A Hospital Waited 101 Days. It Cost Them $4.8 Million.
In 2019, Presence Health agreed to a $475,000 settlement with the Office for Civil Rights (OCR) for a single violation: late breach notification. Not a massive hack. Not millions of stolen records. They simply reported a breach involving paper-based PHI 104 days after discovery — 44 days past the legal deadline. So when must PHI-related breaches be reported? The answer is deceptively simple on paper and routinely botched in practice.
I've watched organizations lose six and seven figures not because they had a breach, but because they mishandled the clock. If you work at a covered entity or business associate, the reporting timeline isn't a suggestion. It's a federal obligation with real teeth.
This post breaks down every deadline, every notification tier, and the mistakes I see organizations make when the clock starts ticking.
The 60-Day Rule: When Must PHI-Related Breaches Be Reported
Under the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414), covered entities must notify affected individuals no later than 60 calendar days after discovering a breach of unsecured protected health information (PHI). Not 60 business days. Calendar days. Weekends and holidays count.
"Discovery" doesn't mean the day your CEO finds out. It means the day any member of your workforce — or any agent of your organization — first knows about the breach. If a front-desk employee notices missing records on March 1 but doesn't tell compliance until March 20, your clock started on March 1.
This is the detail that trips up most organizations I've consulted with. The legal standard is "knew or should have known." Ignorance isn't a defense. Neither is a broken reporting chain.
What Counts as "Unsecured PHI"?
The reporting obligation applies specifically to unsecured PHI — meaning information that hasn't been rendered unusable, unreadable, or indecipherable through encryption or destruction. If a stolen laptop's hard drive was encrypted to NIST standards, you may not have a reportable breach. If it wasn't, you absolutely do.
HHS publishes guidance on what qualifies as secured PHI. I recommend your privacy officer bookmark that page and reference it during every breach risk assessment.
Three Audiences, Three Sets of Rules
HIPAA doesn't just require you to tell patients. Depending on the size of the breach, you may owe notifications to three separate audiences — each with its own rules.
1. Individual Notification
Every affected individual must receive written notice by first-class mail (or email, if they've agreed to electronic communication). The notice must include a description of the breach, the types of PHI involved, steps the individual should take, what your organization is doing in response, and contact information for questions.
The deadline: 60 days from discovery. No exceptions.
2. HHS / OCR Notification
Here's where breach size creates a fork in the road.
Breaches affecting 500 or more individuals: You must notify the HHS Secretary within 60 days of discovery. OCR will post your breach on its public "Wall of Shame" — officially called the Breach Portal. Every reporter, plaintiff's attorney, and competitor in your market monitors that page.
Breaches affecting fewer than 500 individuals: You can log these and submit them to HHS annually, no later than 60 days after the end of the calendar year in which the breach was discovered. So a small breach discovered in February 2026 must be reported to HHS by March 1, 2027.
3. Media Notification
If a breach affects 500 or more residents of a single state or jurisdiction, you must also notify prominent media outlets in that area. Same 60-day deadline. I've seen compliance teams completely forget this requirement, then scramble when OCR asks for proof of media notification during an investigation.
Business Associates: Your Clock Is Different (and Shorter in Practice)
If you're a business associate and you discover a breach, you must notify the covered entity. The Breach Notification Rule requires this "without unreasonable delay" and no later than 60 days after discovery. But here's the catch: most Business Associate Agreements (BAAs) set a much tighter deadline — often 5, 10, or 30 days.
The covered entity's 60-day clock doesn't start until you tell them. So if you wait 55 days as a business associate and then the covered entity needs time to investigate and send notifications, you've effectively made compliance impossible for your client. That's a fast way to lose contracts and invite OCR scrutiny.
I always advise business associates to report within 72 hours internally, then notify the covered entity within the BAA-specified window. Build that muscle now, before you need it.
The $5.55 Million Wake-Up Call from Advocate Medical Group
In 2016, Advocate Medical Group paid $5.55 million to settle HIPAA violations after breaches affecting approximately 4 million individuals. The case involved stolen laptops containing unencrypted ePHI. Among the findings: inadequate risk assessments and failures in breach response protocols.
That settlement wasn't just about the breach itself. It was about the systemic failures that let it happen and the response gaps that followed. OCR doesn't just ask "did you report it?" They ask "did you have a plan, did you train your workforce, and did you follow through?"
This is exactly why structured HIPAA training for your entire workforce matters. Your staff need to know what a breach looks like, who to call, and how fast to move. A reporting chain that only exists in a policy binder is worthless.
What Triggers the Clock? The Four-Part Breach Assessment
Not every incident is a reportable breach. Under the rule, a covered entity must conduct a risk assessment evaluating four factors:
- The nature and extent of the PHI involved — including types of identifiers and likelihood of re-identification.
- The unauthorized person who used the PHI or to whom it was disclosed — a researcher bound by data use agreements is different from a stranger on the internet.
- Whether the PHI was actually acquired or viewed — a misdirected fax returned unopened is different from a stolen database.
- The extent to which the risk has been mitigated — did you get a signed destruction confirmation? Did the recipient confirm they didn't retain copies?
If, after this analysis, you determine the probability of compromise is low, you can document your rationale and treat the incident as a non-reportable event. But document everything. OCR will want to see your math.
The default assumption under HIPAA is that an impermissible use or disclosure is a breach unless you can demonstrate otherwise. The burden of proof sits squarely on your organization.
Penalties for Late or Missing Breach Reports
OCR enforces breach notification violations under the same tiered penalty structure as other HIPAA violations. As of 2026, penalties range from $141 per violation (where the entity didn't know and couldn't have known) up to approximately $2.13 million per violation category per year for willful neglect left uncorrected.
The Presence Health settlement I mentioned earlier was significant because it was the first enforcement action OCR pursued purely for untimely breach notification. The message was clear: the clock matters as much as the content of the notification.
State attorneys general can also bring HIPAA-related actions, and many state breach notification laws have their own timelines — some shorter than 60 days. Your compliance team must know both the federal and state deadlines for every jurisdiction where your patients reside.
How to Build a Breach Reporting Process That Actually Works
After 15+ years in this space, I've seen what separates organizations that survive breaches from those that don't. It comes down to preparation.
Designate a Breach Response Team Before You Need One
Your privacy officer, security officer, legal counsel, and communications lead should all know their roles before an incident occurs. Run a tabletop exercise at least annually.
Train Every Employee to Recognize and Escalate
The workforce member who discovers the breach is almost never the compliance officer. It's the medical assistant who notices a missing chart, the IT tech who spots unusual access logs, or the billing clerk who sent records to the wrong fax number. Every one of them needs to know: report it internally within 24 hours. Explore the HIPAA training catalog at HIPAACertify for role-specific courses that cover exactly this scenario.
Document Everything in Real Time
Your breach log should capture: date of discovery, date of notification, individuals affected, PHI types involved, risk assessment findings, and mitigation steps. OCR investigations often happen a year or more after the breach. Your memory won't be enough. Your documentation will.
Template Your Notification Letters Now
Don't draft breach notification letters for the first time under pressure. Build templates that comply with the content requirements in 45 CFR § 164.404(c) and have legal counsel review them annually.
Quick Reference: PHI Breach Reporting Deadlines
- Individual notification: 60 calendar days from discovery
- HHS notification (500+ individuals): 60 calendar days from discovery
- HHS notification (fewer than 500): Within 60 days after end of the calendar year of discovery
- Media notification (500+ in one state/jurisdiction): 60 calendar days from discovery
- Business associate to covered entity: Per BAA terms, no later than 60 days from discovery
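To make the deadline arithmetic in this list concrete, here is an added example (not from the original post) that computes every notification deadline from a constructed incident record using the rules above; the Incident class, its field names and the sample figures are assumptions, not a HIPAA form.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=60)  # 60 calendar days: weekends and holidays count


@dataclass
class Incident:
    """Constructed incident record (hypothetical structure)."""
    workforce_awareness: list              # ISO dates each workforce member/agent learned of it
    affected_by_state: dict                # state or jurisdiction -> individuals affected
    baa_window_days: Optional[int] = None  # set when you are the business associate


def discovery_date(inc: Incident) -> date:
    """The clock starts the day ANY workforce member knew, not the day compliance heard."""
    return min(date.fromisoformat(s) for s in inc.workforce_awareness)


def deadlines(inc: Incident) -> dict:
    """Return each notification deadline as an ISO string (None where not triggered)."""
    d = discovery_date(inc)
    total = sum(inc.affected_by_state.values())
    if total >= 500:
        hhs = d + WINDOW                     # HHS within 60 days; posted on the Breach Portal
    else:
        hhs = date(d.year, 12, 31) + WINDOW  # annual log: 60 days after that calendar year ends
    media_states = sorted(s for s, n in inc.affected_by_state.items() if n >= 500)
    ba = None
    if inc.baa_window_days is not None:
        # The BAA window governs, but it can never exceed the regulatory 60 days
        ba = min(d + timedelta(days=inc.baa_window_days), d + WINDOW)

    def fmt(x):
        return x.isoformat() if x else None

    return {
        "discovery": fmt(d),
        "individual": fmt(d + WINDOW),
        "hhs": fmt(hhs),
        "media_states": media_states,
        "media": fmt(d + WINDOW) if media_states else None,
        "ba_to_covered_entity": fmt(ba),
    }


def days_late(deadline_iso: str, notified_iso: str) -> int:
    """Positive = overdue by that many days; zero or negative = on time."""
    return (date.fromisoformat(notified_iso) - date.fromisoformat(deadline_iso)).days


if __name__ == "__main__":
    # Constructed: front desk noticed March 1, compliance was told March 20 (clock began March 1)
    small = Incident(["2026-03-20", "2026-03-01"], {"IL": 300, "IN": 150})
    print(deadlines(small))
    print("days late:", days_late(deadlines(small)["individual"], "2026-06-13"))  # 44
```

Run it against your own breach log fields (date of discovery, affected counts per state, BAA window) to check that the dates your team is tracking match what the rule actually requires.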
The Real Risk Isn't the Breach — It's the Response
Every covered entity will eventually face a PHI incident. The organizations that come through intact are the ones that trained their workforce, documented their processes, and hit their deadlines. The ones that didn't? They end up on the OCR Breach Portal, in settlement agreements, and in blog posts like this one.
If your team hasn't reviewed your breach notification procedures this year, do it this week. If your workforce hasn't completed up-to-date HIPAA training, that's your starting point. The 60-day clock waits for no one — and it's probably already running somewhere in your organization right now.