When to Notify Patients of a Breach: HIPAA Deadlines and Notification Requirements
Knowing exactly when to notify patients of a breach is essential to HIPAA compliance. The Breach Notification Rule sets deadlines and content standards for notifying individuals when unsecured protected health information is compromised. This guide explains the timelines, who must report, required notice content, and how to document every step so you can act quickly and confidently after breach discovery.
HIPAA Breach Notification Rule Overview
Who is covered and when the rule applies
The rule applies to covered entities—health plans, most health care providers, and health care clearinghouses—and their business associates that create, receive, maintain, or transmit PHI. Notification duties arise when there is a breach of unsecured protected health information that poses a risk of compromise.
What counts as a breach
A breach is an impermissible use or disclosure of PHI that compromises its security or privacy. You must conduct a risk assessment considering the nature and extent of PHI involved, who received it, whether it was actually acquired or viewed, and the extent of mitigation. If the assessment shows a low probability of compromise, notification may not be required.
Unsecured PHI versus secured PHI
Unsecured protected health information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through approved encryption or destruction methods. If PHI is properly encrypted or destroyed, the incident is not a notifiable breach under HIPAA.
When a breach is “discovered”
Breach discovery occurs on the first day the breach is known to the organization, or on which it would have been known had the organization exercised reasonable diligence. For business associates, discovery starts their obligation to notify the covered entity; the covered entity’s 60‑day clock to notify individuals typically begins when it discovers the breach (often the date the business associate provides notice).
Notification Timeframes and Deadlines
Individuals
You must provide written notice to affected individuals without unreasonable delay and in no case later than 60 calendar days after breach discovery. Calendar days include weekends and holidays; aim to notify as soon as you can responsibly provide accurate facts.
Business associates to covered entities
Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days from their own discovery, supplying the identities of affected individuals and all available details needed for individual notifications.
Permissible law enforcement delays
If a law enforcement official determines that notification would impede an investigation or harm national security, you must delay notices for the time specified in a written request. If the request is oral, document it and delay for up to 30 days unless replaced sooner by a written request or lifted earlier by the official.
Reporting Requirements for Large Breaches
500 or more individuals affected
For breaches affecting 500 or more individuals, notify the Department of Health and Human Services (HHS) through the HHS online portal without unreasonable delay and no later than 60 calendar days after discovery. This threshold is based on the total number of individuals affected by the incident, regardless of where they reside.
Parallel actions you must take
- Notify all affected individuals within 60 calendar days.
- Notify prominent media outlets in any state or jurisdiction where 500 or more residents are affected (details in the Media section below).
- Implement mitigation strategies—such as securing accounts, resetting credentials, and offering protections like credit monitoring—appropriate to the risks created by the breach.
Annual Reporting for Small Breaches
Fewer than 500 individuals affected
Maintain a log of breaches that affect fewer than 500 individuals and report all such breaches to the Department of Health and Human Services (HHS) in aggregate no later than 60 days after the end of the calendar year in which they were discovered. Continue to notify each affected individual within 60 days of discovery even when the breach is small.
Media Notification Obligations
State or jurisdiction threshold
If a breach involves 500 or more residents of a single state or jurisdiction, you must notify one or more prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. Media notices should mirror the substance of individual notices and use clear, plain language.
Substitute notice when contact information is insufficient
- If fewer than 10 individuals have out-of-date or insufficient contact information, use alternative methods such as email, other written means, or telephone.
- If 10 or more individuals cannot be reached, provide a conspicuous website posting for at least 90 days or notify major print or broadcast media in the affected area, and include a toll-free number active for at least 90 days.
Contents of Breach Notifications
Required notification content
- A brief, factual description of what happened, including the date of the breach and the date of discovery (if known).
- The types of PHI involved (for example, names, dates of birth, addresses, Social Security numbers, account numbers, clinical data).
- Steps individuals should take to protect themselves, such as monitoring accounts, changing passwords, placing fraud alerts, or freezing credit.
- What your organization is doing to investigate, contain, and mitigate the breach and to prevent future incidents.
- How individuals can get more information or assistance, including a toll‑free number, email address, website, or postal address.
Use plain language, avoid technical jargon, and provide only confirmed facts. Consider FAQs or a dedicated call center to reduce confusion and support affected individuals.
Documentation and Record-Keeping Requirements
Breach investigation documentation
- Risk assessment showing how you determined whether notification was required.
- For notifiable breaches, evidence of timelines from breach discovery through mailing and posting.
- Copies of all individual, media, and HHS notifications.
Operational records you should retain
- Incident response plans, mitigation strategies taken, and corrective action plans.
- Law enforcement delay requests and your documentation of any oral requests.
- Workforce training records, sanctions (if applicable), and updated policies and procedures.
- Business associate agreements and communications related to the breach.
HIPAA generally requires retaining documentation for at least six years from the date of creation or last effective date, whichever is later. Keep small-breach logs current to meet annual reporting deadlines and to demonstrate reasonable diligence during audits.
Conclusion
Act quickly once a breach is discovered: notify individuals within 60 calendar days, report large breaches to HHS and, when applicable, the media, and aggregate small-breach reports annually. Clearly communicate what happened, how you are mitigating harm, and how patients can protect themselves, and maintain thorough records to show full compliance.
FAQs
What is the deadline for notifying patients of a breach?
You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after breach discovery. Send notices as soon as accurate information is available; calendar days include weekends and holidays.
When must the HHS be notified of a breach?
For breaches affecting 500 or more individuals, notify the Department of Health and Human Services (HHS) without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting fewer than 500 individuals, report them to HHS in aggregate no later than 60 days after the end of the calendar year in which they were discovered.
How is media notification handled for state-specific breaches?
If 500 or more residents of a single state or jurisdiction are affected, notify one or more prominent media outlets serving that area within 60 calendar days of discovery. If multiple states are involved, apply the 500‑resident threshold to each state or jurisdiction separately. Separately, substitute notice (a conspicuous website posting or a notice in major print or broadcast media) is also required when 10 or more individuals cannot be reached because their contact information is insufficient or out of date.
What information must be included in a breach notification?
Each notice must describe what happened (including breach and discovery dates), list the types of PHI involved, explain steps individuals should take to protect themselves, detail your investigation and mitigation strategies, and provide clear contact information (such as a toll‑free number or email) for questions and support.