Reporting HIPAA Breaches: Who to Contact and What OCR Requires
Breach Notification Requirements
Under the HIPAA Breach Notification Rule (45 CFR 164.400–414), you must notify specific parties when there is a breach of unsecured protected health information. “Unsecured” means the data was not rendered unusable, unreadable, or indecipherable to unauthorized individuals (for example, it was not properly encrypted or destroyed). If encryption or destruction was effective, the incident typically does not trigger breach notification.
An impermissible use or disclosure of PHI is presumed to be a breach unless you document a low probability that the PHI has been compromised, based on the required four‑factor risk assessment: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re‑identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated. Three narrow exceptions apply: unintentional, good‑faith access or use by a workforce member or agent within the scope of their authority; inadvertent disclosure between two persons authorized to access PHI at the same entity; and disclosures where the entity has a good‑faith belief that the recipient could not reasonably have retained the information.
Reporting to OCR is ultimately the covered entity's responsibility. A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery (a business associate agreement may set a shorter window), providing the identities of affected individuals and any other available details the covered entity needs for downstream notifications.
Timelines are strict: notify affected individuals without unreasonable delay and no later than 60 days from breach discovery. Report to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) via the breach notification portal within 60 days if 500 or more individuals are affected, and no later than 60 days after the end of the calendar year if fewer than 500 individuals are affected.
Reporting Procedures to OCR
Before you submit, confirm the breach determination and establish a clear breach discovery timeline. “Discovery” occurs on the first day the breach is known—or, by exercising reasonable diligence, would have been known—to the covered entity or business associate. Knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the entity, so the clock does not wait for the compliance or security team to be told. Document when, how, and by whom it was discovered.
Prepare your submission package. Count impacted individuals, identify the states or jurisdictions of residence, and summarize the incident, mitigation steps, and safeguards. If you are a business associate, transmit this information to the covered entity promptly so they can complete covered entity reporting to OCR.
Use the OCR breach notification portal to file your report. For large breaches (500+), do not wait for a complete forensic report—submit initial details within the deadline, then update the report as new, material information becomes available. For smaller breaches (<500), you may log incidents throughout the year and submit them collectively after year‑end within the allowed timeframe.
If a law enforcement official states that notification would impede a criminal investigation or cause damage to national security, you must delay notifications. If the statement is in writing and specifies a period, delay for that period. If the statement is oral, document it (including the identity of the official) and delay no longer than 30 days from the oral statement unless a written statement is submitted in the meantime. Track the revised due dates for individual, media, and OCR notices.
Information Needed for Breach Reports
Organization and Contact Details
- Legal name of the covered entity and any implicated business associate(s).
- Primary contact for OCR correspondence (name, title, phone, and email).
Incident Scope and Timeline
- Type of incident (e.g., hacking/IT incident, unauthorized access/disclosure, loss, theft, improper disposal).
- Location of PHI at the time (e.g., network server, EMR, email, laptop, paper/film).
- Dates of breach and discovery, and the date you first determined it to be a reportable breach.
- Number of affected individuals and their states/jurisdictions of residence.
PHI Details and Risk Factors
- Categories of data involved (e.g., names, addresses, SSNs, diagnoses, treatment info, financial data).
- Whether the PHI was encrypted, destroyed, or otherwise safeguarded.
- Whether the PHI was actually viewed/acquired and by whom (if known).
Mitigation and Safeguards
- Steps taken to contain and mitigate harm (e.g., password resets, blocking exfiltration, offering credit monitoring).
- Corrective actions and future prevention measures (policy updates, staff training, technical controls).
- Whether law enforcement is involved and any requested delay.
Notifications and Follow‑Up
- Status of affected individual notification and any substitute notices used.
- Media breach disclosure actions, if applicable.
- Attestations and the ability to provide updates as additional information emerges.
Notification to Affected Individuals
Provide affected individual notification without unreasonable delay and no later than 60 days after discovery. Send written notice by first‑class mail, or by email if the person has agreed to receive electronic notices. For urgent threats (e.g., ongoing misuse), supplement with telephone or other expedient methods.
Your notice should include, in plain language: a brief description of what happened, including the date of the breach and the date of discovery, if known; the types of unsecured PHI involved; steps individuals should take to protect themselves from potential harm; what you are doing to investigate, mitigate harm, and prevent a recurrence; and contact procedures for questions, which must include a toll‑free telephone number, an email address, a website, or a postal address. Maintain records of all notices, returned mail, and any substitute outreach.
If contact information is insufficient or out of date for fewer than 10 individuals, substitute notice may be given by an alternative form of written notice, by telephone, or by other means. If 10 or more individuals are unreachable, substitute notice must be either a conspicuous posting on your website home page for at least 90 days or a conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside, and in either case must include a toll‑free number, active for at least 90 days, where individuals can learn whether their PHI was involved.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Media Notification Obligations
When a breach involves 500 or more residents of a single state or jurisdiction, you must provide media breach disclosure to prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. The notice should mirror the content of individual notices and be coordinated with your broader communications plan.
Media notice does not replace individual notices—you must do both when the 500‑resident threshold is met. Keep copies of press materials, publication dates, and proofs of distribution for your compliance file.
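The timelines in this article interact in ways that are easy to get wrong under pressure: the OCR deadline depends on the total count, the media obligation depends on the count per state or jurisdiction, the substitute‑notice method depends on how many people you cannot reach, and a law enforcement hold can move every date. The following is an added worked example, not code from the original article or from Accountable; it encodes the rules stated in the Breach Notification Requirements, Reporting Procedures, Notification to Affected Individuals, and Media Notification sections above as a small deadline planner. The function and field names are the author's own, the sample breach data is constructed, and the handling of a law enforcement hold (the due date becomes the later of the original deadline and the end of the hold) is a modelling assumption to be confirmed with counsel.

```python
"""Deadline planner for the HIPAA Breach Notification Rule (45 CFR 164.404-414).

Added example, not the article's own code. Encodes the 60-day windows, the
500-individual OCR threshold, the 500-resident-per-state media threshold, the
substitute-notice thresholds and the law-enforcement hold rules as described
in the text above. Assumption: during a hold, each notice is due on the later
of its original due date and the end of the hold.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Mapping, Optional

NOTICE_WINDOW = timedelta(days=60)    # "no later than 60 calendar days"
LARGE_BREACH = 500                    # >= 500 individuals: OCR within 60 days
MEDIA_THRESHOLD = 500                 # >= 500 residents of one state/jurisdiction
SUBSTITUTE_THRESHOLD = 10             # >= 10 unreachable: web posting or media
ORAL_HOLD_MAX = timedelta(days=30)    # oral law-enforcement request, no writing


@dataclass(frozen=True)
class NotificationPlan:
    total_individuals: int
    individual_notice_due: date       # also the media-notice deadline, if any
    ocr_report_due: date
    media_notice_states: tuple        # states/jurisdictions needing media notice
    substitute_notice: str
    hold_until: Optional[date]


def annual_ocr_deadline(discovery: date) -> date:
    """Breaches under 500: report no later than 60 days after the end of the
    calendar year in which the breach was discovered."""
    return date(discovery.year, 12, 31) + NOTICE_WINDOW


def substitute_notice_mode(unreachable: int) -> str:
    """Substitute-notice method as a function of how many people are unreachable."""
    if unreachable <= 0:
        return "none"
    if unreachable < SUBSTITUTE_THRESHOLD:
        return "alternative written notice, telephone, or other means"
    return ("conspicuous website posting for 90 days or major print/broadcast "
            "media, plus a toll-free number active for 90 days")


def law_enforcement_hold(written_until: Optional[date],
                         oral_request_on: Optional[date]) -> Optional[date]:
    """Written statement: delay for the stated period. Oral statement only:
    delay at most 30 days unless a written statement arrives."""
    if written_until is not None:
        return written_until
    if oral_request_on is not None:
        return oral_request_on + ORAL_HOLD_MAX
    return None


def plan_notifications(discovery: date,
                       residents_by_state: Mapping[str, int],
                       unreachable: int = 0,
                       written_hold_until: Optional[date] = None,
                       oral_hold_on: Optional[date] = None) -> NotificationPlan:
    """Compute every notification deadline for one breach."""
    total = sum(residents_by_state.values())
    if unreachable > total or unreachable < 0:
        raise ValueError("unreachable count must be between 0 and the total")

    individual_due = discovery + NOTICE_WINDOW
    # OCR threshold is on the TOTAL count; media threshold is PER state.
    ocr_due = individual_due if total >= LARGE_BREACH else annual_ocr_deadline(discovery)
    media_states = tuple(sorted(s for s, n in residents_by_state.items()
                                if n >= MEDIA_THRESHOLD))

    hold = law_enforcement_hold(written_hold_until, oral_hold_on)
    if hold is not None:  # assumption: a hold defers, it never advances, a deadline
        individual_due = max(individual_due, hold)
        ocr_due = max(ocr_due, hold)

    return NotificationPlan(total, individual_due, ocr_due, media_states,
                            substitute_notice_mode(unreachable), hold)


if __name__ == "__main__":
    # Constructed sample: a laptop theft discovered on 2024-03-15 affecting
    # 600 Texas residents and 30 Oklahoma residents, 12 of them unreachable.
    plan = plan_notifications(date(2024, 3, 15), {"TX": 600, "OK": 30}, unreachable=12)
    print(plan)
```

In the sample run, the 630‑person total puts the OCR report on the same 60‑day clock as individual notices (due 2024‑05‑14), only Texas crosses the 500‑resident media threshold, and the 12 unreachable individuals require website or media substitute notice. Change the Texas count to 120 and the OCR deadline moves to 2025‑03‑01 (60 days after 2024‑12‑31) while the media obligation disappears; note that the year‑end rule lands on February 29 when the following year is a leap year.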
Breach Reporting Portal Confirmation
After submitting through the breach notification portal, you should receive an on‑screen confirmation and, typically, an email OCR breach acknowledgment that includes a submission or case number. Save the confirmation page, email, and any attachments you uploaded as part of your official record.
For large breaches, monitor the portal for follow‑up questions and provide timely updates if your investigation yields new facts (e.g., revised individual counts, additional states affected, or clarified root cause). Retain all correspondence and keep a versioned log of changes.
Contacting the Office for Civil Rights
While the portal is the primary channel for reporting HIPAA breaches, you may also contact the Office for Civil Rights for guidance about complex scenarios, technical issues with submissions, or to clarify the status of an existing case. Have your case number ready, summarize your questions, and document the date, time, and outcome of each interaction.
Escalate promptly if deadlines are approaching, if your breach scope is expanding, or if you need to update previously submitted information. Maintain breach documentation for at least six years, including your risk assessment, notices, portal confirmations, and any communications with OCR.
Conclusion
Reporting HIPAA breaches requires disciplined timelines, careful documentation, and clear communication. Determine whether unsecured protected health information was involved, notify affected individuals, complete covered entity reporting via the breach notification portal, meet any media disclosure duties, and preserve your OCR breach acknowledgment and records to demonstrate compliance.
FAQs
Who must report a HIPAA breach to OCR?
The covered entity is responsible for reporting to OCR. Business associates must notify the covered entity without unreasonable delay (and within 60 days of discovery) and provide all available details, including the identities of affected individuals, so the covered entity can complete the OCR submission.
What is the timeline for reporting HIPAA breaches?
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Report to OCR within 60 days for breaches affecting 500 or more individuals. For fewer than 500 individuals, log the breach and report to OCR no later than 60 days after the end of the calendar year in which the breach was discovered.
How do I notify affected individuals after a breach?
Send written notices by first‑class mail (or email if the person agreed to electronic notice). Include what happened, the types of information involved, steps individuals should take, what you are doing to mitigate and prevent recurrence, and clear contact information. Use substitute notice if contact details are insufficient, consistent with HIPAA’s rules.
What information is required in a HIPAA breach report?
OCR expects details about your organization and contacts; the incident type, dates, and number of affected individuals; the states or jurisdictions involved; the categories of PHI exposed and whether safeguards like encryption were in place; mitigation and corrective actions; law enforcement involvement; and the status of individual and media notifications.