
How Do You Report a HIPAA Breach? (w/Examples) + FAQs

You report a HIPAA breach by notifying affected individuals in writing within 60 days, filing a report with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) through its online Breach Portal, and—if the breach involves 500 or more people in one state or jurisdiction—alerting prominent media outlets. Business associates must notify the covered entity they serve, and covered entities must notify patients, HHS, and sometimes the press. Every step is governed by the HIPAA Breach Notification Rule at 45 CFR §§164.400–414.

The rule exists because unsecured protected health information (PHI) that escapes into the wrong hands can wreck lives, drain bank accounts, and erase trust in the healthcare system. Congress passed the HITECH Act in 2009 to force disclosure, and OCR now enforces it with civil money penalties that climb into the millions. A single late or missing notification can convert a manageable incident into a headline-grabbing enforcement action.

In 2024 alone, OCR received 734 reports of breaches affecting 500 or more individuals, exposing the records of more than 275 million people—nearly 82% of the U.S. population. That statistic shows why regulators treat the clock, the paperwork, and the content of each notice as non-negotiable.

Here is what you will learn in this guide:

  • 📌 Exactly who must report a HIPAA breach and who they must tell
  • ⏱️ The 60-day deadline, the “without unreasonable delay” standard, and the annual March 1 log
  • 🧮 The four-factor Breach Risk Assessment and how to document a “low probability of compromise”
  • 🏛️ Federal HIPAA/HITECH rules plus state overlays like CMIA, Texas HB 300, and the SHIELD Act
  • 💸 Current 2026 civil and criminal penalties, plus real OCR enforcement examples

What Counts as a HIPAA Breach

A HIPAA breach is the acquisition, access, use, or disclosure of protected health information in a manner not permitted by the Privacy Rule that compromises the security or privacy of that information. The definition comes from 45 CFR §164.402. The rule presumes every impermissible use or disclosure is a breach unless the covered entity or business associate proves otherwise through a formal risk assessment. That presumption flips the old burden of proof and forces organizations to document every incident.

Protected Health Information Defined

Protected health information, or PHI, includes any individually identifiable health information held or transmitted by a covered entity or its business associate. The HHS definition of PHI lists 18 identifiers, from names and Social Security numbers to biometric data and full-face photos. The consequence of misidentifying PHI is severe: if a covered entity treats a record as non-PHI and releases it, every downstream disclosure becomes a reportable breach. For example, Dr. Lina Ortega at a small pediatric clinic emails a spreadsheet of patient first names and birthdates to a marketing vendor, believing the data is safe once last names are removed. A common misconception is that stripping last names removes PHI status; in reality, the combination of date of birth and ZIP code still identifies a person under the HHS Safe Harbor de-identification standard.

Secured vs. Unsecured PHI

Only unsecured PHI triggers breach notification. PHI is “secured” when it is encrypted to NIST Special Publication 800-111 standards for data at rest or FIPS 140-2 validated encryption for data in motion. If a laptop holding encrypted PHI is stolen and the key is not on the device, no notification is required. A common misconception is that password protection alone qualifies as encryption; it does not, and OCR has fined organizations that confused the two. The consequence of skipping encryption is that every lost phone, stolen USB stick, or misdirected fax becomes a public, reportable event.

Exceptions That Are Not Breaches

Three narrow exceptions exist under 45 CFR §164.402(1). The first covers unintentional access by a workforce member acting in good faith and within scope of authority. The second covers inadvertent disclosure between two authorized persons at the same organization. The third covers cases where the covered entity has a good-faith belief the unauthorized recipient could not reasonably have retained the information. For instance, nurse Marcus Reed hands a discharge summary to the wrong patient, realizes the error in two seconds, and retrieves the paper before it is read. That incident is not a breach because retention was not possible.

Who Must Report a HIPAA Breach

Both covered entities and business associates carry reporting duties, but the duties run in different directions. A covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA-standard transaction. A business associate is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. The HHS definitions page lists every category.

Covered Entity Duties

Covered entities must notify affected individuals, HHS, and in some cases the media. They must also make sure their workforce is trained on breach identification and response under 45 CFR §164.530(b). The consequence of skipping training is that an untrained employee may sit on a ransomware event for weeks, pushing the organization past the 60-day deadline. Consider Bayside Family Practice, a three-doctor clinic, where receptionist Julia Chen opens a phishing email and infects the server. Because the clinic never trained staff, Julia hides the incident for 70 days, and the clinic now faces willful-neglect penalties starting at $71,162 per violation.

Business Associate Duties

Business associates must notify the covered entity they serve “without unreasonable delay and in no case later than 60 days” after discovery under 45 CFR §164.410. The business associate agreement (BAA) may shorten that window to 10, 15, or 30 days. The consequence of missing the BAA deadline is breach of contract plus direct OCR enforcement, because the HITECH Act made business associates directly liable. For example, MedClaims Processing LLC, a billing vendor, discovers an unauthorized login on day 12 but waits until day 55 to tell its client hospital. The hospital then has only five days to draft individual notices, which is nearly impossible for a 40,000-patient breach.

Subcontractors and Downstream Vendors

A subcontractor of a business associate is itself a business associate under HIPAA. The OCR guidance on business associate chains confirms this. The consequence is that a cloud hosting provider two layers down the chain still owes a breach notice up the chain. A common misconception is that only the signed, top-level vendor carries HIPAA liability; in truth, every downstream handler of PHI owes the same duties.

The Step-by-Step Breach Reporting Process

The reporting process breaks into six stages: discover, contain, assess, notify individuals, notify HHS, and notify the media when required. Each stage has its own paperwork and clock.

Step 1: Discover and Document the Incident

A breach is “discovered” on the first day any workforce member or agent knows or should reasonably have known about it. That trigger date sets every downstream deadline under 45 CFR §164.404(b). The consequence of misdating discovery is that OCR will use its own reconstructed timeline, usually the earliest log entry showing unusual activity. Dr. Aaron Patel’s urgent-care group discovers malware on March 3 but logs the discovery as March 20; OCR later finds server alerts from March 3 and treats that as day one. A common misconception is that discovery means the day the CEO is briefed; the rule uses the earliest employee awareness.

Step 2: Contain and Investigate

Containment means stopping the bleeding: disconnect the compromised device, revoke credentials, preserve forensic images, and freeze the payroll of any departing employee who may have taken records. The OCR Cyber Security Guidance lists these steps. The consequence of skipping forensic preservation is that the organization cannot prove the four-factor risk assessment later and is stuck with the presumption of breach.

Step 3: Complete the Four-Factor Risk Assessment

Under 45 CFR §164.402(2), a covered entity may rebut the presumption of breach only by showing a “low probability of compromise” using four factors:

  • The nature and extent of the PHI involved, including identifiers and likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated

Every factor must be documented in a signed memo retained for six years. The consequence of a thin assessment is that OCR rejects the “no breach” conclusion and charges the late notifications as willful neglect.

Step 4: Notify Affected Individuals

Individual notice must go out “without unreasonable delay and in no case later than 60 calendar days” after discovery under 45 CFR §164.404(a). The notice must be written in plain language and mailed first-class to the last known address, or emailed if the individual has agreed to electronic notice. If the covered entity has outdated contact information for 10 or more people, it must post substitute notice on its home page for 90 days or run a notice in major print or broadcast media. The notice must contain a brief description of what happened, the types of PHI involved, steps individuals should take, what the entity is doing, and contact information with a toll-free number.

Step 5: Notify the HHS Secretary

For breaches affecting 500 or more individuals, the covered entity must notify HHS “contemporaneously” with individual notices—meaning the same day or close to it—under 45 CFR §164.408(b). For breaches under 500, the entity may log each incident and submit a combined annual report to HHS no later than 60 days after the end of the calendar year, which in practice means March 1. All notifications go through the OCR Breach Reporting Portal.

Step 6: Notify the Media

If a breach affects more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that area under 45 CFR §164.406. A press release to a major newspaper or TV station usually satisfies the rule. The consequence of skipping media notice is a separate violation for every day the notice is late.
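As an added, illustrative example (not code from the article, from HHS, or from any vendor named above), the following Python planner turns Steps 1 through 6 into concrete dates and obligations for one incident. It assumes a hypothetical `Incident` record and uses constructed sample alert dates; day zero is the earliest of the claimed discovery date and any earlier unusual-activity alert, mirroring the Dr. Patel example in Step 1; the media threshold follows the "more than 500 residents" wording of 45 CFR §164.406 in Step 6; and the annual small-breach submission uses the March 1 date given in Step 5. A second helper checks a draft notice for the five content elements listed in Step 4.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical helper, not part of the article: maps the Breach Notification
# Rule's clocks (45 CFR 164.404-.410) onto concrete dates for one incident.


@dataclass
class Incident:
    claimed_discovery: date             # the day staff say they noticed
    alert_dates: list                   # constructed: earlier log alerts OCR could treat as day zero
    individuals: int                    # total affected individuals
    residents_by_state: dict            # state code -> affected residents in that state
    secured: bool                       # encrypted to NIST SP 800-111 with the key off the device
    stale_contacts: int                 # individuals whose contact information is out of date
    reporter: str = "covered_entity"    # or "business_associate"
    baa_notice_days: Optional[int] = None  # shorter BA -> CE window written into the BAA, if any


# The five content elements a notice must carry (164.404(c)); names are ours.
NOTICE_ELEMENTS = ("what_happened", "phi_types", "steps_for_individuals",
                   "entity_actions", "contact_toll_free")


def discovery_date(inc: Incident) -> date:
    """Day zero is the earliest point anyone knew or should have known (164.404(b)).
    OCR reconstructs it from the earliest unusual-activity log entry, so the
    earliest alert wins over the date staff wrote down."""
    return min([inc.claimed_discovery, *inc.alert_dates])


def notification_plan(inc: Incident) -> dict:
    """Return the notification obligations and deadlines for an incident."""
    day0 = discovery_date(inc)
    plan = {"day_zero": day0}
    if inc.secured:
        # Safe harbor: secured PHI is outside the rule; still document the assessment.
        plan["notice_required"] = False
        return plan
    plan["notice_required"] = True
    if inc.reporter == "business_associate":
        # 164.410: no later than 60 days, unless the BAA shortens the window.
        window = min(inc.baa_notice_days or 60, 60)
        plan["notify_covered_entity_by"] = day0 + timedelta(days=window)
        return plan  # the covered entity then owns individual, HHS and media notices
    # 164.404: individual notice within 60 calendar days (weekends and holidays count).
    plan["individual_notice_by"] = day0 + timedelta(days=60)
    if inc.individuals >= 500:
        # 164.408(b): HHS is notified contemporaneously with individual notices.
        plan["hhs_notice_by"] = plan["individual_notice_by"]
    else:
        # 164.408(c): logged and submitted in the annual report, March 1 of the next year.
        plan["hhs_notice_by"] = date(day0.year + 1, 3, 1)
    # 164.406: media notice in every state with more than 500 affected residents.
    plan["media_notice_states"] = sorted(
        s for s, n in inc.residents_by_state.items() if n > 500)
    # 164.404(d)(2): substitute notice when contact data is stale for 10 or more people.
    plan["substitute_notice_required"] = inc.stale_contacts >= 10
    return plan


def missing_notice_elements(notice: dict) -> list:
    """Return the required content elements absent or empty in a draft notice."""
    return [e for e in NOTICE_ELEMENTS if not notice.get(e)]


def example_plans() -> dict:
    """Constructed scenarios mirroring the article's cases; not real incidents."""
    stolen_laptop = Incident(
        claimed_discovery=date(2026, 3, 20),
        alert_dates=[date(2026, 3, 3), date(2026, 3, 5)],  # constructed server alerts
        individuals=1200, residents_by_state={"CA": 900, "NV": 300},
        secured=False, stale_contacts=15)
    thumb_drive = Incident(date(2026, 1, 15), [], 340, {"OR": 340}, False, 2)
    encrypted_laptop = Incident(date(2026, 4, 1), [], 5000, {"TX": 5000}, True, 0)
    vendor = Incident(date(2026, 6, 10), [], 62000, {"NY": 62000}, False, 0,
                      reporter="business_associate", baa_notice_days=15)
    return {"stolen_laptop": notification_plan(stolen_laptop),
            "thumb_drive": notification_plan(thumb_drive),
            "encrypted_laptop": notification_plan(encrypted_laptop),
            "vendor": notification_plan(vendor)}


if __name__ == "__main__":
    for name, plan in example_plans().items():
        print(name, plan)
    draft = {"what_happened": "stolen laptop", "phi_types": "names, dates of birth"}
    print("missing notice elements:", missing_notice_elements(draft))
```

Running the module prints one plan per scenario. The stolen-laptop plan shows the point of Step 1: the March 3 alert, not the March 20 write-up, fixes every deadline, and the 900 California residents push the incident over the media threshold while the 300 Nevada residents do not. The vendor plan stops at the covered-entity deadline because, under Step 5 and Step 6, the covered entity issues the downstream notices.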

Filling Out the OCR Breach Portal Form

The online Breach Portal walks the reporter through a structured form. Every field matters because OCR uses the data to decide whether to open a compliance review.

Contact and Entity Information

The form asks for the covered entity name, address, and contact person. If a business associate is reporting on behalf of the covered entity, the portal asks for both sets of information. The consequence of listing the wrong contact is that OCR letters go to the wrong desk and deadlines slip.

Breach Details

The reporter must enter the date of the breach, the date of discovery, the number of individuals affected, and the type of breach (theft, loss, unauthorized access, hacking/IT incident, improper disposal, or unknown). The reporter then identifies the location of the PHI (laptop, network server, paper, email, electronic medical record, etc.) and the type of PHI involved (demographic, financial, clinical, other). Each dropdown choice feeds OCR analytics and appears on the public “Wall of Shame” for breaches of 500 or more.

Safeguards and Notification

The form asks what administrative, physical, and technical safeguards were in place before the breach, and what actions the entity has taken since. It also asks whether individual, media, and HHS notices were sent and on what dates. The consequence of blank fields is that OCR treats the report as incomplete and opens an investigation by default.

Three Common Breach Scenarios

  • Breach event: A laptop with unencrypted records of 1,200 patients is stolen from a physician’s car. Required reporting action: Notify all 1,200 patients within 60 days, notify HHS contemporaneously, issue a press release to local media, and post on the home page for 90 days if contact data is outdated.
  • Breach event: A phishing attack exposes the inboxes of three nurses holding 412 patient emails. Required reporting action: Complete the four-factor risk assessment; if compromise is not “low probability,” notify all 412 patients within 60 days and log the incident for the March 1 annual HHS submission.
  • Breach event: A billing vendor emails a spreadsheet of 75,000 claims to the wrong client by mistake. Required reporting action: The business associate notifies the covered entity within the BAA window; the covered entity notifies all 75,000 individuals within 60 days, alerts HHS contemporaneously, and issues media notice in every affected state.

Real OCR Enforcement Examples

OCR publishes every resolution agreement on its enforcement highlights page. A few stand out as teaching cases.

Anthem Inc. — $16 Million

In 2018, Anthem paid the largest HIPAA settlement in history at that time, $16 million, after a cyberattack exposed the ePHI of nearly 79 million people. OCR found Anthem failed to conduct an enterprise-wide risk analysis and failed to implement sufficient procedures to review information system activity. The consequence for Anthem reached beyond the fine: a corrective action plan, ongoing OCR monitoring, and related class-action settlements totaling $115 million.

Premera Blue Cross — $6.85 Million

In 2020, Premera Blue Cross paid $6.85 million to settle allegations tied to a hack exposing 10.4 million records. OCR cited lack of risk analysis, lack of risk management, insufficient hardware and software inventory, and lack of audit controls. The case shows how a single root cause—no formal risk analysis—can cascade into multiple violations.

Excellus Health Plan — $5.1 Million

Excellus paid $5.1 million in 2021 after cyberattackers accessed PHI of 9.3 million people. OCR emphasized inadequate technical and non-technical evaluation of environmental and operational changes. The case is a reminder that OCR reads the Security Rule’s evaluation standard at 45 CFR §164.308(a)(8) literally.

Advocate Health Care — $5.55 Million

In 2016, Advocate Health Care paid $5.55 million after three separate breaches involving 4 million patients. The settlement highlighted failure to execute a business associate agreement and failure to safeguard an unencrypted laptop. The case is a textbook example of how one organization’s gaps stack across incidents.

Federal Timeline at a Glance

  • Day 0: Breach is discovered; the clock starts immediately under 45 CFR §164.404(b)
  • Within 60 days: Individual written notices mailed; HHS notified for breaches of 500+; media notice issued for 500+ in a state
  • March 1 each year: Annual combined log submission to HHS for breaches affecting fewer than 500 individuals the prior year
  • 6-year retention: All documentation, risk assessments, and notices retained under 45 CFR §164.530(j)

State Law Overlays

HIPAA sets the floor, not the ceiling. State breach notification laws often demand faster notice, broader coverage, or extra recipients.

California — CMIA and CCPA

The California Confidentiality of Medical Information Act (CMIA) requires licensed healthcare providers to report breaches of medical information to the California Department of Public Health within 15 business days, a much tighter window than federal HIPAA’s 60 days. The California Consumer Privacy Act adds a private right of action with statutory damages of $100–$750 per consumer per incident. The consequence for a California covered entity that follows only HIPAA is a parallel CMIA violation, often with per-patient fines.

Texas — HB 300

Texas HB 300 expands HIPAA’s definition of “covered entity” to anyone who assembles, stores, or transmits PHI in Texas, including many organizations outside traditional healthcare. It also requires breach notice to the Texas Attorney General and mandates employee training within 90 days of hire. The consequence of ignoring HB 300 is civil penalties up to $250,000 per violation for knowing failures.

New York — SHIELD Act

The SHIELD Act requires any business holding New Yorkers’ private information to implement reasonable safeguards and notify affected residents and the New York Attorney General. The act covers biometric and medical information and applies even to out-of-state companies holding New York data. The consequence is civil penalties up to $250,000 and injunctive relief.

Other State Variations

Every state except Alabama now has a breach notification law. Many, like Florida’s FIPA, shorten the federal 60-day window to 30 days. A common misconception is that HIPAA preempts state law; it does not preempt stricter state law under 45 CFR §160.203.

Penalties for Failing to Report

OCR imposes civil money penalties under four tiers set by the HITECH Act and adjusted annually for inflation. For calendar year 2026, the adjusted tiers are roughly:

  • Tier 1 (no knowledge): $141 to $71,162 per violation, up to $2,134,831 per identical violation per year
  • Tier 2 (reasonable cause): $1,424 to $71,162 per violation, up to $2,134,831 per year
  • Tier 3 (willful neglect, corrected): $14,232 to $71,162 per violation, up to $2,134,831 per year
  • Tier 4 (willful neglect, not corrected): $71,162 per violation, up to $2,134,831 per year

Criminal penalties under 42 U.S.C. §1320d-6 reach 10 years in prison for obtaining PHI with intent to sell or use for commercial advantage. The consequence of ignoring the rule is not abstract; clinic owner Dr. Michael Ayers pleaded guilty in a recent case for selling patient lists and now faces federal sentencing.

Named Examples of Real-World Reporting

Example 1: Dr. Lina Ortega’s Pediatric Clinic

Dr. Ortega’s clinic loses a thumb drive holding 340 unencrypted immunization records. On discovery day, she calls counsel, runs the four-factor assessment, and cannot reach “low probability of compromise” because the drive held full names and dates of birth. She mails 340 notices by day 45, logs the incident, and waits until March 1 of the next year to submit the batch report to HHS because the count is under 500.

Example 2: MedClaims Processing LLC

MedClaims, a business associate, suffers a ransomware attack exposing 62,000 patient claims across three hospital clients. Under its BAA’s 15-day clause, MedClaims notifies each hospital on day 10. Each hospital then issues individual notices, contemporaneous HHS reports, and press releases in its state. The total legal and forensic bill tops $2.1 million, and OCR opens a direct investigation into MedClaims.

Example 3: Nurse Marcus Reed’s Near Miss

Marcus accidentally emails a patient’s lab result to the wrong address on a hospital domain. The recipient, another nurse, deletes the email and attests in writing. The hospital documents the incident under the “inadvertent disclosure” exception in 45 CFR §164.402(1)(ii), concludes no breach occurred, and retains the memo for six years.

Mistakes to Avoid

  • Treating password protection as encryption and skipping notice after a lost laptop
  • Dating “discovery” on the day the CEO is briefed instead of the first employee awareness
  • Writing a one-paragraph risk assessment that fails to address all four factors
  • Forgetting to post substitute notice on the home page when 10 or more contacts are stale
  • Skipping the media notice for breaches of 500+ in a single state
  • Missing the March 1 annual log deadline for small breaches
  • Allowing a business associate agreement to remain silent on breach timing
  • Failing to train workforce members, leaving phishing clicks undetected for weeks
  • Ignoring stricter state law deadlines like California’s 15 business days
  • Relying on a cyber insurance vendor to handle notices without direct oversight
  • Deleting server logs before forensic preservation, killing the four-factor defense

Do’s and Don’ts

Do’s

  • Start the 60-day clock on the earliest employee awareness, because that is the legal trigger
  • Document the four-factor risk assessment in a signed memo, because OCR will demand it
  • Encrypt all portable media and email containing PHI, because encryption creates a safe harbor
  • Send notices by first-class mail with tracking, because delivery evidence defeats “we never got it” claims
  • Train every new hire within 30 days, because willful neglect begins with untrained staff
  • Maintain a written incident response plan, because regulators expect a tested playbook

Don’ts

  • Don’t assume HIPAA preempts stricter state law, because 45 CFR §160.203 says otherwise
  • Don’t delay notice while investigating, because “unreasonable delay” is a separate violation
  • Don’t forget to list the incident on the OCR portal, because missing entries trigger audits
  • Don’t use a generic template without the five required content elements, because missing elements equal non-notification
  • Don’t rely on a business associate’s verbal assurance, because direct liability flows through contracts
  • Don’t destroy forensic evidence, because spoliation invites punitive findings

Pros and Cons of Prompt Reporting

Pros

  • Limits civil penalty exposure to Tier 1 or Tier 2 instead of willful-neglect tiers
  • Preserves patient trust because transparency softens reputational harm
  • Satisfies state law deadlines that often run shorter than federal 60 days
  • Avoids parallel enforcement from state attorneys general piling on
  • Creates a documented record that defeats class-action “cover-up” theories

Cons

  • Triggers immediate media scrutiny, particularly when the breach crosses 500 individuals
  • Forces operational disruption to draft, mail, and staff toll-free hotlines
  • Can encourage plaintiffs’ lawyers to file quickly on a confirmed admission
  • Raises insurance premiums at renewal even when the entity acts correctly
  • May involve paying for credit monitoring that costs $15 to $30 per person

Recap of Key Rulings and Guidance

The U.S. Supreme Court’s 2016 decision in Spokeo v. Robins shaped HIPAA-adjacent class actions by requiring concrete injury for standing. Lower courts split on whether mere data exposure satisfies that test, which is why OCR filings and breach notices must be precise. The Fifth Circuit’s 2021 decision in University of Texas M.D. Anderson Cancer Center v. HHS vacated a $4.3 million OCR penalty and narrowed OCR’s enforcement theory on encryption, prompting OCR to tighten its investigative record-keeping. Both rulings remind reporters that careful documentation at the time of the breach is the single most valuable defense later.

FAQs

When does the 60-day HIPAA breach notification clock start?

It does not start when the CEO is briefed. It starts on the first day any workforce member knew or should have known about the incident under 45 CFR §164.404(b).

Do small clinics have to use the OCR Breach Portal?

Yes, every covered entity, regardless of size, must report breaches through the OCR online portal for both 500+ incidents and the annual small-breach log.

Is a lost encrypted laptop a reportable HIPAA breach?

No. If the encryption meets NIST SP 800-111 standards and the key is not on the device, the data is “secured” and no notification is required.

Must I notify HHS about breaches under 500 people right away?

No. Breaches affecting fewer than 500 individuals may be submitted in a combined annual log by March 1 of the following calendar year under 45 CFR §164.408(c).

Does HIPAA preempt state breach notification laws?

No, HIPAA sets a floor; stricter state laws like CMIA, HB 300, and the SHIELD Act still apply alongside federal rules under 45 CFR §160.203.

Can a business associate report directly to HHS for its client?

Yes, but only if the covered entity delegates that duty in writing; the covered entity remains legally responsible for the accuracy and timeliness of the report.

Is ransomware automatically a HIPAA breach?

Yes, OCR’s 2016 ransomware guidance presumes a breach whenever ransomware encrypts PHI, unless the entity proves low probability of compromise through the four-factor test.

Do I have to offer credit monitoring after a breach?

No, federal HIPAA does not mandate credit monitoring, but many state laws and OCR resolution agreements effectively require one to two years of free monitoring.

Can I be criminally prosecuted for a HIPAA breach?

Yes, knowing violations, especially selling or misusing PHI, can trigger up to 10 years in federal prison under 42 U.S.C. §1320d-6.

Does the 60-day deadline include weekends and holidays?

Yes, the deadline is 60 calendar days, not business days, so weekends, holidays, and office closures do not extend the clock.

Must I notify deceased patients’ families about a breach?

Yes, the personal representative or next of kin receives the notice when the individual is deceased, consistent with 45 CFR §164.502(g).

Is a workforce member’s snooping a reportable breach?

Yes, unauthorized access by an employee is a breach unless it falls within the narrow good-faith, same-organization exceptions in 45 CFR §164.402(1).