When Must PHI-Related Breaches Be Reported? HIPAA Deadlines and Notification Requirements
The HIPAA Breach Notification Rule sets clear deadlines for reporting breaches of Unsecured Protected Health Information. Covered Entities and their Business Associates must act quickly to notify affected individuals, the Department of Health and Human Services (HHS), and—in some cases—the media. This guide explains who must notify, when notices are due, and what each notice must include.
The timelines below are hard limits. Regulators view “no later than 60 days” as an outer boundary—not a target. Whenever feasible, provide notice without unreasonable delay.
Notification to Affected Individuals
Who is responsible and when notice is due
Covered Entities must notify each affected individual without unreasonable delay and in no case later than 60 calendar days after discovering a breach of Unsecured Protected Health Information. Business Associates must promptly inform the Covered Entity so the individual notices can be sent; a Business Associate may send them directly only if the contract delegates that task.
Acceptable delivery methods
- First-class mail to the individual’s last known address is the default method.
- Email is permitted only if the individual has agreed to receive electronic notice and has not withdrawn that agreement. If you know an email address is invalid, send a paper notice instead.
- If there is a risk of imminent misuse or harm, supplement written notice with a phone call or other rapid method.
Substitute notice when contact information is insufficient
- Fewer than 10 individuals with outdated/insufficient addresses: use an alternative form of notice such as telephone, email, or another appropriate means.
- 10 or more individuals: post a conspicuous website notice for at least 90 days or provide notice in major print or broadcast media in the affected area, and maintain a toll‑free number for at least 90 days.
Notification to the Department of Health and Human Services
Breaches affecting 500 or more individuals
Report to HHS without unreasonable delay and in no case later than 60 calendar days from discovery. Submit through the HHS Breach Reporting portal. Coordinate this filing with individual and, if applicable, media notifications so the information is consistent.
Breaches affecting fewer than 500 individuals
Log each incident and report it to HHS no later than 60 days after the end of the calendar year in which the breach was discovered. In practice that is March 1 of the following year, or February 29 when the following year is a leap year. Maintain documentation supporting your determinations and submissions.
Media Notification Requirements
When the Media Notification Mandate applies
If a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. This media notice does not replace individual notices; it is an additional requirement.
How to execute media notice
- Issue a press release that clearly summarizes the same core elements required in individual notices.
- Coordinate timing and messaging with your individual and HHS filings to avoid inconsistencies.
- Retain copies of the media notice and evidence of its distribution for your compliance file.
Breach Discovery and Reporting Timelines
What counts as a reportable breach
The notification requirements apply to breaches of Unsecured Protected Health Information, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method HHS has specified in guidance (encryption that meets that guidance, or proper destruction). An impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. That assessment must weigh at least four factors: the nature and extent of the PHI involved (types of identifiers, likelihood of re-identification); the unauthorized person who used or received it; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Only when the assessment supports a low probability of compromise, or one of the rule's narrow exceptions applies, may notification be omitted, and the written assessment must be retained.
When the clock starts
A breach is treated as discovered on the first day it is known to the Covered Entity or Business Associate, or would have been known had the organization exercised reasonable diligence. Knowledge held by a workforce member or agent of the organization (other than the person who committed the breach) counts as the organization's knowledge, so the clock can start before the privacy office hears of the incident. The 60-day period runs from that discovery date. A law-enforcement official may ask you to delay notification because it would impede an investigation or harm national security: if the request is in writing and specifies a period, delay for that period; if it is oral, document the statement and the official's identity and delay no longer than 30 days from the oral statement unless a written statement arrives in the meantime.
Business Associate duties and timing
Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovering a breach, and provide the identities of affected individuals and available details needed for notices. Many Business Associate Agreements set shorter internal deadlines (e.g., 5–15 days); comply with the stricter term.
Simple timeline example
If you discover a breach on March 1, individual and (if applicable) HHS/media notices are due no later than April 30, which is 60 calendar days later. Small-breach logs for events discovered throughout the year are due to HHS within 60 days after the end of that calendar year: March 1 of the following year, or February 29 if the following year is a leap year.
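A deadline calculator for the timelines above, added here as a worked example (it is not code from this page's author or from Accountable). The thresholds and day counts are the ones the page states: the 60-day outer limit, the 500-individual HHS and per-state media triggers, the 10-address substitute-notice threshold and the 90-day posting period. The function and field names, the sample breach figures, and the way a written law-enforcement delay is modelled (shifting the discovery-based deadlines by the stated number of days) are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Union

OUTER_LIMIT_DAYS = 60            # "no later than 60 calendar days": an outer boundary, not a target
LARGE_BREACH = 500               # 500+ individuals in total: HHS report inside the 60-day window
MEDIA_THRESHOLD = 500            # 500+ residents of one state/jurisdiction: media notice there
SUBSTITUTE_MEDIA_THRESHOLD = 10  # 10+ bad addresses: website or media substitute notice + toll-free line
SUBSTITUTE_POSTING_DAYS = 90     # website notice and toll-free number stay up at least 90 days

DateLike = Union[date, str]      # a date or an ISO string such as "2024-03-01"


def _as_date(d: DateLike) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


def annual_log_deadline(discovery: DateLike) -> date:
    """Breaches of fewer than 500 individuals are reported to HHS within 60 days
    after the end of the calendar year of discovery. Computing the date instead of
    hard-coding "March 1" exposes the edge case: it is February 29 when the
    following year is a leap year."""
    return date(_as_date(discovery).year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)


@dataclass
class NoticePlan:
    individual_notice_by: date                       # all affected individuals
    hhs_report_by: date                              # HHS Breach Reporting portal
    hhs_report_is_annual_log: bool                   # True when fewer than 500 individuals
    media_notice_by: Dict[str, date] = field(default_factory=dict)  # state -> deadline
    substitute_notice: Optional[str] = None          # required form, if any addresses are bad
    substitute_posting_until: Optional[date] = None  # latest end of the 90-day posting window
    ba_to_ce_notice_by: Optional[date] = None        # Business Associate -> Covered Entity


def plan_notices(
    discovery: DateLike,
    residents_by_state: Dict[str, int],
    bad_addresses: int = 0,
    baa_notice_days: Optional[int] = None,
    law_enforcement_delay_days: int = 0,
) -> NoticePlan:
    """Derive every deadline the page describes from one discovery date.

    residents_by_state: affected individuals grouped by state or jurisdiction.
    bad_addresses: individuals whose contact information is outdated or insufficient.
    baa_notice_days: a shorter Business Associate Agreement term, if one exists.
    law_enforcement_delay_days: the period specified in a written law-enforcement
        request. Simplifying assumption of this example: the delay shifts the
        discovery-based deadlines by that many days; confirm against the
        official's statement before relying on it.
    """
    if bad_addresses < 0 or law_enforcement_delay_days < 0:
        raise ValueError("counts and delays must be non-negative")
    discovered = _as_date(discovery)
    shift = timedelta(days=law_enforcement_delay_days)
    outer = discovered + timedelta(days=OUTER_LIMIT_DAYS) + shift

    total = sum(residents_by_state.values())
    if total >= LARGE_BREACH:
        hhs_by, annual = outer, False
    else:
        hhs_by, annual = annual_log_deadline(discovered), True

    # The media trigger is evaluated per state/jurisdiction, not on the national total.
    media = {state: outer for state, n in residents_by_state.items() if n >= MEDIA_THRESHOLD}

    substitute: Optional[str] = None
    posting_until: Optional[date] = None
    if bad_addresses >= SUBSTITUTE_MEDIA_THRESHOLD:
        substitute = "conspicuous website posting or major media, plus a toll-free number"
        # A posting that goes up on the last permissible day must stay up 90 more days.
        posting_until = outer + timedelta(days=SUBSTITUTE_POSTING_DAYS)
    elif bad_addresses > 0:
        substitute = "alternative written notice, telephone, or other means"

    ba_by: Optional[date] = None
    if baa_notice_days is not None:
        # A contract can only tighten the regulatory 60-day term, never loosen it.
        ba_by = discovered + timedelta(days=min(baa_notice_days, OUTER_LIMIT_DAYS))

    return NoticePlan(outer, hhs_by, annual, media, substitute, posting_until, ba_by)


if __name__ == "__main__":
    # Constructed scenario: discovered March 1, 640 individuals, 600 of them in one state,
    # 12 undeliverable addresses, and a BAA that requires notice to the Covered Entity in 10 days.
    print(plan_notices("2024-03-01", {"TX": 600, "OK": 40}, bad_addresses=12, baa_notice_days=10))
```

The per-state grouping matters: a breach of 640 people spread thinly across many states triggers the immediate HHS report but no media notice, while 600 residents of one state trigger both. The annual-log function is where the leap-year detail shows up; a hard-coded "March 1" would be a day late for discoveries made in 2023, 2027 and every other year preceding a leap year.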
Content Requirements for Breach Notices
Each notice to individuals—and, in summarized form, to media—should include:
- A brief description of what happened, including the date of the breach and the date of discovery (if known).
- The types of PHI involved (for example, names, addresses, dates of birth, medical record numbers, diagnoses, treatment information, or financial data).
- Steps individuals should take to protect themselves (such as monitoring accounts, placing fraud alerts, or changing passwords).
- What the organization is doing to investigate the incident, mitigate harm, and prevent future occurrences.
- Contact methods for questions or assistance (toll‑free number, email address, and postal address).
Mitigation and Follow-Up Actions
Contain and investigate
Secure systems, recover or disable access to exposed data, rotate credentials, and preserve forensic evidence. Engage privacy and security teams promptly to complete the risk assessment that underpins your HIPAA Breach Notification Rule analysis.
Support affected individuals
Offer appropriate remedies such as credit monitoring or identity theft protection when financial data may be at risk. Provide clear instructions for account monitoring, password resets, and enabling multi‑factor authentication.
Strengthen your compliance program
Update policies, retrain workforce members, and apply sanctions where required. Reassess technical controls (encryption, logging, access management), review Business Associate arrangements, and document every step for audit readiness.
Conclusion
To stay compliant, act quickly, focus on Unsecured Protected Health Information, meet the 60‑day outer limit, and align individual, HHS Breach Reporting, and any Media Notification Mandate duties. Strong mitigation and documentation close the loop and reduce regulatory risk.
FAQs
What is the deadline to notify individuals of a PHI breach?
You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovering the breach. Use first‑class mail or email if the person has provided Electronic Notice Consent; employ substitute notice if contact information is insufficient.
When must breaches affecting 500 or more individuals be reported to HHS?
For breaches impacting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 calendar days from discovery. For fewer than 500 individuals, submit your annual log to HHS within 60 days after the end of the calendar year (March 1 of the following year, or February 29 when that year is a leap year).
How should media notification be handled for large breaches?
If a breach affects 500 or more residents in a single state or jurisdiction, issue a press release to prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. This media notice supplements—rather than replaces—individual notices and your HHS filing.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.