Who Covered Entities Must Report HIPAA Breaches To: Requirements Explained



Kevin Henry

HIPAA

January 04, 2025

7 minutes read

This guide explains who covered entities must report HIPAA breaches to and the requirements that apply under the HIPAA Breach Notification Rule. When a breach involves unsecured protected health information (PHI), you must notify the affected individuals, the U.S. Department of Health and Human Services (HHS), and in some cases the media. Meeting these covered entity reporting obligations is central to information privacy compliance and reduces risk after a security incident.

The obligations below apply to most healthcare providers, health plans, and clearinghouses when PHI is compromised. Your actions should be prompt, documented, and aligned with health information disclosure regulations that govern how and when you communicate about a breach.

Breach Notification to Affected Individuals

If a breach of Unsecured Protected Health Information occurs, you must notify each affected individual without unreasonable delay. Use first-class mail to the last known address or email if the person has agreed to electronic notice. Notices should be written in plain language so people can act quickly.

  • What to include: a brief description of the breach (including dates), the types of information involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and how to contact you (toll-free number, email, or postal address).
  • Format and accessibility: offer alternative formats when needed to ensure equitable access, and keep records of all notices sent.
  • Scope: send individual notices even if you also issue media or substitute notices.

Before sending notices, confirm that the incident meets the definition of a reportable breach. Under the HIPAA Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, based on the nature and extent of the PHI involved, who received or used it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.

Reporting to the U.S. Department of Health and Human Services

In addition to notifying individuals, you must report breaches to HHS through the Office for Civil Rights (OCR). The timing depends on the number of people affected across the incident, regardless of where they live.

  • 500 or more individuals: report to HHS without unreasonable delay and no later than 60 calendar days from discovery.
  • Fewer than 500 individuals: log the breach and submit it to HHS within 60 days after the end of the calendar year in which the breach was discovered.

Ensure your submission accurately describes the event, the types of PHI involved, the mitigation steps taken, and the dates on which each notice was issued. Keep supporting documentation in your compliance files.

Media Notification Requirements

If a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area. This media notice must be issued without unreasonable delay and no later than 60 calendar days from discovery.

  • Content: provide the same core elements as the individual notice and clear contact information for questions.
  • Purpose: media notification broadens reach when many people may be affected and reinforces transparency in health information disclosure regulations.

Timelines for Breach Reporting

Timeframes are strict and measured in calendar days from the date of discovery (or when you should have known of the breach using reasonable diligence). Do not wait for day 60 if earlier notice is feasible.

  • Individuals: without unreasonable delay, and in all cases no later than 60 days after discovery.
  • HHS (500+): without unreasonable delay, and no later than 60 days after discovery.
  • HHS (< 500): on an annual basis, within 60 days after the end of the calendar year.
  • Media (500+ residents in a state/jurisdiction): without unreasonable delay, and no later than 60 days after discovery.

Document your decision-making and the dates notices were sent. Meticulous records support information privacy compliance and demonstrate adherence to the HIPAA Breach Notification Rule.


Substitution Notice Procedures

When you lack current contact information for some individuals, follow these substitute notice requirements.

  • Fewer than 10 individuals with insufficient contact data: use an alternative method such as telephone, another written form, or email where available.
  • 10 or more individuals: provide substitute notice by a conspicuous posting on your website home page or by notice through major print or broadcast media in areas where affected individuals likely reside. Keep the web notice active for at least 90 days and include a toll-free number active for the same period so people can determine whether they were affected.

Substitute notice supplements, but does not replace, direct notice to anyone whose contact information is valid.

Role of Business Associates in Reporting

Business associates that discover a breach of Unsecured Protected Health Information must notify the covered entity without unreasonable delay and no later than 60 days from discovery. They should identify each affected individual (if known) and provide any information the covered entity needs to deliver timely notices.

Business associate agreements may delegate who sends individual, HHS, or media notices, but they cannot dilute regulatory duties. Ultimately, the covered entity remains responsible for ensuring that every required notification is made within the breach notification timelines.

The rule applies to breaches of Unsecured Protected Health Information; if PHI is properly encrypted or otherwise secured per HHS guidance, notification is generally not required. There are limited exceptions (for example, certain unintentional or intra-organization disclosures that are promptly remedied and do not result in further use or disclosure), but you must document any determination not to notify.

To align with health information disclosure regulations, maintain written policies, train your workforce, conduct and document risk assessments, and retain proof of all notices and submissions. Also evaluate applicable state laws that may impose shorter deadlines or additional content requirements, and harmonize them with federal obligations.

  • Practical compliance steps: confirm scope and discovery date, start your risk assessment, prepare plain-language notices, activate a call center if needed, submit to HHS on time, and review root causes to strengthen safeguards.

Bottom line: when a breach is discovered, you must notify affected individuals, HHS, and—if 500 or more residents of a state or jurisdiction are involved—the media. Acting quickly, documenting decisions, and following the HIPAA Breach Notification Rule are essential to sustained information privacy compliance.

FAQs

Who qualifies as a covered entity under HIPAA?

Covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions (such as billing or eligibility checks). While business associates are not covered entities, they have direct obligations and must support covered entities in breach response.

What are the timeframes for notifying individuals about a breach?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Deliver notice sooner when feasible, and keep evidence of when you discovered the incident and when notices were issued.

When must a breach be reported to HHS?

For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting fewer than 500 individuals, log them and report to HHS within 60 days after the end of the calendar year in which they were discovered.

What constitutes an acceptable substitute notice?

If you lack current contact details for fewer than 10 people, use another reasonable method such as phone. If 10 or more individuals are unreachable, post a conspicuous website notice or use major print or broadcast media in the relevant area for at least 90 days, and provide a toll-free number active for the same period so individuals can verify whether they were affected.
