Instructions for Submitting Notice of a Breach to the Secretary

The breach notification rule requires covered entities to provide the Secretary with notice of breaches of unsecured protected health information (45 CFR 164.408). All notifications must be submitted to the Secretary using the OCR submission portal below. The number of individuals affected by the breach determines when the notification must be submitted to the Secretary. Please review the instructions below for submitting breach notifications.

Breaches Affecting 500 or More Individuals

If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach.  This notice must be submitted electronically by following the link below and completing all information required on the breach notification form.  
 

If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission.  If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected.  As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.
 

For questions regarding the completion and submission of this form, please e-mail OCRPrivacy@hhs.gov.
 

Submit Notice of a Breach Affecting 500 or More Individuals

Breaches Affecting Fewer than 500 Individuals

For breaches that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice of breaches within 60 days of the end of the calendar year in which the breaches were discovered. This notice must be submitted electronically by following the link below and completing all information required on the breach notification form. A separate form must be completed for every breach that was discovered during the calendar year.

If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission. If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected. As this information becomes available, an additional breach report may be submitted as an addendum to the initial report.

For questions regarding the completion and submission of this form, please e-mail OCRPrivacy@hhs.gov.

Submit Notice of a Breach Affecting Fewer than 500 Individuals
