Reporting HIPAA Breaches: Required Recipients, Timelines, and Compliance Best Practices
HIPAA’s Breach Notification Rule sets specific duties for reporting incidents that compromise Protected Health Information (PHI). To stay compliant, you must notify the right recipients, meet strict notification timelines, and maintain thorough records. This guide clarifies required recipients, Health and Human Services reporting expectations, and practical controls you can adopt to prevent and respond to unauthorized PHI disclosure.
Breach Notification to Affected Individuals
You must notify each affected individual, or their personal representative, without unreasonable delay and no later than 60 calendar days after discovery of a breach. “Discovery” occurs on the first day the breach is known—or would have been known with reasonable diligence—by the covered entity or business associate.
- Method: Send written notice by first-class mail; email is allowed if the individual has agreed to electronic notice. For deceased individuals, notify the next of kin or personal representative when known.
- Substitute notice: If you have insufficient or outdated contact information for fewer than 10 people, use an alternative method such as telephone. If 10 or more are unreachable, post a conspicuous notice on your website for at least 90 days or provide notice in major print/broadcast media where affected individuals likely reside, including a toll-free number active for at least 90 days.
- Urgent situations: If there is an imminent risk of misuse, you may also notify by telephone or other immediate means in addition to written notice.
These requirements apply whether the breach stems from a cyber event, misplaced records, or any unauthorized PHI disclosure. Ensure notices are timely, accurate, and accessible to individuals with limited English proficiency or disabilities.
Breach Notification to the Secretary of HHS
Health and Human Services reporting is mandatory for every breach, but timing depends on the number of affected individuals.
- 500 or more individuals: Report to the Secretary of Health and Human Services without unreasonable delay and no later than 60 calendar days after discovery. This submission is made via the HHS breach portal.
- Fewer than 500 individuals: Log each breach during the year and report all such incidents to HHS no later than 60 days after the end of the calendar year (generally by March 1 of the following year).
- Business associates: A business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery, sharing the identities of affected individuals and available details so the covered entity can complete required notifications.
When reporting, include the number of individuals, breach type and location, PHI elements involved, and your mitigation steps. Maintain confirmation of submission for your records.
Media Notification Requirements
If a breach affects more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovery. This typically takes the form of a press release containing the same core elements required in individual notices.
Do not confuse this requirement with substitute notice for unreachable individuals. Media notification is required because of the breach’s scale within a state or jurisdiction, regardless of whether you have accurate addresses for the affected people.
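The recipient and deadline rules from the three sections above (individuals, HHS, media, plus the substitute-notice thresholds and the secured-PHI safe harbor) can be captured as a small decision helper. This is an added example, not code from the original article; the function name, the per-jurisdiction input shape and the sample figures are my own constructions, and the discovery date is taken as already determined.

```python
from datetime import date, timedelta

def notification_plan(discovery: str, affected_by_jurisdiction: dict,
                      unreachable: int = 0, unsecured: bool = True) -> dict:
    """Map breach facts to required recipients and deadlines.

    discovery: ISO date of the first day the breach was known (or should have
               been known with reasonable diligence).
    affected_by_jurisdiction: hypothetical input shape, e.g. {"CA": 620, "NV": 40}.
    unreachable: individuals with insufficient or out-of-date contact details.
    unsecured: False when the PHI was encrypted/destroyed per HHS guidance.
    """
    total = sum(affected_by_jurisdiction.values())
    if not unsecured:
        # Secured-PHI safe harbor: no notification duty, but keep the risk assessment.
        return {"notification_required": False, "reason": "secured PHI safe harbor",
                "total_affected": total}
    discovered = date.fromisoformat(discovery)
    within_60 = (discovered + timedelta(days=60)).isoformat()
    plan = {"notification_required": True, "total_affected": total,
            "individual_notice_due": within_60}
    # HHS: 500 or more individuals within 60 days of discovery; fewer are logged
    # and reported within 60 days after the end of the calendar year of discovery
    # (Dec 31 + 60 days is Mar 1, or Feb 29 when the following year is a leap year).
    if total >= 500:
        plan["hhs_due"] = within_60
    else:
        year_end = date(discovered.year, 12, 31)
        plan["hhs_due"] = (year_end + timedelta(days=60)).isoformat()
    # Media: more than 500 residents of any single state or jurisdiction.
    plan["media_jurisdictions"] = sorted(
        j for j, n in affected_by_jurisdiction.items() if n > 500)
    plan["media_due"] = within_60 if plan["media_jurisdictions"] else None
    # Substitute notice thresholds for individuals who cannot be reached.
    if unreachable == 0:
        plan["substitute_notice"] = "none"
    elif unreachable < 10:
        plan["substitute_notice"] = "alternative means such as telephone"
    else:
        plan["substitute_notice"] = ("website posting or major media for 90 days, "
                                     "with a toll-free number active 90 days")
    return plan

if __name__ == "__main__":
    # Constructed sample: 660 people, 620 of them in one state, 12 unreachable.
    print(notification_plan("2024-01-15", {"CA": 620, "NV": 40}, unreachable=12))
```

Note that a state with exactly 500 affected residents triggers the 60-day HHS report but not media notice, which is why the two thresholds are coded separately.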
Content of Breach Notifications
All notices must be in plain language and include the following elements so individuals can understand what happened and how to protect themselves:
- What happened: A brief description of the incident, including the date of the breach and the date of discovery, if known.
- What PHI was involved: Types of data (for example, name, address, date of birth, medical record number, diagnosis/treatment information, Social Security number, or financial details).
- What individuals should do: Concrete steps to reduce risk, such as monitoring accounts, changing passwords, placing a fraud alert, or obtaining credit freezes when appropriate.
- What you are doing: Actions taken to investigate, mitigate harm, and prevent future incidents (for example, resetting credentials, enhancing access controls, deploying encryption, or retraining staff).
- How to get help: Contact procedures and information, including a toll-free number, email, website, or postal address for questions or assistance.
Tailor notices to the specific risk assessment findings. If financial identifiers were not involved, clarify that to reduce unnecessary alarm, while still providing protective guidance.
Documentation Requirements for Breaches
Meticulous documentation proves compliance and supports consistent decision-making. Maintain records for at least six years from the date of creation or last effective date.
- Risk assessment: A written, event-specific risk assessment supporting whether notification is required or whether there is a low probability of compromise.
- Incident file: Investigation notes, system logs, forensics, data mapping, decision rationale, timeline of activities, and approvals.
- Notification artifacts: Copies of individual notices, media releases, substitute notices, HHS submissions, mailing lists, and evidence of delivery or returned mail.
- Business associate communications: Notices from BAs, data provided to complete notifications, and your BAAs and oversight activities.
- Mitigation and remediation: Steps taken to contain the incident, offer support (such as call centers or monitoring), and prevent recurrence.
- Governance: Applicable policies and procedures, training records, and workforce sanctions, demonstrating adherence to the Breach Notification Rule.
Exceptions to Breach Reporting
Not every incident is a reportable breach. The following exceptions may apply:
- Good-faith access/use within scope: Unintentional acquisition, access, or use of PHI by a workforce member or person acting under authority of a covered entity or business associate, if done in good faith and within the scope of authority.
- Inadvertent disclosure: Disclosure from one authorized person to another within the same covered entity, business associate, or organized health care arrangement, with no further improper use or disclosure.
- Recipient could not retain information: Disclosure where the covered entity or business associate believes in good faith the unauthorized recipient could not reasonably have retained the information (for example, returned unopened mailings).
- Secured PHI safe harbor: PHI that is secured (for example, properly encrypted or destroyed per HHS guidance) is not considered “unsecured PHI,” so notification is not required.
Even when an exception may apply, document a risk assessment addressing the nature and extent of PHI, the unauthorized person who used or received it, whether the PHI was actually viewed or acquired, and the extent to which risk was mitigated.
Compliance Best Practices for HIPAA Breach Reporting
- Build an incident response plan: Define roles, decision trees, counsel/forensics engagement, internal SLAs, and communication templates that satisfy notification timelines and the Breach Notification Rule.
- Harden preventive controls: Encrypt devices and backups, enforce multi-factor authentication, apply least privilege and the minimum necessary standard, patch promptly, and deploy data loss prevention and endpoint detection.
- Train and test: Provide routine workforce training on PHI handling and unauthorized PHI disclosure, and run tabletop exercises that rehearse end-to-end notifications.
- Strengthen vendor oversight: Maintain current BAAs, set contractual notice windows shorter than 60 days, and verify vendors’ incident response and reporting capabilities.
- Monitor and log: Centralize incident intake, maintain a breach log for Health and Human Services reporting, and time-stamp key actions to demonstrate diligence.
- Communicate clearly: Use plain language, offer multilingual options and TTY access where applicable, and staff a call center to address individual concerns promptly.
- Align with state law: Some state breach laws are stricter or faster; coordinate your plan to meet the most stringent applicable requirement.
In summary, effective HIPAA breach reporting hinges on rapid detection, a documented risk assessment, timely notices to individuals, HHS, and sometimes the media, and disciplined recordkeeping. An actionable incident response plan ensures you meet legal obligations while protecting affected individuals.
FAQs
Who must receive breach notifications under HIPAA?
You must notify each affected individual (or their personal representative). If 500 or more residents of a single state or jurisdiction are affected, you must also notify prominent media outlets. In all cases, you must report the breach to the Secretary of Health and Human Services, either within 60 days for large breaches or annually for smaller ones.
What are the deadlines for reporting breaches to HHS?
For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting fewer than 500 individuals, log the incident and submit it to HHS no later than 60 days after the end of the calendar year (generally by March 1 of the following year).
When is media notification required for a breach?
Media notification is required when the breach involves more than 500 residents of a single state or jurisdiction. You must inform prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovering the breach.
What information must be included in a breach notification?
Include a brief description of what happened (with breach and discovery dates if known), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate the incident and prevent recurrence, and clear contact information such as a toll-free number, email, website, or mailing address.