
HIPAA · Breach Notification Rule

HIPAA Breach Notification
Timelines & Requirements

When a breach of unsecured PHI occurs, HIPAA requires notification to affected individuals, HHS, and potentially the media. Learn the 60-day timeline and notification requirements.

Notify affected individuals within 60 days of discovery; breaches of 500+ individuals also require immediate HHS and media notice.

60 days: notification deadline
500+ individuals: triggers HHS & media notice
4 risk-assessment factors

45 CFR Part 164 · U.S. Dept. of Health & Human Services (OCR) · Last reviewed June 2026

Direct Answer

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals within 60 calendar days of discovering a breach of unsecured PHI, and to also notify the HHS Office for Civil Rights (hhs.gov/hipaa) — immediately when 500 or more individuals are affected, or in an annual batch when fewer than 500 are affected — plus prominent media when more than 500 residents of a state are involved. Business associates that discover a breach must alert the covered entity within the same 60-day outer limit (often sooner under the BAA), and properly encrypted PHI is generally exempt from notification.

Definitions

What Constitutes a Breach?

Breach Definition

An impermissible use or disclosure of PHI that compromises the security or privacy of the PHI. There is a presumption that any impermissible use or disclosure is a breach.

Exceptions to Breach

  • Unintentional access by workforce member acting in good faith
  • Inadvertent disclosure between authorized persons
  • Good faith belief that unauthorized person could not retain PHI

The 60-Day Clock

Breach Response Timeline

1. Discovery (Day 0): Breach discovered or should have been discovered through reasonable diligence
2. Risk Assessment (Days 1-7): Conduct 4-factor risk assessment to determine if notification is required
3. Individual Notice (Within 60 days): Written notice to affected individuals via first-class mail
4. Media Notice (Within 60 days): If 500+ individuals affected in a state, notify prominent media
5. HHS Notice (Within 60 days): Notify HHS via online portal (immediate if 500+, annual if <500)

Notification Thresholds at a Glance

Who must be notified | When | Trigger / threshold
Affected individuals | Within 60 days of discovery | Any breach of unsecured PHI (written notice, usually first-class mail)
HHS (OCR), immediate | Within 60 days of discovery | Breach affecting 500 or more individuals (via HHS online portal)
HHS (OCR), annual | Within 60 days of year-end | Breaches affecting fewer than 500 individuals, reported in an annual log
Prominent media | Within 60 days of discovery | More than 500 residents of a single state or jurisdiction affected
Covered entity (by the BA) | Within 60 days (often sooner per BAA) | Business associate discovers a breach of unsecured PHI it handles

Properly encrypted PHI is “secured” and its loss generally does not trigger these notification duties.
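The thresholds in the table above interact in ways that are easy to get wrong in an incident runbook (a 600-person breach spread over three states needs immediate HHS notice but no media notice; a 120-person breach goes in the annual log due 60 days after year-end). The helper below is an added example, not code from the original page or from HHS; the per-state counts, the secured-PHI flag and the BAA contract deadline are assumed inputs, and the sample breach is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

OUTER_LIMIT_DAYS = 60           # no later than 60 calendar days after discovery
HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more individuals: report to HHS within the outer limit
MEDIA_THRESHOLD = 500           # more than 500 residents of one state: prominent media notice


@dataclass
class Breach:
    discovered: date                        # day 0: discovered, or should have been with reasonable diligence
    affected_by_state: Dict[str, int]       # assumed input: state or jurisdiction -> affected residents
    phi_secured: bool = False               # PHI encrypted to HHS standards is "secured"
    ba_contract_days: Optional[int] = None  # assumed input: BAA deadline if a business associate discovered it


def notification_duties(b: Breach) -> dict:
    """Apply the page's thresholds and return each required notice with its deadline."""
    if b.phi_secured:
        return {}  # loss of secured PHI generally triggers no notification duty
    outer = b.discovered + timedelta(days=OUTER_LIMIT_DAYS)
    duties = {"individuals": outer}  # written notice is owed for any breach of unsecured PHI
    if sum(b.affected_by_state.values()) >= HHS_IMMEDIATE_THRESHOLD:
        duties["hhs"] = outer  # "immediate" reporting shares the 60-day outer limit
    else:
        # fewer than 500: logged, then submitted within 60 days of the end of the calendar year
        duties["hhs_annual"] = date(b.discovered.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)
    media_states = sorted(s for s, n in b.affected_by_state.items() if n > MEDIA_THRESHOLD)
    if media_states:  # the per-state count, not the total, decides the media notice
        duties["media"] = outer
        duties["media_states"] = media_states
    if b.ba_contract_days is not None:
        # the BA owes the covered entity notice by the BAA deadline, never later than the outer limit
        duties["covered_entity"] = b.discovered + timedelta(days=min(OUTER_LIMIT_DAYS, b.ba_contract_days))
    return duties


def plan(discovered_iso: str, affected_by_state: Dict[str, int],
         phi_secured: bool = False, ba_contract_days: Optional[int] = None) -> Dict[str, str]:
    """Same result with ISO-8601 strings, convenient for tickets and runbooks."""
    b = Breach(date.fromisoformat(discovered_iso), affected_by_state, phi_secured, ba_contract_days)
    return {k: (",".join(v) if isinstance(v, list) else v.isoformat())
            for k, v in notification_duties(b).items()}


if __name__ == "__main__":
    # constructed sample: 600 individuals in total, but no single state above 500
    for k, v in plan("2026-03-10", {"CA": 450, "NY": 150}).items():
        print(f"{k}: {v}")
```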

Rebutting the Presumption

4-Factor Risk Assessment

To determine if an impermissible disclosure compromised PHI, evaluate these factors:

1. Nature of PHI: Types of identifiers and likelihood of re-identification
2. Unauthorized Person: Who received or accessed the PHI (employee, external party, etc.)
3. PHI Acquired/Viewed: Whether PHI was actually acquired or viewed
4. Risk Mitigation: Extent to which risk has been mitigated (e.g., data returned, destroyed)

Notice Content

What Must Be Included in Breach Notice

Description of breach
Types of information involved
Steps individuals should take
What entity is doing to investigate
Contact information
Toll-free number (if 10+ individuals)

Frequently Asked Questions

Common questions on HIPAA breach notification timelines, thresholds, and business associate duties.

How long do you have to report a HIPAA breach?

A covered entity must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to the HHS Secretary without unreasonable delay and within 60 days, and to prominent media in the affected area. Breaches affecting fewer than 500 individuals are logged and reported to HHS in an annual submission. The rule is enforced by the HHS Office for Civil Rights (https://www.hhs.gov/hipaa).

What counts as a breach under HIPAA?

A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. The rule presumes any impermissible use or disclosure is a breach unless the entity demonstrates, through a four-factor risk assessment, a low probability that the PHI was compromised. PHI that is properly encrypted to HHS standards is "secured," so its loss generally does not trigger breach notification.

What is the 4-factor risk assessment?

To rebut the presumption of a breach, an entity evaluates four factors: (1) the nature and extent of the PHI involved, including identifiers and likelihood of re-identification; (2) the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated. If this assessment shows a low probability of compromise, notification may not be required — but the analysis must be documented.

Who must a business associate notify after a breach?

A business associate that discovers a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 days after discovery, providing the identities of affected individuals and the information needed for the covered entity to make its own notifications. The Business Associate Agreement typically sets a shorter contractual deadline. The covered entity then handles notification to individuals, HHS, and the media.

When must the media be notified of a HIPAA breach?

Media notification is required when a breach of unsecured PHI affects more than 500 residents of a single state or jurisdiction. In that case the covered entity must notify prominent media outlets serving that area, in addition to notifying the affected individuals and HHS, all within 60 days of discovery. This media-notice threshold is separate from, but aligned with, the 500-individual threshold that triggers immediate HHS reporting.


Written By Expert Auditors

Saundhi Chauhan, Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Surendra Pal Singh, Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor

Last reviewed: June 2026. Content verified by certified lead auditors.
