In February 2024, OCR announced a $4.75 million settlement with Montefiore Medical Center after a former employee accessed and sold the protected health information (PHI) of over 12,000 patients. The breach itself was damaging, but what drew OCR's sharpest scrutiny was the organization's failure to conduct a thorough risk analysis and its delayed response. For every covered entity and business associate, reporting a HIPAA breach is not optional, and the consequences of getting it wrong extend far beyond the initial incident.
What Triggers the HIPAA Breach Notification Rule
The Breach Notification Rule (45 CFR §§ 164.400–414) applies whenever there is an impermissible use or disclosure of PHI that compromises its security or privacy. Under HIPAA, a breach is presumed unless your organization can demonstrate through a four-factor risk assessment that there is a low probability the PHI was compromised.
Those four factors are: the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Document this assessment rigorously; OCR will ask for it.
Three narrow exceptions exist: unintentional access by a workforce member acting in good faith, inadvertent disclosure between authorized persons within the same organization, and situations where your organization has a good-faith belief that the unauthorized recipient could not retain the information. If none of these apply, you are on the clock.
The 60-Day Timeline for Reporting a HIPAA Breach
Once a breach is discovered — or reasonably should have been discovered — your organization has 60 calendar days to notify affected individuals. Discovery is not the moment leadership learns about it; it's the moment any workforce member becomes aware of the incident, or would have become aware through reasonable diligence.
This distinction catches organizations off guard constantly. If a front-desk employee notices suspicious access in January but doesn't report it until March, OCR considers the breach discovered in January. Your 60-day window started ticking the moment that employee had knowledge.
Individual notifications must be sent via first-class mail or email (if the individual has agreed to electronic communication). Each notice must include a description of the breach, the types of PHI involved, steps individuals should take to protect themselves, what your organization is doing in response, and contact information for follow-up.
When You Must Notify HHS and the Media
If the breach affects 500 or more individuals, you must notify the HHS Secretary and prominent media outlets in the affected state or jurisdiction simultaneously — within that same 60-day window. The HHS notification is submitted through the OCR Breach Portal, commonly known as the "Wall of Shame," where the details become public record.
For breaches affecting fewer than 500 individuals, you still must notify HHS, but you may do so on an annual basis. These smaller breach reports are due no later than 60 days after the end of the calendar year in which the breach was discovered. In my work with covered entities, I've seen organizations treat these smaller breaches casually. That's a mistake — OCR aggregates patterns, and repeated small breaches signal systemic compliance failures.
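The timing rules in the two sections above (discovery is the earliest workforce awareness, 60 calendar days to individuals, HHS and media in the same window at 500 or more individuals, and the year-end annual log for smaller breaches) are easy to get wrong when tracked by hand. The following deadline tracker is an added example written for this article; it is not code from the article's author or from any HIPAA tool, and its function names and the constructed scenario (an employee notices suspicious access on 2024-01-12, the privacy officer hears of it on 2024-03-04) are assumptions made for illustration.

```python
"""Breach-notification deadline tracker (added example, not from the original
article). Encodes the timing rules the article describes: discovery is the
earliest date any workforce member knew or should have known; individuals get
notice within 60 calendar days of discovery; breaches of 500+ individuals also
require HHS and media notice in that same window; smaller breaches go to HHS
within 60 days after the end of the calendar year of discovery. Function names
and the sample scenario are constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFICATION_WINDOW = timedelta(days=60)  # "no later than 60 calendar days"
LARGE_BREACH_THRESHOLD = 500              # HHS + media notice threshold


@dataclass(frozen=True)
class BreachDeadlines:
    discovered: date          # regulatory discovery date, not the escalation date
    individual_deadline: date
    hhs_deadline: date
    media_required: bool


def discovery_date(awareness_dates):
    """Discovery is the EARLIEST date any workforce member became aware (or
    should have through reasonable diligence), not the date leadership heard."""
    if not awareness_dates:
        raise ValueError("at least one awareness date is required")
    return min(awareness_dates)


def notification_deadlines(discovered, affected_individuals):
    individual_deadline = discovered + NOTIFICATION_WINDOW
    if affected_individuals >= LARGE_BREACH_THRESHOLD:
        # 500+: HHS and media notice are due in the same 60-day window
        hhs_deadline = individual_deadline
        media_required = True
    else:
        # <500: annual log to HHS, due 60 days after the end of the discovery year
        hhs_deadline = date(discovered.year, 12, 31) + NOTIFICATION_WINDOW
        media_required = False
    return BreachDeadlines(discovered, individual_deadline, hhs_deadline, media_required)


def days_remaining(deadline, today):
    """Positive = days left; zero = due today; negative = days overdue."""
    return (deadline - today).days


# ISO-string wrappers so the tracker can be driven from a ticketing export or CSV
def discovery_date_iso(awareness_dates_iso):
    return discovery_date([date.fromisoformat(d) for d in awareness_dates_iso]).isoformat()


def deadlines_iso(discovered_iso, affected_individuals):
    d = notification_deadlines(date.fromisoformat(discovered_iso), affected_individuals)
    return {
        "discovered": d.discovered.isoformat(),
        "individual_deadline": d.individual_deadline.isoformat(),
        "hhs_deadline": d.hhs_deadline.isoformat(),
        "media_required": d.media_required,
    }


def days_remaining_iso(deadline_iso, today_iso):
    return days_remaining(date.fromisoformat(deadline_iso), date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Constructed scenario: a front-desk employee noticed suspicious access on
    # 2024-01-12, but the privacy officer only heard about it on 2024-03-04.
    discovered = discovery_date_iso(["2024-03-04", "2024-01-12"])
    for affected in (12000, 40):
        plan = deadlines_iso(discovered, affected)
        left = days_remaining_iso(plan["individual_deadline"], "2024-03-04")
        print(f"{affected:>6} affected: {plan}  (days left for individual notice: {left})")
```

Run as-is, the scenario shows the point of the discovery rule: because the clock started on 2024-01-12 rather than 2024-03-04, only eight days remain for individual notice when leadership first hears of the incident, and for the 12,000-patient case HHS and media notice share that same date. The under-500 case instead rolls HHS notice to 2025-03-01, sixty days after the end of 2024. Feed real dates in from your incident log and keep the output with the risk-assessment record.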
Business Associate Obligations in Breach Reporting
If your business associate discovers a breach, they are required to notify your covered entity without unreasonable delay and no later than 60 days after discovery. Your Business Associate Agreement (BAA) should specify a tighter notification window — many organizations require 10 to 30 days.
The responsibility for notifying individuals, HHS, and the media remains with the covered entity, not the business associate. However, if your BAA delegates notification duties, that arrangement must be clearly documented. Ambiguity in BAAs is one of the most common vulnerabilities I see during compliance audits.
The Risk Assessment Most Organizations Get Wrong
The four-factor risk assessment required under 45 CFR § 164.402 is your only mechanism for demonstrating that a breach did not occur. Yet many organizations perform it superficially or skip documentation entirely.
Every risk assessment should be written, dated, signed by a responsible privacy or security officer, and retained for at least six years. Verbal conclusions or informal email chains will not satisfy OCR. When OCR investigates, they request this documentation early in the process — and its absence often escalates a routine inquiry into a full compliance review.
A proper risk analysis — the broader evaluation your Security Rule program demands — should already be identifying vulnerabilities before breaches happen. If your organization hasn't conducted or updated its risk analysis recently, that gap will compound your exposure during any breach investigation.
Penalties for Failing to Report a HIPAA Breach
OCR enforces the Breach Notification Rule with increasing aggression. Penalties fall into four tiers under 45 CFR § 160.404:
- Tier 1: $137 to $68,928 per violation (lack of knowledge)
- Tier 2: $1,379 to $68,928 per violation (reasonable cause)
- Tier 3: $13,785 to $68,928 per violation (willful neglect, corrected)
- Tier 4: $68,928 to $2,067,813 per violation (willful neglect, not corrected)
These amounts, adjusted annually for inflation, apply per violation category per year. A late or incomplete breach notification can itself be a separate HIPAA violation, stacking on top of the underlying privacy or security failure. In 2023 alone, OCR resolved multiple cases where delayed breach reporting was a central factor in the settlement amount.
The Workforce Training Requirement That Prevents Breach Reporting Failures
The most preventable breach reporting failures I encounter stem from one root cause: workforce members who don't know what constitutes a breach or how to escalate it internally. Under the Privacy Rule (45 CFR § 164.530), every covered entity must train all workforce members on HIPAA policies and procedures — including breach identification and internal reporting protocols.
Training isn't a one-time event. It must occur at onboarding and whenever material changes affect PHI handling. Organizations that invest in comprehensive HIPAA training and certification programs see faster internal breach detection, more accurate risk assessments, and significantly reduced OCR exposure.
If your workforce can't recognize a reportable breach when it happens, your 60-day clock runs silently — and by the time leadership discovers the incident, you may already be in violation.
Build a Breach Response Plan Before You Need One
Every covered entity and business associate should maintain a written breach response plan that specifies:
- Who receives internal breach reports and within what timeframe
- Who conducts the four-factor risk assessment
- Who authorizes individual, HHS, and media notifications
- Templates for notification letters that meet the content requirements of 45 CFR § 164.404
- Documentation and retention procedures for all breach-related records
Test this plan annually. Run tabletop exercises. The organizations that handle breach reporting most effectively are the ones that rehearsed before the incident occurred.
Take Action Before OCR Comes Knocking
Breach reporting failures are among the most avoidable — and most penalized — HIPAA violations. The requirements are specific, the timelines are firm, and OCR's enforcement posture continues to intensify. If your organization hasn't reviewed its breach notification procedures, updated its risk analysis, or refreshed workforce training this year, the time to act is now.
Start by ensuring every member of your workforce understands their role in breach identification and reporting through HIPAA Certify's workforce compliance program. A trained workforce is your first line of defense — not just against breaches, but against the regulatory consequences that follow when reporting goes wrong.