HIPAA Breach Notification Penalties: 60-Day Rule & What Late Reporting Costs

Last updated: 2026-04-05 — ComplianceStack Editorial Team

The HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) requires covered entities to notify affected individuals, HHS, and in some cases the media — all within 60 days of discovering a breach. Failure to notify, or notifying late without justification, triggers civil money penalties under the standard HIPAA four-tier structure. In 2024, HHS OCR identified breach notification failures as a leading enforcement trigger, with penalties ranging from $141 per unknowing violation up to $2,134,831 for willful neglect not corrected within 30 days. State attorneys general can pursue parallel actions adding up to $25,000 per calendar year per violation category.

Regulatory Authority: 45 CFR §§ 164.400–414 (Breach Notification Rule); 42 U.S.C. § 17951 (HITECH state AG authority); 45 CFR § 160.404 (civil money penalties)

Penalty Tier Breakdown

Individual Notification — 60-Day Deadline

Per violation: $141 – $71,162 (Tier 1, unknowing) up to $71,162 – $2,134,831 (Tier 4, willful neglect)
Annual max: $2,134,831 per violation category

Covered entities must notify each affected individual in writing within 60 days of discovering a breach of unsecured PHI. The 60-day clock starts at the date of discovery — not the date the breach occurred. For organizations that took months to discover a breach, OCR examines whether the delay was itself a Security Rule violation (e.g., insufficient audit controls). Penalties depend on the tier of culpability: unknowing failures receive Tier 1 treatment; deliberate failure to notify falls into Tier 3 or 4.

Example: A regional hospital discovers a breach affecting 8,200 patients on January 5. On March 20 — 74 days later — it sends individual notices. OCR opens an investigation and cites the 14-day delay as a Tier 2 (Reasonable Cause) violation, resulting in a $180,000 resolution agreement.

HHS Notification — Large Breaches (≥500 Individuals)

$1,424 – $71,162 (Tier 2) minimum for deliberate delay
Annual max: $2,134,831 per violation category

Breaches affecting 500 or more individuals must be reported to HHS within 60 days of discovery. HHS posts these notifications on the public 'Wall of Shame' (HHS Breach Portal). Breaches affecting 500 or more in a single state or jurisdiction also require media notice (press release or equivalent) within 60 days. OCR treats failure to report as independent from late individual notification — each is a separate violation.

Example: A health plan experiences a phishing attack affecting 12,000 members. It notifies HHS on day 72, citing ongoing forensic investigation as justification. OCR determines the delay lacked sufficient cause and assesses a $215,000 civil money penalty under Tier 2.

HHS Notification — Small Breaches (<500 Individuals)

$141 – $71,162 per violation (assessed if pattern of delay is found)
Annual max: $2,134,831 if multiple small breaches aggregated

Breaches affecting fewer than 500 individuals must be logged and reported to HHS within 60 days after the end of the calendar year. The annual log must include all small breaches discovered that year. OCR has taken enforcement action when organizations fail to submit annual small-breach logs entirely, or when the log reveals a pattern of recurrent breaches suggesting systemic Security Rule failures.

Example: A multi-practice dental group fails to submit HHS annual small-breach logs for two consecutive years. OCR's investigation uncovers 47 unreported small breaches. The pattern supports a Tier 3 finding (Willful Neglect, Corrected), resulting in an $85,000 settlement and a 2-year corrective action plan.

State Attorney General Parallel Action

$100 per individual per violation, up to $25,000 per violation category per calendar year
Annual max: $25,000 per violation category per year (state AG cap); stacks with OCR CMPs

Under 42 U.S.C. § 17951 (HITECH), state AGs are authorized to bring civil actions for HIPAA violations on behalf of state residents. State AG penalties are capped at $100 per person per violation per calendar year, with an annual maximum of $25,000 per violation category. These penalties are additive with OCR CMPs — a covered entity can face simultaneous OCR and state AG enforcement actions for the same breach. New York, Connecticut, Massachusetts, Texas, and California have been the most active state AG enforcers.

Example: A breach notification failure affecting 18,000 Connecticut residents triggers parallel enforcement by OCR ($320,000 CMP) and the Connecticut AG ($25,000 for breach notification failures + $25,000 for Security Rule failures). Total exposure: $370,000.

How Penalties Are Calculated

Breach notification penalties are assessed under the standard HIPAA four-tier CMP structure (45 CFR § 160.404). Each distinct notification failure can be a separate violation — e.g., failing to notify individuals AND failing to notify HHS are two independent violations. OCR weighs: (1) how late the notification was; (2) whether the entity documented its reasons for any delay; (3) whether the breach itself was caused by Security Rule failures; (4) the entity's history of compliance and breach patterns. Late notification without any documented investigation justification typically results in Tier 2 or Tier 3 findings. State AG penalties (42 U.S.C. § 17951) are calculated separately at $100/person/year, capped at $25,000/violation category/year, and are additive with OCR CMPs.

Recent Enforcement Actions

2024 — Yakima Valley Memorial Hospital (Washington)
Workforce member snooped on patient records for 23 months; hospital failed to timely notify affected individuals and HHS of the workforce-caused breach
Penalty: $240,000 — Tier 2 (Reasonable Cause) for delayed breach notification and workforce training failures
Source: HHS OCR Resolution Agreement, 2024
2024 — BayCare Health System (Florida)
Impermissible disclosure of PHI to unauthorized third party; breach notification sent 74 days after discovery without documented justification for the 14-day overage
Penalty: $800,000 — includes breach notification delay under Tier 2 and underlying Privacy Rule violation
Source: HHS OCR Resolution Agreement, 2024
2023 — Lafourche Medical Group (Louisiana)
Ransomware attack; covered entity failed to notify HHS within 60 days; delayed individual notification by 43 days beyond the statutory deadline
Penalty: $480,000 — Tier 3 (Willful Neglect, Corrected) for combined breach notification and Security Rule failures
Source: HHS OCR Resolution Agreement, November 2023
2023 — Health system, multi-state (New England)
Failed to submit two consecutive annual small-breach logs to HHS; OCR investigation revealed 63 unreported small breaches over 2 years, several involving unsecured portable devices
Penalty: $310,000 — Tier 2 (Reasonable Cause) for failure to report plus Security Rule deficiencies
Source: HHS OCR Resolution Agreement, 2023


Frequently Asked Questions

Does the 60-day clock start from when the breach occurred or when it was discovered?

The 60-day clock starts from the date of discovery — defined as the first day the breach is known to any employee, officer, or agent of the covered entity (other than the person committing the breach). If a breach is discovered on January 5, the covered entity must notify affected individuals by March 5, report to HHS by March 5 (for breaches ≥500), and notify media if required (breaches ≥500 in a single state). However, if OCR determines that the covered entity 'should have known' about the breach earlier — for example, because adequate log monitoring or audit controls would have surfaced it sooner — OCR may treat that earlier date as the constructive discovery date, which can make the notifications late even though they were filed within 60 days of the day the organization actually learned of the breach.
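The deadline logic described above (60 days from the effective discovery date, an earlier constructive discovery date when OCR finds the entity should have known, small breaches reported within 60 days after the calendar year ends, and media notice tied to the per-state 500 count), as an added Python illustration. This is not ComplianceStack's code; the sample dates and headcounts are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

NOTICE_WINDOW = timedelta(days=60)   # 60 days from discovery (45 CFR 164.404-.408)
LARGE_BREACH = 500                   # threshold for immediate HHS notice and media notice


@dataclass
class Deadlines:
    discovery: date          # effective (possibly constructive) discovery date
    individual: date         # written notice to each affected individual
    hhs: date                # report to HHS
    media: Optional[date]    # media notice, only when >=500 in a single state/jurisdiction


def effective_discovery(actual: date, should_have_known: Optional[date] = None) -> date:
    """The clock starts at the earlier of the actual discovery date and any
    'should have known' date OCR imposes as constructive discovery."""
    if should_have_known is not None and should_have_known < actual:
        return should_have_known
    return actual


def notification_deadlines(actual_discovery: date,
                           affected_by_state: Dict[str, int],
                           should_have_known: Optional[date] = None) -> Deadlines:
    discovery = effective_discovery(actual_discovery, should_have_known)
    total = sum(affected_by_state.values())
    individual = discovery + NOTICE_WINDOW
    if total >= LARGE_BREACH:
        hhs = individual                               # same 60-day window as individual notice
    else:
        # small breaches: logged and reported within 60 days after the end of the
        # calendar year in which they were discovered
        hhs = date(discovery.year, 12, 31) + NOTICE_WINDOW
    # media notice is triggered by 500+ in a single state, not by the national total
    media = individual if any(n >= LARGE_BREACH for n in affected_by_state.values()) else None
    return Deadlines(discovery, individual, hhs, media)


def days_late(deadline: date, sent: date) -> int:
    """Days past the deadline; 0 when the notice went out on time."""
    return max(0, (sent - deadline).days)


if __name__ == "__main__":
    # constructed sample: 8,200 patients in one state, discovered 5 January 2024
    d = notification_deadlines(date(2024, 1, 5), {"WA": 8200})
    print(d)
    print("days late if individual notices go out 17 Mar 2024:",
          days_late(d.individual, date(2024, 3, 17)))
```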

What qualifies as a 'breach' that triggers notification requirements?

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy — unless the covered entity can demonstrate a low probability that the PHI has been compromised using the four-factor risk assessment: (1) the nature and extent of the PHI involved; (2) who accessed or could have accessed the PHI; (3) whether the PHI was actually acquired or viewed; (4) the extent to which the risk to the PHI has been mitigated. If the risk assessment is not documented or is inadequate, OCR will presume a breach occurred. 'Unsecured PHI' means PHI that has not been rendered unusable, unreadable, or indecipherable through HHS-approved methods (encryption or destruction per NIST standards).

Can a covered entity avoid breach notification if it encrypts data after discovery?

No. The Safe Harbor exception (45 CFR § 164.402(2)) applies only if PHI is encrypted at the time of the breach — encryption implemented after the incident does not retroactively eliminate the notification obligation. Additionally, the encryption must meet HHS-approved standards (AES-128 minimum for data at rest; TLS 1.2+ for data in transit) per the HHS Guidance Specifying the Technologies and Methodologies that Render PHI Unusable. Decryption keys stored alongside the encrypted data do not qualify. OCR has taken enforcement action against covered entities that claimed the encryption safe harbor but could not produce documentation that encryption was active and key management was secure at the time of the incident.
