HIPAA Breach Notification Guide: Requirements, Timeline & Reporting Steps (2026)

HIPAA breach notification requirements explained: who to notify, when, and how. Covers the 60-day deadline, small vs. large breaches, and the March 1 annual report.

Patient Protect Editorial Team·March 17, 2026·11 min read
[Figure: Timeline diagram showing HIPAA breach notification requirements from discovery through HHS reporting deadlines]

When a breach happens, most practices do not know what to do first. They know it is bad. They know they need to tell someone. But the specifics — who to notify, in what order, by when, and through which channel — are buried in a regulation most practice owners have never read end to end.

The HIPAA Breach Notification Rule (45 CFR §164.400–414) lays out specific requirements. There are two reporting tracks, hard deadlines, mandatory content for notification letters, and state-level requirements that can be stricter than the federal standard. Getting this wrong does not just delay recovery. It compounds the original violation with a second one.

This guide covers the full breach notification process for independent healthcare practices — from determining whether an incident qualifies as a breach to filing the final report with HHS.

What Counts as a Breach?

Under the Breach Notification Rule, a breach is an impermissible use or disclosure of protected health information (PHI) that compromises the security or privacy of the information. That definition is broad by design.

The critical default: any impermissible disclosure of PHI is presumed to be a breach unless your practice can demonstrate, through a documented risk assessment, that there is a low probability the PHI was actually compromised.

That risk assessment uses four factors:

  1. The nature and extent of the PHI involved. What types of identifiers were exposed? Did the disclosure include clinical information, Social Security numbers, or financial data? The more sensitive the data, the higher the risk.

  2. Who accessed or received the PHI. An unauthorized disclosure to another covered entity carries different risk than a disclosure to an unknown third party or a disclosure that was publicly accessible.

  3. Whether the PHI was actually acquired or viewed. A misdirected fax that was returned unopened carries lower risk than an email attachment that was opened and downloaded. If you can demonstrate the data was never accessed, the probability of compromise drops.

  4. The extent to which the risk has been mitigated. Did you retrieve the data? Did the recipient confirm destruction? Did you receive assurances that the information will not be used or further disclosed?

You must document this four-factor analysis for every potential breach. If the analysis concludes there is a low probability of compromise, you are not required to notify. But the documentation must exist. If OCR investigates and you cannot produce the written risk assessment, the presumption reverts to breach — and now you have both a breach and a failure to notify.

The Two Reporting Tracks

HIPAA separates breaches into two categories with different notification requirements. The dividing line is 500 affected individuals.

Large Breaches: 500 or More Individuals

These are the breaches that make the news. The requirements are:

Notify HHS within 60 days of discovery. Submit the report through the HHS breach reporting portal (ocrportal.hhs.gov). Once submitted, the breach is posted publicly on the HHS Breach Portal — commonly called the "Wall of Shame" — where it is visible to regulators, journalists, competitors, and patients indefinitely.

Notify affected individuals within 60 days. Written notification by first-class mail to every individual whose PHI was compromised. If the individual previously consented to electronic communication, email is acceptable. The notification must contain specific content elements (covered below).

Notify prominent media outlets. If the breach affects 500 or more residents of a single state or jurisdiction, you must issue a press release or equivalent notice to prominent media outlets serving that state. This is not optional. It is a regulatory requirement that practices routinely overlook.

Small Breaches: Fewer Than 500 Individuals

These are more common in independent practices. A misdirected fax, a misfiled record, an email sent to the wrong patient.

Notify affected individuals within 60 days. Same timeline, same content requirements as large breaches. The obligation to the individual does not change based on scale.

Log the breach internally. Maintain a breach log that records the details of every small breach — date of discovery, individuals affected, nature of the breach, and the outcome of the four-factor risk assessment.

Report to HHS annually by March 1. All small breaches from the prior calendar year are submitted to HHS in a single annual report, due no later than March 1 of the following year. These are submitted through the same HHS breach reporting portal. Missing this deadline is itself a compliance failure.

The Breach Notification Timeline

Here is how the process unfolds from the moment a breach is discovered.

Day 0 — Discovery. The 60-day clock starts when the breach is discovered — or when it reasonably should have been discovered. This is not when it is reported to management. It is not when the compliance officer learns about it. It is when any member of your workforce knew or should have known about the incident. If a front desk employee noticed a misdirected fax on a Tuesday but did not tell anyone until the following Monday, the clock started on Tuesday.

Days 1 through 10 — Contain and investigate. Stop the breach from continuing. Retrieve any disclosed PHI if possible. Identify which individuals were affected and what types of PHI were involved. Perform the four-factor risk assessment. Document every step.

Days 10 through 30 — Determine scope and prepare notification. Finalize the list of affected individuals. Draft notification letters that meet the content requirements below. Determine whether the breach crosses the 500-person threshold and triggers media notification. Engage legal counsel if the breach is large, involves sensitive data, or has potential for litigation.

Day 60 — Notification deadline. Individual notifications must be sent. For large breaches, the HHS report must be filed and media notification issued. There is no extension. There is no grace period. Late notification is a separate violation that OCR evaluates independently of the underlying breach.

March 1 of the following year — Small breach annual report. If the breach affected fewer than 500 individuals, the HHS report is due with the annual filing. Every small breach from the prior calendar year must be included.

What Individual Notification Must Include

The Breach Notification Rule specifies five content elements that every notification letter must contain. Omitting any of them makes the notification deficient:

  1. A description of the breach — what happened, in plain language, including the date of the breach and the date of discovery.

  2. The types of PHI involved — names, Social Security numbers, dates of birth, diagnoses, treatment information, financial data, or whatever specific identifiers were compromised.

  3. Steps individuals should take to protect themselves — such as monitoring credit reports, placing fraud alerts, or changing passwords. Tailor this to the type of PHI exposed.

  4. What the practice is doing in response — investigation steps, remediation measures, and steps taken to prevent recurrence.

  5. Contact information — a toll-free phone number, email address, or mailing address where affected individuals can ask questions. This must be monitored and responsive for at least 90 days.

Notifications must be sent by first-class mail. Email is permitted only if the individual has previously agreed to receive electronic communications from the practice. If you cannot reach 10 or more individuals by mail, you must post a conspicuous notice on your website for 90 days and provide a toll-free number.
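As an added example that is not part of the original article or the Patient Protect platform, the following Python sketch encodes the reporting-track, deadline and notice-channel rules from the two sections above (discovery clock, 500-person threshold, per-state media notice, March 1 annual filing, substitute notice for unreachable individuals); the Incident fields and the sample incidents are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500      # 500 or more individuals: large-breach track
NOTIFICATION_WINDOW_DAYS = 60     # individual (and large-breach HHS) notice window
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10+ unreachable by mail: website notice + toll-free number


@dataclass
class Incident:
    """Constructed incident record (hypothetical field names, not a real schema)."""
    workforce_aware: date          # earliest date any workforce member knew or should have known
    escalated_to_compliance: date  # when the compliance officer learned of it (does NOT start the clock)
    affected_by_state: dict        # state -> number of affected individuals
    unreachable_by_mail: int = 0   # individuals whose mailed notice cannot be delivered


def discovery_date(inc: Incident) -> date:
    """The 60-day clock starts at first workforce knowledge, never at escalation."""
    return min(inc.workforce_aware, inc.escalated_to_compliance)


def obligations(inc: Incident) -> dict:
    """Derive the reporting track, deadlines and extra notice channels for one incident."""
    disc = discovery_date(inc)
    total = sum(inc.affected_by_state.values())
    deadline = disc + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    obs = {"discovery": disc, "individual_notice_by": deadline}
    if total >= LARGE_BREACH_THRESHOLD:
        obs["track"] = "large"
        obs["hhs_report_by"] = deadline                   # same 60-day window as individual notice
    else:
        obs["track"] = "small"
        obs["hhs_report_by"] = date(disc.year + 1, 3, 1)  # annual log filing for the prior calendar year
    # Media notice is per state: only states with 500+ affected residents trigger it,
    # so a large breach spread thinly across states may need no press release at all.
    obs["media_notice_states"] = sorted(
        s for s, n in inc.affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD
    )
    obs["substitute_web_notice"] = inc.unreachable_by_mail >= SUBSTITUTE_NOTICE_THRESHOLD
    return obs


def days_remaining(inc: Incident, today: date) -> int:
    """Days left in the individual-notice window; negative means the deadline has passed."""
    return (obligations(inc)["individual_notice_by"] - today).days
```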

State Notification Requirements

HIPAA sets the federal floor, not the ceiling. Many states have their own breach notification laws — and some impose shorter timelines than HIPAA's 60 days.

Examples vary widely. Some states require notification within 30 days. Others require notification to the state attorney general in addition to affected individuals. Several states have expanded the definition of personal information beyond what HIPAA covers, which can trigger notification obligations even when the federal rule might not.

Your practice must comply with both federal and state requirements. When they conflict, the stricter standard applies. Check your state attorney general's website for current breach notification requirements. If your practice operates in multiple states — or treats patients from other states — you may need to comply with the laws of each.

This is an area where legal counsel adds value. A five-minute conversation with a healthcare attorney before you send notifications can prevent a state-level compliance failure.

Common Breach Notification Mistakes

These are the errors that turn a manageable incident into a compounded regulatory problem.

Not recognizing a breach as a breach. The most dangerous mistake. A staff member sends records to the wrong patient and retrieves them the same day. The practice decides it was "not really a breach" and does nothing. But unless you perform and document the four-factor risk assessment, the presumption stands. An undocumented incident that you decided was not a breach looks exactly like a breach you tried to hide.

Starting the clock from the wrong date. The 60-day timeline runs from discovery by any workforce member — not from when it was escalated to the compliance officer, not from when it was discussed at a staff meeting, not from when leadership decided to act. Practices that delay internal reporting effectively shorten their own response window.

Not documenting the four-factor risk assessment. Even when the analysis legitimately supports a low-probability conclusion, the absence of documentation negates the analysis. OCR does not accept verbal recollections. If it is not written down, it did not happen.

Skipping media notification for large breaches. Practices that report to HHS and notify individuals sometimes forget the media notification requirement for breaches affecting 500 or more residents of a single state. This is a distinct obligation. Missing it is a distinct violation.

Missing the March 1 small breach deadline. Small breaches can feel insignificant — a single misdirected fax, a single misfiled record. But they accumulate in the breach log, and the entire log must be reported to HHS by March 1. Missing the annual filing deadline draws regulatory attention to incidents that might otherwise have been unremarkable.

How Patient Protect Helps

Patient Protect provides the operational infrastructure that breach notification requires — before, during, and after an incident.

Security incident logging. Every potential incident is captured, timestamped, and tracked from detection through resolution. The log serves as both an operational tool and an audit trail.

Breach documentation workflows. Guided four-factor risk assessments that produce the written documentation OCR expects. You answer the questions. The platform generates the analysis and stores the evidence.

Breach intelligence dashboard. The breach dashboard displays real-time HHS OCR breach data — every reported breach affecting 500 or more individuals, searchable by entity, state, breach type, and date. Monitor whether your business associates appear in the data before OCR contacts you.

Notification tracking. Track individual notifications sent, delivery confirmations, and the 90-day contact window — with documentation ready for any investigation.

The entire platform starts at $39/month with no long-term contract. For a practice navigating a breach, the cost of not having documentation infrastructure is measured in fines, legal fees, and lost patients.

Frequently Asked Questions

What is the HIPAA breach notification deadline?

Sixty days from the date of discovery. Discovery occurs when any workforce member knew or reasonably should have known about the breach — not when management was informed. For large breaches (500+ individuals), the HHS report is also due within 60 days. For small breaches (under 500), the HHS report is due annually by March 1 of the following year.

Do I have to report a small breach to HHS?

Yes. Every breach, regardless of size, must be reported to HHS. The difference is timing. Breaches affecting fewer than 500 individuals are reported annually through the HHS breach reporting portal by March 1. They are not exempt from reporting — just on a different schedule.

What if I am not sure whether it was a breach?

Perform and document the four-factor risk assessment. The HIPAA Breach Notification Rule presumes that any impermissible use or disclosure is a breach unless you can demonstrate a low probability of compromise through the documented analysis. If you skip the assessment, the presumption stands, and you have 60 days to notify.

Can I be fined for a late breach notification?

Yes. Failure to provide timely breach notification is a separate HIPAA violation, independent of the underlying breach. Penalties follow the standard HIPAA penalty tiers — ranging from $141 to $2,134,831 per violation depending on the level of culpability. OCR evaluates the notification timeline separately from the breach itself.

What is the HHS breach reporting portal?

The portal at ocrportal.hhs.gov is the official mechanism for submitting breach reports to the Office for Civil Rights. Both large and small breach reports are filed through this portal. Large breach reports (500+ individuals) are posted publicly. Small breach annual reports are submitted but not individually published.

Does sending PHI to the wrong patient count as a breach?

Yes. Sending PHI to the wrong recipient is an impermissible disclosure under the Privacy Rule. It is presumed to be a breach unless the four-factor risk assessment demonstrates a low probability of compromise — for example, if the recipient confirmed they did not open the communication and the PHI was retrieved. Even then, the assessment must be documented. This is one of the most common breach scenarios for independent practices.


The breach notification process is not optional and it is not flexible. The deadlines are fixed, the content requirements are specific, and the consequences of noncompliance are independent of the original breach. The practices that handle it well are the ones that built the documentation infrastructure before the incident occurred.
