When to Report a HIPAA Breach: Deadlines, Exceptions, and Who to Notify
HIPAA Breach Definition and Scope
What counts as a HIPAA breach?
A HIPAA breach is a use or disclosure of protected health information (PHI) that the Privacy Rule does not permit and that compromises the security or privacy of the data. Under the Breach Notification Rule, such an incident is presumed to be a breach unless you document, through a risk assessment, that there is a low probability the PHI was compromised.
How is risk assessed?
- The nature and sensitivity of the PHI involved (for example, diagnoses, SSNs, or financial data).
- Who received or could access the information and their authority to view PHI.
- Whether the PHI was actually acquired or viewed versus merely exposed.
- The extent to which you mitigated risk, such as obtaining a satisfactory written attestation of destruction or prompt retrieval.
What does “unsecured” PHI mean?
Unsecured Protected Health Information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through approved encryption or destruction. The Breach Notification Rule applies only to unsecured PHI; if data are properly secured, notification is generally not required.
Who is responsible?
Covered entities and business associates each have duties. Covered entities must notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media. Business associates must notify the covered entity of breaches without unreasonable delay so notification timelines can be met.
Notification Deadlines for Affected Individuals
When the 60‑day clock starts
You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. “Discovery” occurs on the first day the breach is known, or should reasonably have been known, to the organization; knowledge by any workforce member or agent is imputed to the entity.
Form and content of individual notices
Provide notice by first‑class mail or by email if the individual has agreed to electronic notice. Your letter should clearly explain what happened, the types of PHI involved, what you are doing to mitigate harm, steps individuals should take, and how to reach you for more information.
Substitute and urgent notice
If you lack current contact information for some people, use substitute notice. For smaller numbers, this can be phone, email, or other means; for larger numbers, use a prominent website posting or media notice. If imminent misuse is likely, you may also provide urgent telephone notice in addition to the standard letter.
Reporting to the Department of Health and Human Services
Thresholds and timelines
- Breaches affecting 500 or more individuals: report to HHS without unreasonable delay and no later than 60 calendar days from discovery (concurrent with individual notices).
- Breaches affecting fewer than 500 individuals: log each incident and report to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered.
Business associate notifications to covered entities
Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery. They should identify each affected individual and share available details so the covered entity can meet notification timelines. Agreements may delegate direct notification duties to the business associate, but accountability remains defined by the contract and the Rule.
Practical tips
- Submit required details via the HHS breach portal promptly; if some information is unavailable, submit what you have and update as more becomes known.
- Document your risk assessment, decisions, and dates—these records support compliance and audits.
Media Notification Requirements
Who and when to notify
If a breach involves 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and within 60 calendar days of discovery. This is in addition to individual notices and the HHS report.
What the media notice should cover
Issue a plain‑language press release that summarizes the incident, the types of PHI involved, actions you have taken, steps individuals can take to protect themselves, and your contact information. Coordinate timing so media, HHS, and individual notifications align.
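As an added example (not part of the original article), a small Python helper that turns the thresholds and deadlines described above into a notification plan. It assumes only the rules stated on this page and treats the 60-day dates as outer limits, since the Rule also requires acting without unreasonable delay.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Outer limits from the Breach Notification Rule as summarised on this page.
NOTIFY_WINDOW = timedelta(days=60)   # calendar days from discovery
HHS_IMMEDIATE_THRESHOLD = 500        # >= 500 individuals: report to HHS with the individual notices
MEDIA_STATE_THRESHOLD = 500          # >= 500 residents of one state/jurisdiction: notify media there


@dataclass
class NotificationPlan:
    reportable: bool
    individuals_by: Optional[date] = None
    hhs_by: Optional[date] = None
    media_by_state: Dict[str, date] = field(default_factory=dict)


def plan_notifications(
    discovered: date,
    affected_total: int,
    affected_by_state: Dict[str, int],
    phi_was_secured: bool = False,
    low_probability_documented: bool = False,
) -> NotificationPlan:
    """Return who must be notified and the latest permissible date for each notice.

    `discovered` is the first day the breach was known or should reasonably have been known.
    `phi_was_secured` means encryption/destruction applied by the entity before the incident
    (attacker-applied encryption does not count). `low_probability_documented` means a
    completed, retained risk assessment concluded a low probability of compromise.
    """
    if affected_total < 0 or any(n < 0 for n in affected_by_state.values()):
        raise ValueError("counts must be non-negative")
    if phi_was_secured or low_probability_documented:
        # Not a reportable breach; keep the assessment on file but send no notices.
        return NotificationPlan(reportable=False)

    outer = discovered + NOTIFY_WINDOW
    if affected_total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_by = outer
    else:
        # Small breaches are logged and reported within 60 days after the end of the
        # calendar year in which they were discovered.
        hhs_by = date(discovered.year, 12, 31) + NOTIFY_WINDOW

    media = {state: outer for state, n in affected_by_state.items() if n >= MEDIA_STATE_THRESHOLD}
    return NotificationPlan(True, outer, hhs_by, media)
```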
Exceptions to Breach Reporting
Three narrow exceptions
- Unintentional acquisition, access, or use of PHI by a workforce member or person acting under authority, made in good faith and within scope, and not further used or disclosed improperly.
- Inadvertent disclosure from one authorized person to another authorized person within the same covered entity, business associate, or organized health care arrangement.
- Good‑faith belief that the unauthorized recipient could not reasonably have retained the information.
Low probability of compromise
If your documented risk assessment shows a low probability that PHI was compromised, the incident is not a reportable breach under the Breach Notification Rule. Keep the analysis and supporting evidence on file.
Secured PHI
Notification is not required when the PHI was secured through approved encryption or proper destruction before the incident. Encryption applied by an attacker does not satisfy this condition; the PHI must have been secured by you at the time of the event.
Law enforcement delay
When a law enforcement official determines that notice would impede a criminal investigation or threaten national security, you must delay notifications for the time specified. An oral request permits a temporary delay, followed by a written statement for any extended period.
Developing Breach Notification Policies
Core policy elements
- Designation of privacy and security leaders with clear authority and escalation paths.
- Standardized risk assessment methodology aligned to the Rule’s four factors.
- Written procedures for individual, HHS, and media notifications with definitive notification timelines.
- Templates for letters, media releases, call scripts, and FAQs for consistent messaging.
Incident response workflow
- Intake and triage within hours; contain, preserve evidence, and start the risk assessment.
- Decide on breach status quickly; track discovery and deadline dates from the start.
- Coordinate with business associates, cyber counsel, and insurance as needed.
- Mitigate harm and offer protective services proportionate to the risk.
Documentation and retention
Maintain incident files, assessment records, notices, and approvals for at least six years. Accurate logs support annual HHS reporting for small breaches and demonstrate Privacy Rule compliance.
Vendor and business associate governance
- Execute business associate agreements that define reporting duties, timeframes, and cooperation.
- Assess vendor security and require timely breach reporting with sufficient detail to notify individuals.
Training and Compliance Enforcement
Training essentials
- Provide onboarding and annual refreshers that explain the Breach Notification Rule and how to recognize and report incidents.
- Deliver role‑based training for high‑risk functions such as billing, IT, and care coordination.
- Reinforce everyday practices: minimum necessary, secure messaging, encryption, and safe disposal.
Workforce Member Sanctions
Adopt graduated, consistently applied sanctions for violations—from coaching to termination—based on intent, impact, and prior history. Communicate the sanctions policy, document decisions, and apply it uniformly to deter noncompliance.
Monitor and improve
- Run phishing and security awareness campaigns and track reporting performance.
- Conduct periodic audits and tabletop exercises to validate readiness and notification timelines.
- Address findings with targeted training, process updates, and technology controls.
Conclusion
Timely action drives compliance: notify individuals within 60 days of discovery, report to HHS on the proper schedule, and alert the media when 500 or more residents of a state or jurisdiction are affected. Use the Rule’s exceptions carefully, secure PHI by design, and sustain readiness through robust policies, training, and enforcement.
FAQs
What is the deadline for reporting a HIPAA breach?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS within the same 60‑day window, while smaller breaches are logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered.
Who must be notified in a HIPAA breach?
Notify affected individuals in all reportable breaches. If 500 or more residents of a state or jurisdiction are impacted, notify prominent media outlets serving that area. Report to HHS for every breach—within 60 days for incidents involving 500 or more individuals, and by year‑end plus 60 days for smaller incidents. Business associates notify the covered entity unless the agreement assigns them direct notice duties.
What are the exceptions to HIPAA breach notification?
Three narrow exceptions apply: good‑faith, within‑scope access by an authorized person; inadvertent disclosure between two authorized persons; and situations where the recipient could not reasonably retain the information. In addition, secured PHI (properly encrypted or destroyed) and incidents with a documented low probability of compromise do not require notification. Law enforcement may also require you to delay notices temporarily.
How should covered entities train their workforce on breach policies?
Provide role‑based training that explains how to spot, escalate, and document incidents; practice with tabletop exercises; and reinforce day‑to‑day safeguards like minimum necessary access, encryption, and secure disposal. Track completion, test comprehension, and apply workforce member sanctions consistently to sustain Privacy Rule compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.