Reporting HIPAA Breaches: Requirements, Timelines, and Process (2026)

Federal law requires covered entities and their business associates to follow a specific process when a breach of unsecured protected health information occurs. The HIPAA Breach Notification Rule, codified at 45 CFR 164.400 through 164.414, establishes who must be notified, what information the notification must contain, and how quickly it must happen.
Getting breach notification wrong carries real consequences. In 2024 alone, the HHS Office for Civil Rights (OCR) completed 22 enforcement actions and collected over $9.9 million in settlements and civil money penalties. The Change Healthcare breach, disclosed in 2024 and affecting approximately 190 million individuals, demonstrated how a single incident can trigger massive regulatory and public scrutiny.
This article covers the full breach notification process: from determining whether an incident qualifies as a breach, through each required notification, to the penalties for failing to comply.
What Counts as a Breach Under HIPAA
Under 45 CFR 164.402, a breach is the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.
That definition is intentionally broad. Any time PHI is handled in a way the Privacy Rule does not allow, the incident is presumed to be a breach unless the covered entity or business associate can demonstrate otherwise through a risk assessment.
The rule applies only to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. If PHI has been encrypted using methods specified by the HHS Secretary or destroyed in accordance with NIST guidelines, it is considered secured, and the breach notification requirements do not apply.
The Four-Factor Risk Assessment
When an impermissible use or disclosure occurs, the covered entity or business associate must conduct a risk assessment to determine whether the incident rises to the level of a reportable breach. Under 45 CFR 164.402(2), this assessment considers at least four factors:
- Nature and extent of the PHI involved. What types of identifiers were exposed? Names alone carry different risk than Social Security numbers, diagnoses, or financial information. The assessment also considers the likelihood of re-identification if the data was de-identified.
- The unauthorized person who received or accessed the PHI. Was the recipient another covered entity with its own HIPAA obligations, or was it an unknown third party? The identity of the recipient directly affects the probability that PHI will be misused.
- Whether the PHI was actually acquired or viewed. A misdirected fax that was intercepted and returned unopened presents different risk than one that was read. Evidence that PHI was never actually accessed can support a finding of low compromise probability.
- The extent to which risk has been mitigated. Steps taken after the incident matter. If the covered entity obtained assurances from the recipient that the information was destroyed, or if forensic evidence shows no data exfiltration, those facts weigh against finding a reportable breach.
The burden of proof falls on the covered entity or business associate. Under 45 CFR 164.414(b), the entity must demonstrate that all required notifications were provided or that an impermissible use or disclosure did not constitute a breach. Maintaining documentation of the risk assessment is essential.
Three Exceptions to the Breach Definition
Not every impermissible use or disclosure qualifies as a breach. Section 164.402(1) carves out three narrow exceptions:
Exception 1: Unintentional workforce access. An employee or other person acting under the covered entity's or business associate's authority unintentionally acquires, accesses, or uses PHI, as long as the access was made in good faith, within the scope of authority, and does not result in further impermissible use or disclosure.
Exception 2: Inadvertent disclosure between authorized persons. A person authorized to access PHI at a covered entity, business associate, or organized health care arrangement inadvertently discloses PHI to another person authorized to access PHI at the same entity or arrangement. Again, no further impermissible use or disclosure can result.
Exception 3: Good faith belief of non-retention. A disclosure occurs to an unauthorized person, but the covered entity or business associate has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the information. For example, a provider briefly displays a patient's chart to the wrong visitor, but the visitor could not have memorized or recorded the clinical details.
These exceptions are narrow. If an incident does not fit squarely within one of them, and the four-factor risk assessment does not demonstrate a low probability of compromise, the covered entity must treat the incident as a reportable breach.
Individual Notification Requirements
Under 45 CFR 164.404, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach.
Timeline
Notification must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Discovery occurs on the first day the breach is known, or would have been known through the exercise of reasonable diligence, to any employee, officer, or agent of the covered entity.
This 60-day window is a hard deadline, not a target. OCR has imposed penalties specifically for late notification, even when the covered entity eventually notified affected individuals.
Content of Individual Notice
The notification must be written in plain language and include, to the extent possible:
- A brief description of what happened, including the date of the breach and the date of discovery
- A description of the types of unsecured PHI involved (such as full name, Social Security number, date of birth, diagnosis, or treatment information)
- Steps individuals can take to protect themselves from potential harm
- A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent future incidents
- Contact procedures, including a toll-free telephone number, email address, website, or mailing address
Methods of Delivery
The primary method is first-class mail to the individual's last known address. If the individual has agreed to receive electronic notices, the covered entity may send the notification by email instead.
For deceased individuals, the covered entity must send written notice to the next of kin or personal representative if their contact information is available.
Substitute Notice
When contact information is insufficient or out of date:
- Fewer than 10 individuals: The covered entity may use an alternative form of written notice, telephone, or other means.
- 10 or more individuals: The covered entity must post a conspicuous notice on its website for at least 90 days or provide the notice through major print or broadcast media in the affected geographic area. Either option must include a toll-free phone number that remains active for at least 90 days.
Urgent Situations
When there is reason to believe that PHI misuse is imminent, covered entities may supplement written notice with telephone calls or other urgent outreach. This additional contact does not replace the written notification requirement.
Notification to HHS (The Breach Portal)
Under 45 CFR 164.408, covered entities must also notify the Secretary of Health and Human Services of every breach of unsecured PHI. The timeline and method depend on the size of the breach.
Breaches Affecting 500 or More Individuals
For breaches involving 500 or more individuals, the covered entity must notify HHS contemporaneously with the individual notification, meaning within 60 days of discovery. The notification is submitted through the HHS Breach Portal.
Breach reports involving 500 or more individuals are posted publicly on the HHS website, in a database often called the "Wall of Shame." The listing includes the name of the covered entity, the number of individuals affected, the type of breach, the location of the breached information, and a summary of the incident.
OCR investigates every breach reported through the portal that affects 500 or more individuals.
Breaches Affecting Fewer Than 500 Individuals
Smaller breaches do not require immediate notification to HHS. Instead, covered entities must maintain a log of these breaches and submit them to the Secretary within 60 days of the end of the calendar year in which they were discovered. This annual reporting is also done through the Breach Portal.
Media Notification
Under 45 CFR 164.406, when a breach affects more than 500 residents of a single state or jurisdiction, the covered entity must notify prominent media outlets serving that state or jurisdiction.
The media notification must occur without unreasonable delay and no later than 60 calendar days after discovery of the breach. The content requirements mirror those for individual notification under 45 CFR 164.404(c): what happened, what information was involved, what individuals can do to protect themselves, what the entity is doing about it, and how to get more information.
This requirement applies on a per-state basis. A breach affecting 400 individuals in one state and 200 in another would not trigger media notification for either state, even though the total exceeds 500. A breach affecting more than 500 individuals all in the same state would trigger the media notification obligation for that state.
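As an added illustration (not code from the article or from HHS), the following Python helper derives which notices are owed and their federal outer deadlines from a discovery date and a per-state headcount, using the thresholds described in the sections above; the state codes and counts are constructed sample values.

```python
from datetime import date, timedelta

# Thresholds and outer limits as described in 45 CFR 164.404, 164.406 and 164.408.
NOTIFY_WINDOW_DAYS = 60        # "no later than 60 calendar days after discovery"
HHS_CONTEMPORANEOUS_MIN = 500  # 164.408: 500 or more -> report with individual notice
MEDIA_PER_STATE_MIN = 501      # 164.406: "more than 500" residents of one state
SUBSTITUTE_WEB_MIN = 10        # 164.404: 10 or more with insufficient contact info


def notification_plan(discovered_iso: str, affected_by_state: dict, unreachable: int = 0) -> dict:
    """Return the notices owed and their federal deadlines (ISO dates).

    discovered_iso    -- first day the breach was known or reasonably knowable
    affected_by_state -- state code -> number of affected residents
    unreachable       -- individuals whose contact information is missing or stale

    Deadlines here are the federal ceiling only; a stricter business associate
    agreement or state breach law may require earlier notice.
    """
    discovered = date.fromisoformat(discovered_iso)
    total = sum(affected_by_state.values())
    outer_deadline = discovered + timedelta(days=NOTIFY_WINDOW_DAYS)

    if total >= HHS_CONTEMPORANEOUS_MIN:
        hhs_mode, hhs_deadline = "portal_contemporaneous", outer_deadline
    else:
        # Annual log: within 60 days of the end of the calendar year of discovery.
        year_end = date(discovered.year, 12, 31)
        hhs_mode, hhs_deadline = "portal_annual_log", year_end + timedelta(days=60)

    # Media notice is evaluated per state, never on the aggregate count.
    media_states = sorted(s for s, n in affected_by_state.items() if n >= MEDIA_PER_STATE_MIN)

    if unreachable >= SUBSTITUTE_WEB_MIN:
        substitute = "website_90_days_or_major_media_with_tollfree_number"
    elif unreachable > 0:
        substitute = "alternative_written_notice_or_telephone"
    else:
        substitute = "none"

    return {
        "total_affected": total,
        "individual_notice_deadline": outer_deadline.isoformat(),
        "hhs_report": hhs_mode,
        "hhs_deadline": hhs_deadline.isoformat(),
        "media_notice_states": media_states,
        "substitute_notice": substitute,
    }


if __name__ == "__main__":
    # Constructed sample: the article's 400-in-one-state / 200-in-another split.
    for key, value in notification_plan("2025-03-10", {"TX": 400, "OK": 200}, unreachable=12).items():
        print(f"{key}: {value}")
```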
Business Associate Notification Obligations
Under 45 CFR 164.410, when a breach occurs at or by a business associate, the business associate must notify the covered entity. The business associate does not directly notify affected individuals, HHS, or the media. Those responsibilities remain with the covered entity.
Timeline
A business associate must provide notice without unreasonable delay and no later than 60 calendar days after discovering the breach. Discovery is defined the same way as for covered entities: the first day the breach is known or should have been known to any employee, officer, or agent of the business associate.
Content of Notice
The business associate must provide:
- Identification of each individual whose unsecured PHI has been or is reasonably believed to have been affected
- Any other available information that the covered entity needs to fulfill its notification obligations under 45 CFR 164.404(c)
Many business associate agreements include breach notification provisions that are stricter than the federal minimum. Contractual deadlines of 24 to 72 hours for initial notice are common. The 60-day federal rule is a ceiling, not a recommended timeframe.
Business associates are directly liable under HIPAA for failing to provide timely breach notification. OCR can and does investigate business associates independently.
State Attorney General Notification and Enforcement
The HITECH Act granted state attorneys general the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. While HIPAA itself is a federal law, this enforcement mechanism means that breaches can trigger both federal and state-level investigations.
Many states also have their own data breach notification laws that may impose additional requirements beyond HIPAA. These state laws often have shorter notification timelines, require notification to the state attorney general, or cover categories of information not addressed by HIPAA. Covered entities operating in multiple states need to track and comply with each applicable state law in addition to the federal HIPAA requirements.
When a state attorney general brings a HIPAA enforcement action, the HITECH Act requires the AG to notify HHS at least 48 hours before filing and to include a copy of the complaint. OCR collaborates with state attorneys general on enforcement.
How to File a HIPAA Complaint
Individuals who believe their health information privacy rights have been violated may file a complaint with the HHS Office for Civil Rights. This process is separate from the breach notification obligations that fall on covered entities.
Filing Methods
- Online: Through the OCR Complaint Portal
- Mail: Send a completed complaint form to Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, DC 20201
- Email: OCRComplaint@hhs.gov
- Phone: (800) 368-1019 (TDD: (800) 537-7697)
Key Requirements
The complaint must include the name, address, and phone number of the entity believed to have violated HIPAA, along with a description of the acts or omissions and when they occurred. Complaints must be filed within 180 days of when the complainant knew or should have known about the alleged violation. OCR may extend this deadline for good cause.
HIPAA and the HITECH Act prohibit retaliation against anyone who files a complaint.
Penalty Tiers for Breach Notification Failures
Failing to comply with the Breach Notification Rule can result in civil monetary penalties under 45 CFR 160.404. Penalties are structured in four tiers based on the level of culpability:
| Tier | Culpability Level | Per Violation | Annual Cap |
|---|---|---|---|
| 1 | Did not know (and could not have known through reasonable diligence) | $100 to $50,000 | $1,500,000 |
| 2 | Reasonable cause (not willful neglect) | $1,000 to $50,000 | $1,500,000 |
| 3 | Willful neglect, corrected within 30 days | $10,000 to $50,000 | $1,500,000 |
| 4 | Willful neglect, not corrected within 30 days | $50,000 minimum | $1,500,000 |
These amounts are adjusted annually for inflation under the Federal Civil Monetary Penalty Inflation Adjustment Act.
Willful neglect is defined under 45 CFR 160.401 as conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA administrative simplification provisions. OCR is required by the HITECH Act to investigate all complaints that indicate possible willful neglect.
Recent Enforcement Examples
OCR's enforcement activity has accelerated in recent years. In 2024, the agency completed 22 enforcement actions (the second-highest total in its history) and collected over $9.9 million in settlements and civil money penalties. Notable actions include:
- Warby Parker (December 2024): $1,500,000 civil money penalty for HIPAA Security Rule violations following a cybersecurity investigation
- Gulf Coast Pain Consultants (December 2024): $1,190,000 penalty for Security Rule violations
- Children's Hospital Colorado (December 2024): $548,265 penalty for Privacy and Security Rule violations
- Providence Medical Institute (October 2024): $240,000 penalty in a ransomware cybersecurity investigation
Criminal penalties are also possible. Under 42 U.S.C. 1320d-6, knowingly obtaining or disclosing PHI in violation of HIPAA can result in fines up to $250,000 and imprisonment of up to 10 years, depending on the nature of the offense.
Compliance Best Practices
Organizations subject to HIPAA can reduce breach notification risk and ensure compliance through several practical steps:
- Maintain a breach response plan. Written policies that assign roles, establish investigation timelines, and pre-draft notification templates allow for faster response when an incident occurs.
- Train workforce members. Employees are often the first to discover a potential breach. Training on what constitutes a reportable incident and who to contact internally speeds up the discovery-to-notification timeline.
- Encrypt PHI at rest and in transit. Properly encrypted data is considered secured under HIPAA, which means the breach notification requirements do not apply even if the data is lost or stolen.
- Document risk assessments. Every incident should be documented, whether or not it is ultimately determined to be a reportable breach. The documentation supports the covered entity's burden of proof under 45 CFR 164.414.
- Review business associate agreements. Ensure that BAAs include breach notification provisions with specific timelines and reporting requirements that meet or exceed federal minimums.
The Broader HIPAA Framework
The Breach Notification Rule is one component of the broader HIPAA regulatory framework. It works alongside the Privacy Rule (which governs permissible uses and disclosures of PHI), the Security Rule (which establishes safeguards for electronic PHI), and the Enforcement Rule (which governs investigations, penalties, and hearings).
Understanding breach notification in isolation is not sufficient. A covered entity that maintains strong privacy and security practices reduces the likelihood of a breach occurring in the first place. When breaches do occur, organizations with established compliance programs are better positioned to respond within the required timelines and demonstrate good faith to regulators.
This article provides legal information, not legal advice. HIPAA breach notification involves complex regulatory requirements that may interact with state laws. Consult an attorney for advice specific to your situation.
Sources and References
- 45 CFR 164.402 - Definitions (Breach) (law.cornell.edu)
- 45 CFR 164.404 - Notification to Individuals (law.cornell.edu)
- 45 CFR 164.406 - Notification to the Media (law.cornell.edu)
- 45 CFR 164.408 - Notification to the Secretary (law.cornell.edu)
- 45 CFR 164.410 - Notification by a Business Associate (law.cornell.edu)
- 45 CFR 160.404 - Amount of a Civil Money Penalty (law.cornell.edu)
- HHS - Breach Notification Rule Overview (hhs.gov)
- HHS - Submitting Notice of a Breach to the Secretary (hhs.gov)
- HHS - Filing a Health Information Privacy Complaint (hhs.gov)
- HHS - 2024 HIPAA Accomplishments and Wrap-Up (hhs.gov)
- HHS - State Attorneys General Enforcement Authority (hhs.gov)
- HHS - HIPAA Enforcement Rule (hhs.gov)