Who Receives HIPAA Breach Notices? OCR, Individuals, Media Requirements Explained


Kevin Henry

HIPAA

January 05, 2025


When a breach of unsecured Protected Health Information occurs, the HIPAA Breach Notification Rule specifies exactly who must be notified and how. You may need to notify affected individuals, prominent media outlets, and the Secretary of Health and Human Services through the HHS Office for Civil Rights (OCR), each on a defined notification timeline. The details below explain each obligation so you can act quickly and correctly.

Individual Notice Requirements

You must provide written notice to every individual whose unsecured PHI was compromised. Send notice without unreasonable delay and no later than 60 calendar days after discovery of the breach. “Discovery” occurs when you know, or reasonably should know, that a breach happened.

Delivery methods

  • First-class mail to the individual’s last known address.
  • Email is permitted if the individual has agreed to electronic notice.
  • For minors or incapacitated persons, notify the personal representative; for deceased individuals, notify the next of kin or personal representative.
  • If there is an urgent need to mitigate imminent misuse, you may also use telephone or other rapid means in addition to the written notice.

Individual notices are mandatory even when you also must notify media or OCR. Each notice must be written in plain language and free of unnecessary technical jargon.

Media Notice Obligations

If a single breach affects more than 500 residents of a state or jurisdiction, you must notify prominent media outlets that serve that area. This notice must be provided without unreasonable delay and no later than 60 calendar days after discovery. Media notice supplements, and does not replace, individual notices.

Scope and practical tips

  • The 500-resident threshold applies per state or jurisdiction. If a breach affects 600 people spread across several states but fewer than 500 in any one state, media notice is not triggered.
  • Use a press release or similar public statement that contains all required content elements, but do not disclose additional PHI.

Notice to the Secretary of HHS

All reportable breaches of unsecured PHI must be reported to the Secretary of Health and Human Services via OCR.

  • Breaches involving 500 or more individuals: report without unreasonable delay and no later than 60 calendar days from discovery.
  • Breaches involving fewer than 500 individuals: log the incident and submit the report no later than 60 days after the end of the calendar year in which the breach occurred (for example, by March 1 of the following year).

OCR uses these reports for oversight and posts certain large breaches on its public breach portal.

Business Associate Breach Notification

Business Associates must notify the Covered Entity when they discover a breach of unsecured PHI. Under the Breach Notification Rule and your Business Associate Agreement, this notice must be provided without unreasonable delay and no later than 60 calendar days after discovery, with many BAAs requiring shorter contractual time frames.

What the Business Associate must provide

  • Identification of each affected individual, to the extent possible.
  • A description of what happened, including the date of the breach and discovery.
  • The types of PHI involved (for example, names, Social Security numbers, diagnoses).
  • Any steps individuals should take to protect themselves.
  • Information the Covered Entity needs to meet its own notification obligations.

The Covered Entity is ultimately responsible for ensuring required notices go out, though a Business Associate may be designated in the Business Associate Agreement to issue notices on the Covered Entity’s behalf.


Substitute Notice Procedures

If you lack sufficient or up-to-date contact information for some affected individuals, you must use substitute notice.

  • Fewer than 10 individuals: use an alternative method such as telephone, email (if available), or another means reasonably calculated to reach the individual.
  • 10 or more individuals: either (a) a conspicuous posting on your website homepage for at least 90 days, or (b) notice in major print or broadcast media in areas where affected individuals likely reside.

All substitute notices must include a toll-free number active for at least 90 days so individuals can determine whether their information was involved. Do not include PHI in the notice itself.

Timing of Breach Notifications

The notification timeline centers on discovery of the breach.

  • Individuals: without unreasonable delay, no later than 60 calendar days after discovery.
  • Media (if required): without unreasonable delay, no later than 60 calendar days after discovery.
  • Secretary of HHS (OCR): no later than 60 calendar days after discovery for breaches affecting 500 or more individuals; no later than 60 days after the end of the calendar year in which the breach occurred for breaches affecting fewer than 500.
  • Business Associate to Covered Entity: without unreasonable delay, no later than 60 days after discovery (or a shorter period if your Business Associate Agreement requires it). Your 60-day clock to notify individuals generally starts when you discover the breach, which typically is the date you are notified by the Business Associate.

Law enforcement delay

You must delay notifications if a law enforcement official states that notice would impede a criminal investigation or cause damage to national security. If the statement is written, delay for the specified time; if oral, document the statement and delay for up to 30 days unless a written statement extending the delay is provided during that period.

Content Requirements for Notifications

Every notification—whether to individuals, media, or OCR—must include specific elements. Use clear, plain language.

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • A description of the types of unsecured PHI involved (for example, full name, address, birth date, account numbers, diagnoses).
  • Steps affected individuals should take to protect themselves (such as monitoring accounts, placing fraud alerts, password changes, or credit freezes).
  • A description of what you are doing to investigate the breach, mitigate harm, and prevent future incidents (for example, enhanced monitoring, workforce retraining, encryption, or access controls).
  • Contact procedures for questions or additional information, including a toll-free number, email address or website, and postal address.

These content rules apply only to breaches of unsecured PHI. If PHI was rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, via strong encryption), breach notification is generally not required.

Summary

In short, the Breach Notification Rule requires timely, plain-language notices to affected individuals, OCR, and—when the 500-resident threshold is met—prominent media outlets. Follow the defined notification timeline, use substitute notice when contact information is insufficient, and ensure each notice contains all required elements to remain compliant.

FAQs

Who must covered entities notify in the event of a HIPAA breach?

You must notify all affected individuals, report the breach to the Secretary of Health and Human Services through OCR, and notify prominent media outlets if more than 500 residents of a state or jurisdiction are affected. These obligations apply to breaches of unsecured PHI under the Breach Notification Rule.

When is media notification required for a HIPAA breach?

Media notification is required when a single breach affects more than 500 residents of a state or jurisdiction. It must be issued without unreasonable delay and no later than 60 calendar days after discovery, and it supplements individual notices rather than replacing them.

What information must be included in a HIPAA breach notification?

Each notification must include: what happened (including breach and discovery dates), what types of PHI were involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate the breach, and how to contact you for more information. The notice should be written in plain language.

How soon must breaches be reported to the HHS Secretary?

For breaches involving 500 or more individuals, report to OCR without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting fewer than 500 individuals, maintain a log and submit it to OCR within 60 days after the end of the calendar year in which the breaches occurred.
