Submitting Notice of a Breach to the Secretary

Certain organizations must report health information privacy breaches to the Secretary of the Health and Human Services (HHS).

  • A HIPAA covered entity must notify the Secretary if it discovers a breach of unsecured protected health information. See 45 CFR 164.408.
    • A HIPAA business associate may submit a breach report on behalf of a covered entity.
  • A Part 2 program must notify the Secretary if it discovers a breach of unsecured Part 2 records. See 42 CFR 2.16(b).
    • A qualified service organization may submit a breach report on behalf of a Part 2 program.

You must submit notifications to the Secretary using the online portal links below.

Reporting Based on the Number of People Affected

Breach notification obligations differ based on whether the breach affects 500 or more individuals (referred to as “patients” under Part 2) or fewer than 500 individuals. If you are uncertain about the number of individuals affected by a breach at the time of submission, you should provide an estimate.

Please review the instructions below for submitting breach notifications.

If you discover additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, you may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after its submission of the initial breach report.

Breaches Affecting 500 or More Individuals

If a breach of unsecured protected health information or unsecured Part 2 records affects 500 or more individuals, the covered entity or Part 2 program, respectively, must notify the Secretary of the breach.

When to Report

  • Without unreasonable delay
  • No later than 60 calendar days from the discovery of the breach

How to Report

  • Submit the notice electronically through the online breach reporting portal
  • Complete all required fields in the breach notification form

Submit a Notice for a HIPAA or Part 2 Breach Affecting 500 or More Individuals

View a list of HIPAA Breaches Affecting 500 or More Individuals

View a list of Part 2 Breaches Affecting 500 or More Individuals

Breaches Affecting Fewer than 500 Individuals

If a breach of unsecured protected health information or unsecured Part 2 records affects fewer than 500 individuals, a covered entity or Part 2 program, respectively, must notify the Secretary of the breach.

When to Report

  • Within 60 days after the end of the calendar year in which the breach was discovered
  • You do not have to wait until the end of the year (you may report the breach as soon as it is discovered)

How to Report

  • Submit the notice electronically through the online breach reporting portal
  • Complete all required fields in the breach notification form

Reporting Multiple Breaches

  • You may report multiple breaches on the same date
  • You must submit a separate notice for each breach incident

Submit a Notice for a HIPAA or Part 2 Breach Affecting Fewer than 500 Individuals.

Contact Us

If you have questions or would like to provide feedback about the Breach Notification process under HIPAA and Part 2, or OCR’s investigative process, please send us an email at OCRbreachreportingfeedback@hhs.gov.

Content created by Office for Civil Rights (OCR)
Content last reviewed