Which Federal Agency Enforces the HIPAA Breach Notification Rule? HHS OCR
The federal agency that enforces the HIPAA Breach Notification Rule is the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). If you experience a data breach involving protected health information (PHI), OCR enforcement is the primary federal mechanism that ensures proper HIPAA breach notification and remediation.
This article explains how the rule works, what HHS OCR does, what covered entities and business associates must do, and the timelines and criteria you need to meet when notifying affected individuals and the HHS Secretary.
Overview of HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires you to provide data breach notification following a breach of unsecured protected health information. “Unsecured” generally means PHI that is not rendered unusable or unreadable through strong encryption or similar safeguards.
A breach is presumed when PHI is acquired, accessed, used, or disclosed in a manner not permitted by HIPAA, unless you can demonstrate through a documented risk assessment that there is a low probability the PHI has been compromised. This assessment considers the nature and extent of PHI involved, the unauthorized person who received it, whether the PHI was actually viewed, and the extent of mitigation.
Role of HHS Office for Civil Rights
HHS OCR enforces the Privacy, Security, and Breach Notification Rules. OCR investigates complaints and breach reports, conducts compliance reviews and audits, issues guidance, and takes enforcement actions when organizations fail to meet requirements.
OCR also administers the breach reporting portal on behalf of the HHS Secretary for public listing of breaches affecting 500 or more individuals. Through OCR enforcement, the agency drives corrective action, monitors compliance, and applies civil monetary penalties when warranted.
Responsibilities of Covered Entities
If you are a covered entity (health plan, health care provider, or health care clearinghouse), you must establish and maintain a breach response program that ensures timely and accurate notifications and safeguards PHI.
- Execute business associate agreements and oversee business associates handling PHI.
- Maintain written incident response and HIPAA breach notification policies and procedures.
- Train your workforce, apply sanctions when appropriate, and retain documentation.
- Conduct prompt risk assessments to determine if notification is required.
- Mitigate harmful effects (for example, retrieving PHI or obtaining assurances of deletion).
- Log all breaches and report them to the HHS Secretary as required.
Notification Requirements
Who must be notified
- Affected individuals: Each person whose unsecured PHI was breached.
- HHS Secretary: Report all breaches through the HHS process; timing depends on size.
- Media: For breaches affecting 500 or more residents of a state or jurisdiction.
- Covered entity: Business associates must notify the covered entity of breaches they discover.
How to deliver notice
- Written notice by first-class mail, or by email if the individual has agreed to electronic notice.
- Substitute notice when contact information is insufficient or outdated:
  - For fewer than 10 individuals: alternative methods such as telephone or other written notice.
  - For 10 or more individuals: a conspicuous website posting or major print/broadcast media in affected areas, plus a toll-free number active for at least 90 days.
What the notice must include
- A brief description of what happened, including the date of the breach and the date of discovery.
- The types of PHI involved (for example, names, addresses, Social Security numbers, diagnoses).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent future incidents.
- How to contact you for more information (toll-free number, email, postal address, or website).
Enforcement Procedures by OCR
OCR uses a structured process to evaluate and enforce compliance after a report or complaint. You can expect the following sequence, depending on the facts:
- Intake and triage: OCR reviews the breach or complaint to determine jurisdiction and potential violations.
- Data request: OCR requests policies, risk assessments, logs, and incident details, including whether notifications were timely and complete.
- Investigation or compliance review: OCR analyzes technical and administrative safeguards, breach response, and past compliance history; it may conduct desk or onsite reviews.
- Findings and resolution: Outcomes can include technical assistance, voluntary corrective action, or a resolution agreement with a corrective action plan and monitoring.
- Civil money penalties: If violations involve willful neglect or remain uncorrected, OCR may impose penalties. In egregious cases, OCR can refer matters for criminal investigation.
Timeliness of HIPAA breach notification, adequacy of risk assessment, and the effectiveness of safeguards are central factors in OCR enforcement.
Penalties for Non-Compliance
HIPAA establishes tiered civil monetary penalties based on the level of culpability, ranging from lack of knowledge to willful neglect that is not corrected. Penalty amounts are adjusted annually for inflation and can accumulate per violation, with annual caps that vary by tier.
When determining penalty amounts or settlement terms, OCR considers factors such as the number of individuals affected, the sensitivity of PHI, the duration of the violation, harm caused, your history of compliance, timely correction, and financial condition. Prompt mitigation and cooperation can significantly reduce enforcement risk.
Reporting Timelines and Criteria
Timelines
- Individuals: Notify without unreasonable delay and no later than 60 calendar days after discovery.
- HHS Secretary:
  - Breaches affecting 500 or more individuals: report without unreasonable delay and no later than 60 calendar days after discovery.
  - Breaches affecting fewer than 500 individuals: log and report to the HHS Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.
- Media: For 500+ residents in a state or jurisdiction, notify prominent media outlets without unreasonable delay and within 60 calendar days.
- Business associates to covered entities: Notify without unreasonable delay and no later than 60 calendar days from discovery, identifying affected individuals to the extent possible.
Discovery, delay, and exceptions
- Discovery occurs on the first day the breach is known to you (or would have been known with reasonable diligence), including by any workforce member or agent.
- Law enforcement delay is permitted if an authorized official determines that notification would impede a criminal investigation or threaten national security.
- Exceptions to “breach” include certain unintentional or inadvertent disclosures made in good faith within the scope of authority, and disclosures where you can reasonably conclude the recipient could not retain the information.
Documentation essentials
- Maintain policies, risk assessments, notifications, and breach logs; retain documentation as required by HIPAA.
- Ensure business associate agreements clearly allocate breach reporting duties and timeframes.
Conclusion
HHS OCR is the federal agency responsible for enforcing the HIPAA Breach Notification Rule. By conducting thorough risk assessments, notifying affected individuals, the HHS Secretary, and—when required—the media on time, and by maintaining strong safeguards and documentation, you can meet data breach notification obligations and reduce enforcement risk.
FAQs
Who must comply with the HIPAA Breach Notification Rule?
Covered entities—health plans, most health care providers, and health care clearinghouses—and their business associates must comply when unsecured protected health information is breached. Business associates must notify the covered entity, which in turn must notify individuals, the HHS Secretary, and the media when applicable.
What is the timeline for breach notification?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must also be reported to the HHS Secretary within 60 days; smaller breaches are reported to the HHS Secretary no later than 60 days after the end of the calendar year. Media notice is required within the same timeframe when 500+ residents of a state or jurisdiction are affected.
How does OCR investigate reported breaches?
OCR triages the report, requests documentation, and conducts an investigation or compliance review to assess safeguards, risk assessment quality, and notification timeliness. It may resolve issues with technical assistance or a corrective action plan, or impose civil money penalties in cases of significant noncompliance.