Reporting timeframes under HIPAA depend on the type of event. Breach notifications under the HIPAA Breach Notification Rule are due without unreasonable delay and no later than 60 calendar days from discovery in most cases, while complaints to the U.S. Department of Health and Human Services Office for Civil Rights must be filed within 180 days of when the person knew of the act or omission, subject to extension for good cause.
A “HIPAA violation” is not a single reporting category in the HIPAA Rules. The HIPAA Breach Notification Rule applies when there is a breach of unsecured protected health information, which is an impermissible use or disclosure that is not excluded by an exception and is not shown through a documented assessment to have a low probability of compromise. The HIPAA Privacy Rule and HIPAA Security Rule also apply to inappropriate access, use, disclosure, or safeguarding failures, which may be addressed through internal compliance reporting and, when required, breach notification.
For breaches of unsecured protected health information, a HIPAA Covered Entity must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. If a breach affects more than 500 residents of a state or jurisdiction, the HIPAA Covered Entity must also notify prominent media outlets serving the affected area within the same 60-day outer limit.
Notification to the U.S. Department of Health and Human Services depends on the number of affected individuals. For breaches affecting 500 or more individuals, notification to the Secretary must be made without unreasonable delay and no later than 60 calendar days from discovery. For breaches affecting fewer than 500 individuals, the HIPAA Covered Entity may maintain a log and submit the notice to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.
When a breach occurs at or by a Business Associate, the Business Associate must notify the HIPAA Covered Entity without unreasonable delay and no later than 60 calendar days from discovery, and provide available information needed for the HIPAA Covered Entity’s individual notifications. Contracts may require shorter reporting windows, and organizations frequently enforce shorter internal escalation timelines to support investigation, mitigation, and decision-making.
Separately, an individual complaint to the U.S. Department of Health and Human Services Office for Civil Rights must be filed within 180 days of when the person knew of the act or omission, and the filing period may be extended when the person shows good cause.
