Who Must Covered Entities Report HIPAA Breaches To? A Practical Checklist


Kevin Henry

HIPAA

January 05, 2025


Notification to Affected Individuals

Who must be notified

If a breach of unsecured Protected Health Information (PHI) occurs, the HIPAA Breach Notification Rule requires you to notify every affected individual whose PHI was compromised. This applies to covered entities such as health plans, most health care providers, and health care clearinghouses.

What the notice must include

  • A clear description of what happened, including the date of the breach and the date of discovery (if known).
  • The types of PHI involved (for example, name, Social Security number, diagnoses, treatment information, or account details).
  • Steps individuals should take to protect themselves (credit monitoring, password changes, fraud alerts).
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • Contact information, including a toll‑free number, email, or postal address for questions.

How and when to send notices

  • Delivery: Send written notice by first‑class mail to the individual’s last known address. You may use email if the individual agreed to receive notices electronically.
  • Timing: Provide notice without unreasonable delay and no later than 60 calendar days after discovery of the breach.
  • Substitute notice: If contact information is insufficient for fewer than 10 people, use an alternative method (e.g., phone). If 10 or more are unreachable, post a conspicuous website notice or notify major media and maintain a toll‑free number for at least 90 days.
  • Special cases: If law enforcement determines notice would impede an investigation, delay notification for the time specified by the official.

Practical checklist

  • Confirm the incident involves unsecured PHI and meets the definition of a reportable breach.
  • Compile an accurate list of affected individuals and addresses.
  • Draft notices that meet Breach Reporting Requirements; prepare translated versions where appropriate.
  • Set up call center FAQs and identity‑protection options, if warranted by the risk.
  • Document all decisions, Incident Reporting Timelines, and mail/email proofs.

Reporting to HHS Secretary

Who you report to and how

Covered entities must report HIPAA breaches to the HHS Secretary through the HHS Office for Civil Rights (OCR). Use the online breach reporting portal to submit required details, including your risk assessment, number of individuals affected, and mitigation steps.

Thresholds and timing

  • Breaches affecting 500 or more individuals: Report to the HHS Secretary without unreasonable delay and no later than 60 calendar days after discovery.
  • Breaches affecting fewer than 500 individuals: Log each breach and submit a consolidated report to the HHS Secretary within 60 days after the end of the calendar year in which the breaches were discovered.

Business associates

Business associates must notify the covered entity of any breach of unsecured PHI they handle on its behalf, without unreasonable delay and no later than 60 days after discovery. They must provide, to the extent possible, the identities of affected individuals and the information needed for the covered entity’s notifications.

Practical checklist

  • Determine the total number of affected individuals to establish the reporting track (≥500 or <500).
  • Prepare a concise incident summary, risk assessment, mitigation actions, and security improvements.
  • Submit via OCR’s portal and retain submission confirmations and supporting documentation.

Media Notification Requirements

When media notice is required

You must notify prominent media outlets when a breach involves more than 500 residents of a single state or jurisdiction. This requirement is in addition to notifying affected individuals and the HHS Secretary.

Content, method, and timing

  • Method: Issue a press release or formal statement to major print, broadcast, or digital outlets serving the affected area.
  • Content: Provide the same core elements as the individual notice, written in clear, consumer‑friendly language.
  • Timing: Without unreasonable delay and no later than 60 calendar days after discovery.

Practical checklist

  • Confirm the residency count exceeds 500 in a single state or jurisdiction.
  • Align messaging with individual notices; avoid disclosing more PHI than necessary.
  • Track publication dates and copies of the media notice for your compliance file.

Compliance with Breach Notification Rule

Determining whether an incident is a breach

Under the HIPAA Breach Notification Rule, a breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule. Such an impermissible use or disclosure is presumed to be a breach unless your risk assessment demonstrates a low probability that the PHI has been compromised. Perform the four‑factor risk assessment: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used or received the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.

Exceptions and safe harbor

  • Unintentional access by a workforce member in good faith within scope of authority, without further disclosure.
  • Inadvertent disclosure between authorized persons within the same entity, without further disclosure.
  • Information a recipient could not reasonably retain.
  • Safe harbor: If PHI was secured (e.g., encrypted to HHS guidance or properly destroyed), breach notification is generally not required.

Coordinating federal and state requirements

State-Specific Notification Laws may require additional notices (for example, to state attorneys general or regulators) and often impose shorter timelines (some as short as 30 days). You must comply with both HIPAA and applicable state breach laws; follow the more stringent provisions.

Practical checklist

  • Complete and document a four‑factor risk assessment for every incident.
  • Consult counsel or compliance to map State-Specific Notification Laws triggered by the facts.
  • Apply minimum necessary disclosures in all notices and preserve privilege where appropriate.
  • Centralize records of risk assessments, notifications, and remediation steps.

Timing and Deadlines for Reporting

Key Incident Reporting Timelines

  • Start of clock: “Discovery” occurs on the first day the breach is known—or by reasonable diligence would have been known—to your organization or business associate.
  • Individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS Secretary (≥500 individuals): Without unreasonable delay, no later than 60 days after discovery.
  • HHS Secretary (<500 individuals): Report annually within 60 days after the end of the calendar year.
  • Media (≥500 state/jurisdiction residents): Without unreasonable delay, no later than 60 days after discovery.
  • State-Specific Notification Laws: Check for shorter deadlines; build a parallel state timeline.
  • Law enforcement delay: Document the official’s request and update your schedule accordingly.
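The timelines above are a small set of rules that an incident responder has to apply under pressure, so here is an added example (not code from the article or from Accountable) that turns them into a deadline calculator. It assumes the thresholds and windows exactly as stated above: 60 calendar days from discovery for individuals, HHS (500 or more individuals) and media (more than 500 residents of one state or jurisdiction), and 60 days after the end of the calendar year for the small-breach log. Two simplifications are assumptions of the example, not rules from the page: a law‑enforcement delay is modelled as shifting the 60‑day clocks by the specified number of days without touching the annual log deadline, and state‑specific deadlines are not modelled at all. The sample incident in `main` is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and windows as stated in the article (HIPAA Breach Notification Rule).
HHS_PROMPT_REPORT_MIN = 500      # 500 or more individuals -> HHS within 60 days of discovery
MEDIA_RESIDENTS_MORE_THAN = 500  # more than 500 residents of one state/jurisdiction -> media
NOTICE_WINDOW = timedelta(days=60)
ANNUAL_REPORT_WINDOW = timedelta(days=60)  # after the end of the calendar year of discovery


@dataclass
class Incident:
    """Facts an incident responder establishes once a reportable breach is confirmed."""
    discovery: date                      # first day the breach was known (or should have been)
    affected_total: int                  # all individuals whose unsecured PHI was compromised
    residents_by_jurisdiction: Dict[str, int] = field(default_factory=dict)
    # Days of delay specified by a law-enforcement official, if any. Assumption of this
    # example: the delay shifts the 60-day clocks but not the annual HHS log deadline.
    law_enforcement_delay_days: int = 0


@dataclass
class NotificationPlan:
    individuals_by: date
    hhs_by: date
    hhs_track: str                       # "prompt" (>=500 individuals) or "annual" (<500)
    media_by: Optional[date]
    media_jurisdictions: List[str]


def annual_hhs_deadline(discovery: date) -> date:
    """Small-breach log is due 60 days after the end of the calendar year of discovery."""
    return date(discovery.year, 12, 31) + ANNUAL_REPORT_WINDOW


def build_plan(inc: Incident) -> NotificationPlan:
    # Sanity checks: a bad head-count silently produces wrong deadlines, so fail loudly.
    if inc.affected_total < 1:
        raise ValueError("a reportable breach affects at least one individual")
    if sum(inc.residents_by_jurisdiction.values()) > inc.affected_total:
        raise ValueError("per-jurisdiction resident counts exceed the total affected")
    if inc.law_enforcement_delay_days < 0:
        raise ValueError("law-enforcement delay cannot be negative")

    clock_start = inc.discovery + timedelta(days=inc.law_enforcement_delay_days)
    prompt_deadline = clock_start + NOTICE_WINDOW  # "no later than 60 calendar days"

    if inc.affected_total >= HHS_PROMPT_REPORT_MIN:
        hhs_by, track = prompt_deadline, "prompt"
    else:
        hhs_by, track = annual_hhs_deadline(inc.discovery), "annual"

    # Media notice is per jurisdiction and uses a strict "more than 500" test,
    # so exactly 500 residents in one state triggers HHS reporting but not media.
    media = sorted(j for j, n in inc.residents_by_jurisdiction.items()
                   if n > MEDIA_RESIDENTS_MORE_THAN)

    return NotificationPlan(
        individuals_by=prompt_deadline,
        hhs_by=hhs_by,
        hhs_track=track,
        media_by=prompt_deadline if media else None,
        media_jurisdictions=media,
    )


def plan_for(discovery_iso: str, affected_total: int,
             residents: Optional[Dict[str, int]] = None,
             law_enforcement_delay_days: int = 0) -> NotificationPlan:
    """Convenience wrapper taking an ISO date string (e.g. "2024-03-15")."""
    return build_plan(Incident(date.fromisoformat(discovery_iso), affected_total,
                               residents or {}, law_enforcement_delay_days))


def describe(plan: NotificationPlan) -> List[str]:
    lines = [f"Affected individuals: notify by {plan.individuals_by.isoformat()}",
             f"HHS Secretary ({plan.hhs_track} track): by {plan.hhs_by.isoformat()}"]
    if plan.media_by:
        lines.append(f"Media in {', '.join(plan.media_jurisdictions)}: "
                     f"by {plan.media_by.isoformat()}")
    else:
        lines.append("Media: not required (no jurisdiction with more than 500 residents)")
    return lines


if __name__ == "__main__":
    # Constructed sample incident, not a real case.
    for line in describe(plan_for("2024-03-15", 1200, {"CA": 700, "NV": 400, "OR": 100})):
        print(line)
```

Run it as a script to see the three deadlines for the constructed sample; in practice you would feed it the head‑count from your list of affected individuals and then overlay the state timeline separately, since state laws can be shorter and are not represented here.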

Practical checklist

  • Create a day‑by‑day project plan from discovery to final notice, including drafting, QA, and mailing.
  • Use certified mail or other trackable methods where appropriate; retain proofs and bounce reports.
  • Record every date and decision to demonstrate compliance with Breach Reporting Requirements.

Penalties for Non-Compliance

What’s at stake

OCR can impose tiered civil money penalties per violation, with caps that can reach into the millions in a calendar year for identical provisions. Penalties scale with culpability—ranging from lack of knowledge to willful neglect not corrected—and are adjusted annually for inflation. Violations can also result in corrective action plans, audits, and reputation damage.

Additional exposure

  • State enforcement under consumer protection and privacy laws.
  • Contractual liability under business associate agreements and indemnity clauses.
  • Potential criminal liability for certain knowing, wrongful disclosures of PHI.

Practical checklist

  • Document good‑faith efforts, reasonable diligence, and timely responses to reduce enforcement risk.
  • Close corrective actions quickly and verify remediation was effective.
  • Maintain evidence of training, risk analyses, and technical safeguards.

Steps to Prepare for Breach Reporting

Build a readiness program

  • Assign leadership: Name a Privacy Officer and Security Officer with clear decision rights.
  • Map data: Maintain a system inventory showing where Protected Health Information resides and flows.
  • Vendor management: Ensure business associate agreements are current and include notification commitments.
  • Templates: Pre‑approve individual, media, and HHS notifications; keep translations ready.
  • Contact lists: Maintain up‑to‑date HHS OCR portal credentials and media/state regulator contacts.
  • Playbooks: Document step‑by‑step Breach Reporting Requirements and escalation paths.
  • Tabletop exercises: Rehearse scenarios at least annually; time each task to validate Incident Reporting Timelines.
  • Technical safeguards: Encrypt PHI at rest and in transit to leverage safe harbor; monitor and log access.
  • Post‑incident review: Capture root causes and implement preventive controls.

Conclusion

In short, covered entities must notify affected individuals, the HHS Secretary through the HHS Office for Civil Rights, and—when the threshold is met—prominent media outlets. Act promptly, follow the HIPAA Breach Notification Rule, reconcile State-Specific Notification Laws, and document every step. Preparedness turns a chaotic response into a predictable, compliant process.

FAQs

Who qualifies as a covered entity under HIPAA?

Covered entities include health plans, most health care providers that transmit health information electronically (such as hospitals, physicians, clinics, and pharmacies), and health care clearinghouses. These organizations—and their business associates—must safeguard PHI and follow the HIPAA Breach Notification Rule when unsecured PHI is compromised.

What is the deadline for notifying affected individuals of a breach?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered. Start counting from the day the incident is known—or by reasonable diligence would have been known—to your organization or business associate.

When must breaches be reported to the HHS Secretary?

For breaches involving 500 or more individuals, report to the HHS Secretary via OCR without unreasonable delay and within 60 days of discovery. For fewer than 500 individuals, log the breach and submit an annual report to HHS within 60 days after the end of the calendar year in which the breach was discovered.

Are media notifications required for all HIPAA breaches?

No. Media notification is required only when a breach involves more than 500 residents of a single state or jurisdiction. In those cases, you must notify prominent media outlets without unreasonable delay and no later than 60 days after discovery, in addition to notifying individuals and the HHS Secretary.
