Breach Reporting — Corrective action / RA

Full description

Navigate to: HIPAA for Professionals Regulatory Initiatives Privacy Summary of the Privacy Rule Guidance Combined Text of All Rules HIPAA Related Links Security Security Rule NPRM Summary of the Security Rule Security Guidance Cyber Security Guidance Breach Notification Breach Reporting Guidance Reports to Congress Regulation History Compliance & Enforcement Enforcement Rule Enforcement Process Enforcement Data Resolution Agreements Case Examples Audit Reports to Congress State Attorneys General Special Topics Parental Access Mental and Behavioral Health Change Healthcare Cybersecurity Incident FAQs HIPAA and COVID-19 HIPAA and Reproductive Health HIPAA and Final Rule Notice HIPAA and Telehealth HIPAA and FERPA Research Public Health Emergency Response Health Information Technology Health Apps Patient Safety Covered Entities & Business Associates Business Associate Contracts Business Associates Training & Resources FAQs for Professionals Other Administrative Simplification Rules Substance Use Disorder Confidentiality Submitting Notice of a Breach to the Secretary Certain organizations must report health information privacy breaches to the Secretary of the Health and Human Services (HHS).A HIPAA covered entity must notify the Secretary if it discovers a breach of unsecured protected health information. See 45 CFR 164.408.A HIPAA business associate may submit a breach report on behalf of a covered entity.A Part 2 program must notify the Secretary if it discovers a breach of unsecured Part 2 records. See 42 CFR 2.16(b).A qualified service organization may submit a breach report on behalf of a Part 2 program.You must submit notifications to the Secretary using the online portal links below.Reporting Based on the Number of People AffectedBreach notification obligations differ based on whether the breach affects 500 or more individuals (referred to as “patients” under Part 2) or fewer than 500 individuals. If you are uncertain about the number of individuals affected by a breach at the time of submission, you should provide an estimate.Please review the instructions below for submitting breach notifications.If you discover additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, you may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after its submission of the initial breach report.Breaches Affecting 500 or More IndividualsIf a breach of unsecured protected health information or unsecured Part 2 records affects 500 or more individuals, the covered entity or Part 2 program, respectively, must notify the Secretary of the breach.When to ReportWithout unreasonable delayNo later than 60 calendar days from the discovery of the breachHow to ReportSubmit the notice electronically through the online breach reporting portalComplete all required fields in the breach notification formSubmit a Notice for a HIPAA or Part 2 Breach Affecting 500 or More IndividualsView a list of HIPAA Breaches Affecting 500 or More IndividualsView a list of Part 2 Breaches Affecting 500 or More IndividualsBreaches Affecting Fewer than 500 IndividualsIf a breach of unsecured protected health information or unsecured Part 2 records affects fewer than 500 individuals, a covered entity or Part 2 program, respectively, must notify the Secretary of the breach.When to ReportWithin 60 days after the end of the calendar year in which the breach was discoveredYou do not have to wait until the end of the year (you may report the breach as soon as it is discovered)How to ReportSubmit the notice electronically through the online breach reporting portalComplete all required fields in the breach notification formReporting Multiple BreachesYou may report multiple breaches on the same dateYou must submit a separate notice for each breach incidentSubmit a Notice for a HIPAA or Part 2 Breach Affecting Fewer than 500 Individuals.Contact UsIf you have questions or would like to provide feedback about the Breach Notification process under HIPAA and Part 2, or OCR’s investigative process, please send us an email at OCRbreachreportingfeedback@hhs.gov. Content last reviewed February 13, 2026