When to Notify HHS of a Breach: HIPAA Reporting Deadlines and the 60‑Day Rule

Kevin Henry

HIPAA

May 12, 2026

7 minute read

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and their business associates to provide prompt notice when a breach involves Unsecured Protected Health Information. “Unsecured” means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons, such as through strong encryption or proper destruction.

A breach is presumed when there is an impermissible use or disclosure of PHI unless you perform and document a risk assessment showing a low probability that the PHI was compromised. Evaluate the nature and extent of the PHI, who received it, whether it was actually viewed, and the extent to which risks were mitigated.

The notification clock starts on the date the breach is discovered—when it is first known to the organization (or would have been known with reasonable diligence), not when it occurred. Notices must be provided “without unreasonable delay,” with the 60‑day outer limit serving as a deadline, not a waiting period.

Law enforcement may request a delay if notice would impede an investigation or threaten public safety. Maintain written documentation of any law enforcement hold and resume notifications immediately after the hold expires.

Reporting Thresholds and Timelines

Breaches affecting 500 or more individuals

You must notify HHS without unreasonable delay and no later than 60 calendar days after discovery. For these large incidents, HIPAA Breach Reporting to HHS occurs in parallel with individual notifications and any required media notice.

Breaches affecting fewer than 500 individuals

You must log each incident and report it to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered. Practically, this means by March 1 in most years (or by February 29 in a leap year). Do not wait to notify affected individuals; the annual timeline applies only to HHS reporting.

Counting individuals and multiple incidents

Count each unique person whose PHI was involved, even if multiple records for the same person were affected. If separate incidents occur, treat them individually for Notification Deadlines and include each one in your annual log when using the under‑500 pathway.
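The thresholds and clocks above (60 days from discovery for 500+ incidents and for all individual notices; 60 days after the end of the calendar year for the under-500 annual submission; per-person rather than per-record counting) are easy to get wrong by hand, especially the leap-year edge of the annual deadline. The following is an added example, not code from the article or from any vendor tool, that turns those rules into a small deadline calculator. The class, function and field names, and the sample incidents, are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds as stated in the Breach Notification Rule discussion above.
LARGE_BREACH_THRESHOLD = 500   # 500 or more individuals -> report to HHS within 60 days
OUTER_LIMIT_DAYS = 60          # "without unreasonable delay", 60 days is the outer limit


@dataclass
class BreachIncident:
    """One breach of unsecured PHI. Field names are hypothetical."""
    discovered: date                      # the clock starts here, not at occurrence
    occurred: Optional[date]              # may be unknown at filing time
    affected_person_ids: list            # one entry per affected record; duplicates allowed
    law_enforcement_hold_until: Optional[date] = None

    def unique_individuals(self) -> int:
        # Count each person once even if several of their records were involved.
        return len(set(self.affected_person_ids))

    def pathway(self) -> str:
        # 500 or more unique individuals uses the 60-days-from-discovery HHS pathway.
        return "500+" if self.unique_individuals() >= LARGE_BREACH_THRESHOLD else "under-500"

    def individual_notice_deadline(self) -> date:
        # Individuals are always due within 60 days of discovery, whatever the pathway.
        return self.discovered + timedelta(days=OUTER_LIMIT_DAYS)

    def hhs_deadline(self) -> date:
        if self.pathway() == "500+":
            return self.discovered + timedelta(days=OUTER_LIMIT_DAYS)
        # Under-500: 60 days after the end of the calendar year of discovery.
        # Dec 31 + 60 days lands on Mar 1, or on Feb 29 when the following year is a leap year.
        year_end = date(self.discovered.year, 12, 31)
        return year_end + timedelta(days=OUTER_LIMIT_DAYS)


def make_incident(discovered_iso: str, occurred_iso: Optional[str],
                  person_ids: list, hold_until_iso: Optional[str] = None) -> BreachIncident:
    """Convenience constructor taking ISO-8601 date strings."""
    return BreachIncident(
        discovered=date.fromisoformat(discovered_iso),
        occurred=date.fromisoformat(occurred_iso) if occurred_iso else None,
        affected_person_ids=list(person_ids),
        law_enforcement_hold_until=date.fromisoformat(hold_until_iso) if hold_until_iso else None,
    )


def notice_status(incident: BreachIncident, today_iso: str) -> str:
    """'held' while a documented law-enforcement hold is active, else 'due' or 'overdue'."""
    today = date.fromisoformat(today_iso)
    hold = incident.law_enforcement_hold_until
    if hold is not None and today <= hold:
        return "held"   # resume notifications immediately once the hold expires
    return "overdue" if today > incident.individual_notice_deadline() else "due"


def annual_log_due_dates(incidents: list) -> dict:
    """Map each discovery year with under-500 incidents to its annual HHS submission deadline."""
    due = {}
    for inc in incidents:
        if inc.pathway() == "under-500":
            due[inc.discovered.year] = inc.hhs_deadline().isoformat()
    return due


# Constructed sample incidents (not real breaches).
SAMPLE_INCIDENTS = [
    # 3 records, but only 2 distinct people -> under-500 pathway, discovered in 2027
    make_incident("2027-06-15", "2027-06-01", ["p1", "p1", "p2"]),
    # 500 distinct people -> 500+ pathway, occurrence date unknown
    make_incident("2026-03-10", None, [f"p{i}" for i in range(500)]),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.pathway(), inc.unique_individuals(),
              "individuals due", inc.individual_notice_deadline(),
              "HHS due", inc.hhs_deadline())
    print(annual_log_due_dates(SAMPLE_INCIDENTS))
```

Running the block shows the two sample incidents landing on different HHS deadlines (9 May 2026 for the 500+ case; 29 February 2028 for the under-500 case discovered in 2027) while both carry a 60-day individual-notice deadline from discovery. The status check models a law enforcement hold only as a pause, matching the article's instruction to resume notification immediately when the hold ends; it does not attempt to recompute a tolled deadline, which should be documented from the hold letter itself.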

Notification Procedures to HHS

Information you will need

  • Covered entity or business associate name and primary contact information.
  • Breach discovery date and breach occurrence date (if known).
  • Total number of individuals affected and states of residence.
  • Type of incident (for example, hacking/IT incident, theft, loss, unauthorized access/disclosure).
  • Location of breached information (for example, network server, EHR, email, paper/films, portable device).
  • Types of PHI involved (for example, names, SSNs, diagnoses, treatment information, financial data).
  • Narrative summary describing what happened, containment, mitigation, and corrective actions.
  • Whether law enforcement requested a delay and the dates of any hold.

Submission steps

  • Collect the details above promptly after discovery; do not wait for a full forensic report to begin HIPAA Breach Reporting.
  • Use the HHS Online Portal to file: choose the correct pathway (500+ or under‑500 annual submission), enter event details, and upload any supporting documentation.
  • Submit as soon as information is reasonably complete; update the report later if your investigation refines the facts.
  • Retain a copy of what you submitted, the confirmation number, and the evidence that supports your timelines.

Breach Reporting Portal

The HHS Online Portal guides you through a structured form that captures key facts about the incident, affected individuals, and remediation steps. You can save drafts, return to edit, and submit updates if new information emerges.

For breaches affecting 500 or more individuals, submissions appear on HHS’s public breach portal after review, making accuracy and clarity critical. Use concise, factual narratives that explain what happened, how you contained the event, and how you are preventing recurrence.

For under‑500 incidents, submit each breach during the annual reporting window. Maintain an internal log throughout the year so you can report on time without scrambling for details.

Notification Requirements for Affected Individuals

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of Unsecured Protected Health Information. Do not hold notifications waiting for a final incident report unless a documented law enforcement delay applies.

Content of the notice

  • A brief description of what happened, including dates of the breach and discovery.
  • Types of PHI involved (for example, names, account numbers, diagnoses, prescriptions).
  • Steps individuals should take to protect themselves (for example, monitoring accounts, credit freezes).
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • How individuals can reach you for more information (for example, toll‑free number, email, postal address).

Method and substitute notice

  • Provide written notice by first‑class mail, or by email if the individual has agreed to electronic notice.
  • If you lack contact information for fewer than 10 people, use an alternative form such as telephone. For 10 or more, provide substitute notice via a conspicuous website posting or major media for at least 90 days and include a toll‑free number.
  • If more than 500 residents of a single state or jurisdiction are affected, also notify prominent media serving that area.

Business associates

Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach, including the identities of affected individuals when known. Contracts often require a shorter timeframe; plan accordingly.

Penalties for Late Notification

Failure to meet Notification Deadlines can trigger civil monetary penalties under HIPAA’s four‑tier structure, which scales with the organization’s level of culpability—from lack of knowledge to willful neglect not corrected in time. Penalties are assessed per violation and subject to annual caps that are adjusted for inflation.

Regulators weigh factors such as the duration of the delay, harm to individuals, cooperation, past compliance history, and the adequacy of corrective actions. Late notice can also lead to resolution agreements, multi‑year corrective action plans, and significant reputational damage.

Best Practices for Compliance

  • Encrypt PHI at rest and in transit to reduce the risk that a security incident becomes a reportable breach of Unsecured Protected Health Information.
  • Establish a written incident response plan with clear internal escalation targets (for example, triage within 24 hours, decision on reportability within a few days).
  • Document your risk assessments, Notification Deadlines, and decisions, including any law enforcement delay letters or oral holds.
  • Maintain a year‑round breach log to streamline under‑500 annual reporting and ensure accuracy in the HHS Online Portal.
  • Train workforce members and contractors on the Breach Notification Rule and phishing, email security, and data handling.
  • Manage vendors with robust business associate agreements, right‑to‑audit clauses, and proof of security controls.
  • Perform tabletop exercises to test HIPAA Breach Reporting workflows and message templates for individual and media notices.

FAQs

What is the 60-day rule for notifying HHS of a breach?

The 60‑day rule requires you to notify HHS without unreasonable delay and in no case later than 60 calendar days after discovering a breach of Unsecured Protected Health Information. Treat 60 days as an outer limit, not a target; file as soon as the core facts are known.

When must breaches affecting fewer than 500 individuals be reported?

Log each incident and report it to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered—typically by March 1 of the following year (February 29 in a leap year). Individual notifications are still due within 60 days of discovery.

How should covered entities notify HHS of a breach?

Submit a breach report through the HHS Online Portal. Provide discovery and occurrence dates, number of individuals affected, type and location of the incident, PHI types involved, a narrative description, mitigation steps, and a contact person. Update the report if new information emerges.

What are the penalties for failing to notify HHS on time?

Late or missing notices can result in civil monetary penalties under HIPAA’s tiered system, corrective action plans, and public posting of large breaches. Regulators consider the length of delay, harm to individuals, organizational culpability, and remediation efforts when determining outcomes.
