In February 2023, OCR settled with Banner Health for $1.25 million after a breach affecting nearly 3 million individuals — partly because the organization's response exposed gaps in timely notification. This case underscored a question healthcare organizations still get wrong more often than you'd expect: when must PHI-related breaches be reported, and to whom? The deadlines are codified, the exceptions are narrow, and the penalties for late reporting are very real.

The HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) sets explicit timelines. If your organization is a covered entity or business associate, these are non-negotiable.

For breaches affecting 500 or more individuals, your organization must notify affected individuals, the Secretary of HHS, and prominent media outlets in the affected jurisdiction — all without unreasonable delay and no later than 60 calendar days from the date the breach is discovered.

For breaches affecting fewer than 500 individuals, notification to affected individuals must still happen within 60 days of discovery, but reporting to HHS can be deferred. These smaller breaches must be logged and submitted to HHS annually, no later than 60 days after the end of the calendar year in which the breach was discovered.

What Counts as "Discovery" — And Why It Matters

Here's where organizations consistently get tripped up. Under the Breach Notification Rule, a breach is considered "discovered" on the first day it is known — or, by exercising reasonable diligence, would have been known — to any member of your workforce, not just your privacy officer or IT department.

This means if a front-desk employee notices a misdirected fax containing protected health information on March 1, but doesn't report it internally until March 20, the 60-day clock started on March 1. OCR has made clear that ignorance within your organization is not a defense against late reporting.

This is one of the strongest arguments for investing in HIPAA training and certification across every role in your workforce. Staff who can't recognize a potential breach can't report one — and that recognition gap directly impacts your compliance timeline.

The Risk Assessment Exception Most Organizations Misapply

Not every impermissible use or disclosure of PHI constitutes a reportable breach. Under 45 CFR § 164.402, your organization can perform a four-factor risk assessment to determine whether there is a low probability that PHI has been compromised. Those four factors are:

  • The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated

If, after evaluating all four factors, you determine the probability of compromise is low, you may document the analysis and forgo notification. But here's the critical point: the burden of proof is on your organization. If OCR investigates and finds your risk assessment was incomplete or self-serving, the incident reverts to a reportable breach — and you've now missed the deadline.

In my work with covered entities, I've seen organizations use this exception as a crutch rather than a rigorous analytical tool. Document thoroughly, involve your privacy officer, and when in doubt, report.

Business Associate Obligations and the Reporting Chain

If you're a business associate and you discover a breach of protected health information, you must notify the covered entity without unreasonable delay and no later than 60 days after discovery. The covered entity then owns the notification obligations to individuals, HHS, and media.

Your business associate agreement (BAA) may impose even shorter reporting timelines — many covered entities now require notification within 24 to 72 hours. If your BAA says 48 hours and you wait 30 days, you've breached the contract regardless of what the federal rule allows.

This is a compliance gap I see frequently. Business associates often don't fully understand their own obligations under the Omnibus Rule, which extended direct liability to them in 2013. Every member of a business associate's workforce needs to understand these requirements through structured workforce HIPAA compliance programs.

Three Narrow Exceptions to the Breach Definition

The Breach Notification Rule carves out three specific scenarios that are not considered breaches, even if an impermissible disclosure occurred:

  • Unintentional access by a workforce member acting in good faith, within the scope of authority, with no further impermissible use or disclosure
  • Inadvertent disclosure between authorized persons at the same covered entity or business associate
  • Good faith belief that the unauthorized recipient would not be able to retain the PHI

These exceptions are narrow by design. They don't eliminate your obligation to investigate and document. They simply mean that, if the facts genuinely fit, notification isn't required.

OCR Enforcement: Late Reporting Draws Penalties

OCR's enforcement history demonstrates that untimely breach notification is treated as a separate HIPAA violation. In its 2022 annual report to Congress, OCR noted continued issues with organizations failing to meet the 60-day notification window — and it treats late reporting as an aggravating factor when calculating penalties.

Penalties under the HITECH Act's tiered structure can reach up to $2,067,813 per violation category per year (adjusted for inflation as of 2023). A late notification adds a distinct violation on top of whatever caused the breach itself.

State attorneys general can also bring actions under HITECH for HIPAA violations, including notification failures. Several states impose their own breach notification requirements with shorter timelines — some as brief as 30 days.

Build Reporting Readiness Into Your Compliance Program

Knowing when PHI-related breaches must be reported is only useful if your organization has the infrastructure to act on that knowledge. That means three things:

  • Workforce training that teaches every employee — not just IT and compliance — how to recognize and internally report a potential breach immediately
  • A documented incident response plan that maps the Breach Notification Rule's timelines to specific roles and escalation steps
  • Regular risk analysis under the Security Rule (45 CFR § 164.308(a)(1)) to identify vulnerabilities before they become breaches

The minimum necessary standard, the Notice of Privacy Practices, your security safeguards — none of them matter if a breach happens and your team doesn't know the clock is already ticking. Build the muscle memory now, because the 60-day window closes faster than most organizations expect.