, a clear description of the incident, names of the organizations or people involved, and copies of letters, emails, or screenshots that show what occurred. Organizations should include audit logs, risk assessments, mitigation steps, and notification records. Share only the minimum necessary PHI and keep originals secure.
