HIPAA Breach Notification Penalties: Timelines, Fines & Enforcement

Last updated: 2026-04-13 — ComplianceStack Editorial Team

Under the HIPAA Breach Notification Rule (45 CFR § 164.400–414), covered entities must notify affected individuals within 60 days of discovering a breach of unsecured PHI. Larger breaches (500+ individuals) require simultaneous notification to HHS and prominent media in the affected state. Failing to notify — or notifying late — is a separate HIPAA violation that carries the same civil money penalty structure as Privacy and Security Rule violations. OCR has aggressively pursued breach notification failures; in recent years, notification timing has been the triggering violation in approximately 40% of HIPAA settlements.

Regulatory Authority: 45 CFR §§ 164.400–414 (Breach Notification Rule); 45 CFR § 160.404 (Civil Money Penalties); 42 U.S.C. § 17932 (HITECH Act breach notification mandate)

Penalty Tier Breakdown

Individual Notification Failure (< 500 affected)

$141 – $71,162 per violation
Annual max: $2,134,831 per violation category

Failure to notify affected individuals within 60 days of breach discovery. For breaches affecting fewer than 500 individuals, annual HHS notification is required but not immediate — however, individual notifications must still occur within 60 days. Penalty tier depends on culpability.

Example: A small physical therapy practice experienced a laptop theft and delayed notifying 85 patients for 95 days while waiting for the police report. This triggered a Tier 2 (reasonable cause) enforcement action.

Large Breach Notification Failure (500+ affected)

$14,238 – $71,162 per violation
Annual max: $2,134,831 per violation category

Failure to notify HHS and prominent media within 60 days for breaches affecting 500+ individuals in a single state or jurisdiction. Large breach failures are almost always investigated — HHS OCR reviews the breach portal monthly.

Example: A health plan failed to notify media outlets in two states affected by a network breach of 52,000 patients within the 60-day window. OCR discovered the omission via the HHS breach portal and opened an investigation.

Notification Content Violation

$1,424 – $71,162 per violation
Annual max: $2,134,831 per violation category

Sending breach notifications that omit required content — description of PHI involved, steps individuals should take, what the entity is doing, contact information. Content violations often accompany timing violations in OCR enforcement.

Example: A covered entity notified patients within 60 days but the letter omitted the required description of the types of PHI involved and provided only a generic helpline number with no incident-specific guidance.

Business Associate Breach Notification Failure

$1,424 – $2,134,831 per violation
Annual max: $2,134,831 per violation category

Business associates must notify covered entities within 60 days of breach discovery. Failure to do so is an independent HIPAA violation for the BA — separate from any CMP imposed on the covered entity. BAs have faced OCR enforcement directly since the 2013 Omnibus Rule.

Example: A cloud storage vendor experienced a breach exposing PHI of a hospital client. The BA delayed notification to the covered entity for 120 days while conducting internal forensics. OCR fined the BA independently.

How Penalties Are Calculated

OCR counts each day past the 60-day deadline as a separate violation, up to the annual cap per violation category. For breaches affecting 500+ individuals, simultaneous failures (missing individual notification AND media notification AND HHS notification) are counted as three independent violations — each with its own annual cap. The duration of the failure, the number of individuals harmed, and the entity's history with OCR are the primary penalty drivers. Entities that self-report the breach on the HHS breach portal within 60 days, cooperate fully, and implement a corrective action plan consistently achieve 40–70% reductions from maximum penalty exposure.
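The counting model in the paragraph above, worked through in code. This is an added example, not the page's estimator or any regulator's tool; it assumes one per-violation amount per culpability tier (the low end of each range in the tier table above) and a constructed scenario with dates chosen to exercise an on-time notice, a late notice, and a notice never sent.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

DEADLINE_DAYS = 60       # notice no later than 60 days after discovery
ANNUAL_CAP = 2_134_831   # annual cap per violation category, from the tier table above
# Assumed per-violation amount for each culpability tier: the low end of each
# range on this page. Actual CMP figures are inflation-adjusted every year.
PER_VIOLATION = {1: 141, 2: 1_424, 3: 14_238, 4: 71_162}

@dataclass
class Breach:
    discovered: date    # first day the entity knew, or should have known, of the breach
    affected: int       # number of individuals whose PHI was involved
    # category -> date the notice actually went out; None means not sent yet
    notified: Dict[str, Optional[date]] = field(default_factory=dict)

def deadline(discovered: date) -> date:
    """Last day on which a notification is still timely."""
    return discovered + timedelta(days=DEADLINE_DAYS)

def required_categories(affected: int):
    """500+ individuals adds HHS and media notice to the individual notice."""
    return ["individual", "hhs", "media"] if affected >= 500 else ["individual"]

def days_late(discovered: date, sent: Optional[date], as_of: date) -> int:
    """Days past the deadline; an unsent notice keeps accruing until as_of."""
    end = sent if sent is not None else as_of
    return max(0, (end - deadline(discovered)).days)

def exposure(breach: Breach, tier: int, as_of: date) -> Dict[str, int]:
    """Each late day is one violation, capped separately per category."""
    amount = PER_VIOLATION[tier]
    return {cat: min(days_late(breach.discovered, breach.notified.get(cat), as_of) * amount,
                     ANNUAL_CAP)
            for cat in required_categories(breach.affected)}

def mitigated_range(total: int, low=0.40, high=0.70):
    """Exposure after the 40-70% reductions the page cites for self-reporting entities."""
    return round(total * (1 - high)), round(total * (1 - low))

if __name__ == "__main__":
    # Constructed scenario: 52,000 affected, discovered 2024-01-10; HHS told on time,
    # individuals told 50 days late, media still not told as of 2024-06-01.
    b = Breach(date(2024, 1, 10), 52_000,
               {"individual": date(2024, 4, 29), "hhs": date(2024, 3, 1), "media": None})
    ex = exposure(b, tier=2, as_of=date(2024, 6, 1))
    print(deadline(b.discovered), ex, mitigated_range(sum(ex.values())))
```

In the scenario the media category alone reaches the annual cap at Tier 4, which is why the page stresses that the three notice types for a 500+ breach are counted and capped independently.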

Recent Enforcement Actions

2024 — Advocate Aurora Health (Illinois/Wisconsin)
Impermissible disclosure of PHI via tracking pixels to Meta and Google; delayed notification to 3 million patients
Penalty: $2,100,000 — Tier 3/4 (Willful Neglect)
Source: HHS OCR Resolution Agreement, June 2024

2023 — LA Care Health Plan (California)
Failure to timely notify 1.6 million members following a cybersecurity breach; inadequate breach response procedures
Penalty: $1,300,000 — Tier 3 (Willful Neglect, Corrected)
Source: HHS OCR Resolution Agreement, 2023

2023 — Manasa Health (Multi-state)
Delayed notification to breach victims by more than 6 months; no breach notification policy in place
Penalty: $300,000 — Tier 2/3 (Reasonable Cause / Willful Neglect)
Source: HHS OCR Resolution Agreement, 2023

2022 — Northcutt Dental (Alabama)
Ransomware attack; notified HHS but failed to provide required notifications to individual patients
Penalty: $62,500 — Tier 2 (Reasonable Cause)
Source: HHS OCR Resolution Agreement, December 2022


Frequently Asked Questions

When does the 60-day breach notification clock start?

The 60-day clock starts on the date of breach 'discovery' — defined as the first day the covered entity knew, or reasonably should have known, that a breach had occurred. If a business associate discovered the breach, the clock starts when the covered entity is notified by the BA. Courts and OCR have found that 'discovery' begins when an employee recognizes facts that would lead a reasonable person to conclude a breach occurred — not when a formal investigation concludes.

What if the breach affected fewer than 500 people — do we still need to notify HHS?

Yes. Breaches affecting fewer than 500 individuals in a single state can be reported to HHS annually — consolidated into a single end-of-year submission via the HHS breach portal. However, individual patient notifications are still required within 60 days of discovery, regardless of breach size. There is no small-breach exemption from the individual notification obligation.

What are the required elements of a HIPAA breach notification letter?

Under 45 CFR § 164.404(c), each breach notification must include: (1) a brief description of what happened; (2) a description of the types of PHI involved; (3) steps individuals should take to protect themselves; (4) a brief description of what the covered entity is doing to investigate and mitigate; and (5) contact procedures including a toll-free telephone number, email, website, or postal address. Notifications must be written in plain language. Missing any required element is a separate notification content violation.
