📅 2026 Compliance Calendar
HIPAA Compliance
Deadline Tracker
Key dates, recurring requirements, and breach notification windows. Stay ahead of every HIPAA deadline — never miss a compliance milestone.
Recurring Requirements
HIPAA Risk Assessment
Annually (minimum)
Required by §164.308(a)(1). Assess all reasonably anticipated threats to PHI security and integrity, and document the findings and the actions taken.
Security Awareness Training
Annually (best practice)
Required upon hire and when policies change. Annual refresher training significantly reduces breach risk and satisfies audit expectations.
BAA Review
Annually or on vendor change
Review all Business Associate Agreements when vendors change their services, when new vendors are added, or at minimum annually.
Access Control Review
Quarterly (recommended)
Audit user access to PHI systems: remove former employees and adjust permissions for role changes. §164.312(a)(2)(ii) requires unique user identification.
Policy & Procedure Review
Annually or on change
HIPAA requires periodic review and updates to security and privacy policies when operations, technology, or regulations change.
Backup & Recovery Test
Quarterly (recommended)
§164.308(a)(7) requires data backup and disaster recovery plans. Test restoration from backups regularly to confirm business continuity.
⏱ Breach Notification Windows
60 days
Notify individuals + HHS (breaches ≥ 500)
Counted from the date of discovery, for a breach affecting 500 or more individuals in a state or jurisdiction. Media notice is also required in the same window.
60 days
Notify individuals (breaches < 500)
Individual notification required within 60 days of discovery, regardless of breach size.
Mar 1
Annual HHS report — small breaches (< 500)
Breaches affecting fewer than 500 individuals must be reported to HHS annually, within 60 days of the end of the calendar year (March 1 deadline).
Never Miss a Deadline Again
ComplianceStack tracks your deadlines automatically, sends reminders, and keeps your compliance documentation up to date — all on autopilot.
Frequently Asked Questions
What is the HIPAA breach notification deadline?
Covered entities must notify affected individuals within 60 days of discovering a PHI breach. If the breach affects 500 or more individuals in a state, HHS and local media must also be notified within 60 days. Breaches affecting fewer than 500 individuals must be reported to HHS annually by March 1.
How often is HIPAA training required?
HIPAA requires training for all workforce members upon hire and whenever material changes to policies and procedures occur. Annual refresher training is widely considered best practice and is expected by OCR during audits.
When do I need to complete my annual HIPAA risk assessment?
HIPAA does not specify an exact calendar deadline, but you must conduct a risk assessment at least annually and document the results. Many practices align this with their fiscal year or a calendar year (completing it by December 31). It must also be done any time there is a significant change to your environment.
What are the penalties for missing HIPAA deadlines?
Failure to provide timely breach notification is a HIPAA violation subject to civil money penalties of $145 to $50,000 per violation, with an annual cap of $2,190,294 per violation category (2026 adjusted). Criminal penalties can apply for willful neglect, including fines up to $250,000 and up to 10 years imprisonment.