
HIPAA Breach Notification Rule: 60-Day Requirements Explained

HIPAA Breach Notification Rule explained for US organizations — clear, practical guidance to protect PHI and stay audit-ready. Learn the essentials with Cybe

📅 Published: June 2026 🔐 Cybersecurity • HIPAA • USA ⏱️ 2,200 words

The HIPAA Breach Notification Rule requires covered entities and their business associates to notify affected individuals, the Secretary of Health and Human Services (HHS), and in some cases the media, following a breach of unsecured protected health information (PHI). The deadline for notifying HHS depends on the breach's scale. For breaches affecting fewer than 500 individuals, the notification to HHS must be made no later than 60 days after the end of the calendar year in which the breach was discovered. For breaches affecting 500 or more individuals, covered entities must notify HHS without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. This 60-day window is a hard regulatory requirement enforced by the HHS Office for Civil Rights (OCR), and non-compliance can result in civil monetary penalties ranging from $141 to $69,729 per violation, adjusted annually for inflation, with a maximum annual penalty of $2,134,831 for identical violations.

The HIPAA Breach Notification Rule, codified at 45 CFR §§ 164.400-414, is one of the most consequential regulatory frameworks for healthcare organizations, health plans, healthcare clearinghouses, and their business associates operating in the United States. For CISOs, privacy officers, and compliance leads, understanding the precise mechanics of this rule — what constitutes a breach, who must be notified, the exact timeline for each notification category, and how to document compliance — is essential to avoiding regulatory action and preserving patient trust. This guide provides a complete, authoritative breakdown of the 60-day requirements and every other obligation under the rule.

What Is the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule is a federal regulation issued by the HHS under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. It establishes mandatory procedures that covered entities and business associates must follow when a breach of unsecured PHI occurs. The rule applies to all organizations subject to HIPAA, including hospitals, physician practices, health insurance plans, pharmacies, healthcare clearinghouses, and any third-party vendors or subcontractors that handle PHI on their behalf.

The core obligation is straightforward: any impermissible acquisition, access, use, or disclosure of PHI that compromises the security or privacy of that information triggers notification obligations. However, the rule provides a risk assessment framework that allows entities to determine whether an impermissible use or disclosure actually constitutes a breach requiring notification. If the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a four-factor risk assessment, notification is not required.

The Four-Factor Risk Assessment

To determine whether an impermissible use or disclosure of PHI constitutes a breach, the covered entity or business associate must conduct a risk assessment that considers at least the following four factors as outlined in 45 CFR § 164.402(1):

Importantly, the risk assessment places the burden of proof on the covered entity. If the entity cannot demonstrate a low probability of compromise, the incident is presumed to be a breach, and all notification obligations apply. This presumption reinforces the importance of thorough, documented risk assessments performed promptly after any impermissible use or disclosure.

Who Must Comply With the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule applies to two categories of organizations: covered entities and business associates. Covered entities include healthcare providers who conduct electronic transactions, health plans (including employer-sponsored group health plans with 50 or more participants), and healthcare clearinghouses. Business associates are individuals or organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity for functions such as claims processing, data analysis, utilization review, billing, and practice management.

Since the HIPAA Omnibus Rule of 2013, business associates are directly liable for compliance with the Breach Notification Rule. This means that a third-party vendor such as a cloud storage provider, medical transcription service, or IT support firm that experiences a breach of PHI is independently obligated to notify the covered entity of the breach. The covered entity then has the responsibility to notify affected individuals and HHS, unless the business associate agreement specifies otherwise.

Key Takeaway: Direct Liability for Business Associates
Under the HITECH Act and the 2013 Omnibus Rule, business associates are directly regulated by OCR. A business associate that fails to notify a covered entity of a breach within 60 days of discovery faces the same civil monetary penalties as the covered entity. For organizations handling PHI as a vendor, this means robust incident detection and notification processes are non-negotiable.

What Qualifies as a Breach Under HIPAA?

A breach is defined under 45 CFR § 164.402 as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. The definition excludes three specific categories of incidents:

It is critical to note that the "good faith" and "inadvertent" exceptions are narrow and fact-specific. OCR has made clear that these exceptions do not apply to incidents involving malicious intent, gross negligence, or systemic failures. In practice, most security incidents involving external actors — such as hacking, ransomware attacks, or theft of devices containing PHI — will qualify as breaches requiring notification.

The HIPAA Breach Notification Rule: 60-Day Requirements Explained

The 60-day requirement in the HIPAA Breach Notification Rule is one of the most frequently misunderstood provisions. The rule establishes two distinct notification tracks to HHS, and the 60-day timeline applies differently depending on the breach size:

Breaches Affecting 500 or More Individuals

For breaches that affect 500 or more individuals, the covered entity must notify HHS without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. This notification is submitted electronically through the HHS OCR breach reporting portal. Additionally, if the breach affects 500 or more residents of a state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction — typically the largest-circulation newspaper or broadcast station.

OCR maintains a public "wall of shame" — the HIPAA Breach Notification Rule's list of breaches affecting 500 or more individuals — which is continuously updated and available on the HHS website. Inclusion on this list carries significant reputational risk, which is why many organizations prioritize rapid containment, notification, and remediation.

Breaches Affecting Fewer Than 500 Individuals

For breaches involving fewer than 500 individuals, the covered entity must notify HHS annually. The notification must be submitted no later than 60 days after the end of the calendar year in which the breach was discovered. This means an organization that discovers a small breach in March 2025 must log it internally and report it to OCR by March 1, 2026 — but that reporting obligation does not obviate the need to notify affected individuals within 60 days of discovery.

This annual reporting structure creates a compliance risk if organizations fail to maintain accurate, centralized logs of all breaches throughout the year. A business associate that fails to report a smaller breach to the covered entity in a timely manner may inadvertently cause the covered entity to miss its annual filing deadline.

Critical Distinction: Individual Notification vs. HHS Notification
The 60-day clock for notifying affected individuals runs from the discovery of the breach and applies regardless of breach size. Even for breaches affecting fewer than 500 individuals, individual notifications must be sent without unreasonable delay and within 60 days of discovery. The annual filing to HHS for smaller breaches is a separate requirement that consolidates all smaller incidents at the end of the calendar year.

Notification Timelines: A Complete Breakdown

The HIPAA Breach Notification Rule establishes three distinct notification requirements, each with its own deadline. Understanding these timelines is essential for compliance and avoiding enforcement action.

Notice to Affected Individuals

Covered entities must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. This notification must be made without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The notification must include, at minimum:

Notification must be sent by first-class mail to the individual's last known address, or by email if the individual has agreed to receive electronic notices. If the covered entity does not have sufficient contact information for 10 or more individuals, the entity must post a conspicuous notice on its website for at least 90 days or provide substitute notice through print or broadcast media where the affected individuals likely reside.

Notice to HHS

As detailed above, the timeline for notifying HHS depends on the breach size:

For breaches affecting 500 or more individuals: Notification must be made without unreasonable delay and within 60 calendar days of discovery. A breach of this size is reported to HHS contemporaneously even if it is discovered during the annual reporting period used for smaller breaches; it is never held back for the annual report.

For breaches affecting fewer than 500 individuals: Notification is submitted annually, no later than 60 days after the end of the calendar year in which the breach was discovered. Entities must log each breach and include all qualifying incidents in a single annual report.

Notice to Media

When a breach affects 500 or more residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that state or jurisdiction. This notification must also be made without unreasonable delay and within 60 calendar days of the breach discovery. The media notice must contain the same information as the individual notice.
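The three deadlines above, worked as a small breach-log calculator. This is an added example, not code from the article or from CyberSilo; it uses only the thresholds the article states (500 individuals, 60 calendar days, annual filing 60 days after year end), while the record fields, function names and sample incidents are constructed for illustration. It goes slightly beyond the article's "March 1" figure by computing the annual deadline as December 31 plus 60 days, which lands on February 29 when the following year is a leap year.

```python
"""Deadline tracking for HIPAA breach notices (individuals, HHS, media).

Added example, not part of the original article. Thresholds and windows
are those the article states; record fields and function names are this
example's own choices.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

LARGE_BREACH = 500            # 500 or more individuals: contemporaneous HHS notice
MEDIA_THRESHOLD = 500         # 500 or more residents of one state: media notice
WINDOW = timedelta(days=60)   # "in no case later than 60 calendar days"


@dataclass
class BreachRecord:
    """One row of the centralized breach log (hypothetical schema)."""
    incident_id: str
    discovered: date                  # first day known, or reasonably should have been known
    affected_total: int
    affected_by_state: dict = field(default_factory=dict)  # residents per state/jurisdiction
    individual_notice_sent: Optional[date] = None
    hhs_notice_sent: Optional[date] = None
    media_notice_sent: Optional[date] = None


def individual_deadline(discovered: date) -> date:
    """Applies regardless of breach size; the clock runs from discovery."""
    return discovered + WINDOW


def hhs_deadline(discovered: date, affected_total: int) -> date:
    if affected_total >= LARGE_BREACH:
        return discovered + WINDOW
    # Fewer than 500: annual filing, 60 days after the end of the calendar
    # year of discovery. Computed rather than hard-coded as "March 1" so the
    # result is Feb 29 when the following year is a leap year.
    return date(discovered.year, 12, 31) + WINDOW


def media_jurisdictions(affected_by_state: dict) -> list:
    """States/jurisdictions whose resident count triggers a media notice."""
    return sorted(s for s, n in affected_by_state.items() if n >= MEDIA_THRESHOLD)


def deadlines(rec: BreachRecord) -> dict:
    """Every notice this record requires, keyed by notice type."""
    due = {
        "individuals": individual_deadline(rec.discovered),
        "hhs": hhs_deadline(rec.discovered, rec.affected_total),
    }
    if media_jurisdictions(rec.affected_by_state):
        due["media"] = rec.discovered + WINDOW
    return due


def overdue(rec: BreachRecord, today: date) -> list:
    """Notice types that are past their deadline and still unsent."""
    sent = {
        "individuals": rec.individual_notice_sent,
        "hhs": rec.hhs_notice_sent,
        "media": rec.media_notice_sent,
    }
    return sorted(kind for kind, due in deadlines(rec).items()
                  if sent[kind] is None and today > due)


def review_log(log: list, today_iso: str) -> dict:
    """Overdue notices per incident, for a review run on the given date."""
    today = date.fromisoformat(today_iso)
    return {rec.incident_id: overdue(rec, today) for rec in log}


# Constructed sample log: the small March 2025 breach from the article, a
# large multi-state breach, and a small breach discovered before a leap year.
SAMPLE_LOG = [
    BreachRecord("INC-2025-0042", date(2025, 3, 15), 120, {"OH": 120}),
    BreachRecord("INC-2025-0107", date(2025, 7, 1), 2400,
                 {"NY": 1800, "NJ": 450, "CT": 150},
                 individual_notice_sent=date(2025, 8, 15)),
    BreachRecord("INC-2023-0311", date(2023, 11, 1), 40, {"PA": 40},
                 individual_notice_sent=date(2023, 12, 20),
                 hhs_notice_sent=date(2024, 2, 15)),
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(rec.incident_id, {k: v.isoformat() for k, v in deadlines(rec).items()})
    print("overdue on 2025-09-15:", review_log(SAMPLE_LOG, "2025-09-15"))
```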

How to Achieve and Maintain HIPAA Breach Notification Compliance

Compliance with the HIPAA Breach Notification Rule requires more than simply knowing the deadlines. Organizations must build operational capabilities that enable rapid breach detection, accurate risk assessment, and flawless execution of the notification process. The following steps provide an enterprise-grade framework for compliance.

1. Establish a Breach Response Team and Plan

Designate a breach response team that includes representatives from legal, privacy, security, communications, and executive leadership. Develop a written breach response plan that defines roles, notification templates, escalation procedures, and timelines. The plan should be tested through tabletop exercises no less than annually, with particular focus on the 60-day notification deadline for large breaches.

2. Deploy Continuous Monitoring for PHI Access and Disclosure

Implement technical controls — including SIEM, user and entity behavior analytics (UEBA), and data loss prevention (DLP) systems — that monitor for unauthorized access, anomalous data transfers, and other indicators of PHI compromise. These tools should generate alerts that trigger a predefined incident response workflow within the breach response team. ThreatHawk SIEM provides continuous monitoring tailored to healthcare environments, with pre-built correlation rules for HIPAA-related events and automated alerting that can significantly reduce detection time.

3. Conduct Prompt Four-Factor Risk Assessments

When an incident is detected, the breach response team must immediately perform the four-factor risk assessment. This assessment should be documented in writing and preserved as part of the entity's compliance records. If the assessment concludes that there is a low probability of compromise, document the rationale thoroughly — OCR may request these documents during an audit or investigation.

4. Execute Notifications Within the 60-Day Window

If the risk assessment determines a breach has occurred, begin the notification process immediately. Prepare individual notification letters using approved templates, verify contact information, and send by first-class mail or email within the 60-day period. For breaches involving 500 or more individuals, simultaneously submit the HHS notification through the OCR portal and coordinate media notification.

5. Maintain a Breach Log for Annual Reporting

Maintain a centralized breach log that records all incidents, regardless of whether they were determined to be breaches requiring notification. The log should include the date of discovery, the nature of the incident, the results of the risk assessment, and the notification timeline. For breaches affecting fewer than 500 individuals, ensure the log is reviewed before the annual HHS filing deadline to capture all qualifying incidents from the calendar year.

6. Review and Update Business Associate Agreements

Business associate agreements (BAAs) must include provisions requiring business associates to notify the covered entity of a breach without unreasonable delay. Update existing BAAs to specify a notification timeline shorter than the 60-day maximum — 24 to 72 hours is recommended — to give the covered entity adequate time to assess the incident and prepare its own notifications. Ensure that the BAA also requires the business associate to provide sufficient information about the breach to enable the covered entity to meet its notification obligations.

7. Automate Compliance Evidence Collection

Manual compliance evidence management is unsustainable for organizations that manage PHI at scale. Automated tools can capture logs, timestamp risk assessment decisions, track notification deadlines, and generate audit-ready reports. CyberSilo Compliance Standards Automation provides integrated workflows that map breach notification requirements to the HIPAA Security and Privacy Rules, reducing the administrative burden on compliance teams and improving accuracy.

Penalties for Non-Compliance

OCR enforces the HIPAA Breach Notification Rule through civil monetary penalties (CMPs) structured in a tiered system based on the entity's level of culpability. The penalty ranges, adjusted annually for inflation, are as follows as of the latest HHS rule:

In addition to CMPs, OCR may require corrective action plans that mandate specific remediation measures, such as revising policies, retraining staff, or implementing new technical safeguards. For breaches that also violate state notification laws — which exist in all 50 states, the District of Columbia, and U.S. territories — entities face additional penalties, including potential private civil actions from affected individuals.

The 2021 American Hospital Association v. Becerra decision clarified that OCR cannot apply penalties retroactively to entities that self-report and promptly mitigate breaches, but only if the entity can demonstrate compliance with all applicable HIPAA rules. This legal environment underscores the importance of proactive breach notification compliance as a liability mitigation strategy.

Ensure Your HIPAA Breach Notification Process Is Audit-Ready

Failed to notify within the 60-day window? Uncertain whether your risk assessment methodology meets OCR expectations? CyberSilo's compliance experts can review your breach response plan, test your notification workflows, and help you build a defensible compliance posture. Our Compliance Standards Automation platform integrates with your existing security stack to automate evidence collection and reduce the risk of human error.

How HIPAA Breach Notification Works for Business Associates

Business associates have independent obligations under the Breach Notification Rule. When a business associate discovers a breach of PHI that it creates, receives, maintains, or transmits on behalf of a covered entity, the business associate must notify the covered entity without unreasonable delay and within 60 calendar days of discovery. The business associate must include in its notification:

Critically, the business associate does not directly notify affected individuals or HHS — that responsibility falls to the covered entity. However, the business associate is responsible for ensuring its notification to the covered entity contains sufficient information for the covered entity to fulfill its own notification obligations within the 60-day window. Failure to provide timely and complete notification to the covered entity exposes the business associate to direct OCR enforcement.

For business associates operating in multiple jurisdictions, including Canada, the interaction between HIPAA requirements and Canadian privacy laws such as PIPEDA and provincial health privacy laws adds complexity. In cross-border arrangements where PHI is stored or processed in Canada, business associates must navigate both the HIPAA Breach Notification Rule's mandatory 60-day notification and the breach reporting requirements under Canadian law, which may have different timelines and notification thresholds. Canadian cybersecurity compliance services can help organizations manage these dual obligations.

Relationship Between HIPAA Breach Notification and Other Regulations

The HIPAA Breach Notification Rule does not exist in isolation. Organizations that handle PHI are often subject to other regulatory frameworks that impose overlapping or complementary breach notification requirements. For example:

For organizations operating across the U.S.-Canada border, building a unified breach response capability that addresses the most stringent requirements from all applicable jurisdictions is the most efficient and defensible approach. U.S. cybersecurity compliance services can help map these overlapping requirements and build a single, integrated notification workflow.

Best Practices for Proofing Your HIPAA Breach Response

A robust HIPAA breach response program goes beyond minimum compliance to build organizational resilience and trust. Consider these best practices drawn from OCR settlement agreements and industry guidance:

1. Reduce detection time through automation. The 60-day clock starts ticking from the moment the breach is discovered — not from the moment it occurred. Organizations that detect breaches faster have more time to perform risk assessments and prepare notifications. Implementing a SIEM solution such as ThreatHawk SIEM with real-time monitoring of PHI access logs can compress detection time from days to minutes.

2. Pre-draft notification templates and workflows. Developing FDA/OCR-approved notification templates in advance — for individual notices, media notices, and HHS submissions — eliminates the time-consuming drafting process during a breach event. Pre-approve these templates with legal counsel to ensure they meet all content requirements under 45 CFR § 164.404(c).

3. Conduct annual tabletop exercises. Mock breach scenarios that test the 60-day notification workflow under simulated pressure conditions reveal gaps in communication, delays in risk assessment completion, and technical issues with notification systems. OCR has cited failure to test incident response plans as a contributing factor in several enforcement actions.

4. Maintain a secure, centralized breach log. Use a compliance management platform — not spreadsheets — to track every incident from detection through closure. The log should include timestamps for each step in the notification process to demonstrate compliance with the "without unreasonable delay" standard, even if the notification occurs well within the 60-day maximum.

5. Train workforce members continuously. Every workforce member who handles PHI should be trained to recognize potential breaches and escalate them to the breach response team immediately. Training should cover the distinction between impermissible uses and disclosures that require a risk assessment versus those that qualify for the "inadvertent" exception, which is narrower than most employees assume.

Get a Compliance Assessment Today

Is your HIPAA breach notification process ready for an OCR audit? CyberSilo offers targeted compliance assessments that evaluate your breach detection capabilities, risk assessment methodology, notification workflows, and BAA oversight. Our experts will deliver a prioritized action plan that addresses gaps and reduces your exposure to penalties.

Frequently Asked Questions

What is the exact 60-day requirement in the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule at 45 CFR § 164.404(b) requires that notifications to affected individuals be made "without unreasonable delay and in no case later than 60 calendar days" from the discovery of the breach. For breaches affecting 500 or more individuals, the same 60-day timeline applies to notifications to HHS and media outlets. For breaches affecting fewer than 500 individuals, notification to HHS must be made annually, no later than 60 days after the end of the calendar year in which the breach was discovered. Critically, "discovery" is defined as the first day the breach is known or, by exercising reasonable diligence, would have been known, which means organizations cannot delay the clock by failing to investigate suspicious activity.

Are business associates required to notify HHS directly about breaches?

No. Business associates are required to notify the covered entity of a breach without unreasonable delay and within 60 calendar days of discovery. The covered entity retains the primary obligation to notify affected individuals, HHS, and the media. However, business associates are directly liable for failing to provide timely and complete notification to the covered entity and may face civil monetary penalties directly from OCR for such failures. The business associate's notification must include sufficient information for the covered entity to fulfill its own notification obligations within the 60-day window.

What happens if a covered entity misses the 60-day notification deadline?

Missing the 60-day deadline exposes the covered entity to OCR enforcement action, including civil monetary penalties that can range from $141 to $69,729 per violation depending on the entity's level of culpability. OCR also considers the duration of non-compliance — each day of delay may be treated as a separate violation. Additionally, late notifications undermine patient trust and may result in reputational harm. Organizations that discover they have missed a deadline should notify affected individuals and HHS immediately, document the reasons for the delay, and cooperate fully with any OCR investigation. Voluntary self-reporting and immediate corrective action can reduce, but not eliminate, potential penalties.

Does a ransomware attack always require HIPAA breach notification?

Yes, in nearly all cases. OCR issued guidance in 2021 clarifying that ransomware attacks affecting PHI are generally presumed to be breaches under the HIPAA Breach Notification Rule because the unauthorized access to and encryption of data constitutes an impermissible access and disclosure. The covered entity may conduct a four-factor risk assessment to rebut the presumption, but OCR has stated that the assessment must demonstrate with strong evidence that the PHI was not actually accessed, acquired, used, or disclosed — a very difficult standard to meet when ransomware actors have demonstrated the ability to exfiltrate data before encryption. Organizations should generally treat any ransomware incident involving PHI as a breach and begin the notification process immediately.

How does the HIPAA Breach Notification Rule apply to Canadian healthcare organizations?

The HIPAA Breach Notification Rule applies directly to any organization — including Canadian healthcare providers, health insurers, and their business associates — that handles PHI of U.S. residents. This frequently occurs when Canadian hospitals treat U.S. patients, when Canadian health insurers contract with U.S. health plans, or when Canadian companies process medical data for U.S. covered entities. In these cases, the organization must comply with HIPAA's 60-day notification requirements in addition to Canadian breach notification obligations under PIPEDA, PHIPA (Ontario), and other provincial health privacy laws, which generally require notification "as soon as feasible." Canadian organizations should adopt the more stringent timeline — typically notification within days — to satisfy both regulatory regimes. CyberSilo's PHIPA compliance services can help navigate these dual obligations.

Our Conclusion & Recommendation

The HIPAA Breach Notification Rule's 60-day requirements represent one of the most enforceable and frequently audited provisions in the U.S. healthcare privacy framework. For CISOs, privacy officers, and compliance leads, the operational reality is that compliance demands more than calendar awareness — it requires a mature incident detection capability, a practiced risk assessment methodology, and a notification workflow that can execute flawlessly under time pressure. Organizations that invest in automation, pre-prepared templates, and cross-functional tabletop exercises position themselves to meet the 60-day deadline — and the "without unreasonable delay" standard — even in complex breach scenarios involving multiple business associates and overlapping state laws.

CyberSilo's Compliance Standards Automation platform provides healthcare organizations with an integrated approach to breach response, combining continuous monitoring, automated evidence collection, and pre-configured notification workflows that align with OCR requirements. For organizations that prefer guided implementation, our compliance specialists offer end-to-end assessment and gap analysis services tailored to the HIPAA Breach Notification Rule and its interplay with state and international privacy laws. To ensure your organization is prepared for its next breach notification obligation, contact our team to schedule a compliance assessment.

Get a Compliance Assessment Today

Don't wait for a breach to test your notification process. Our HIPAA compliance assessment evaluates your breach detection, risk assessment, and notification workflows against OCR expectations and delivers a prioritized remediation plan.
