How to Notify the Secretary of a Breach: A Guide to the Rules for Breaches Over and Under 500 Individuals (45 CFR § 164.408)

Executive Summary

Under the HIPAA Breach Notification Rule, healthcare providers must notify the Secretary of Health and Human Services (HHS) of any breach involving unsecured Protected Health Information (PHI). But the timing and process differ based on the number of individuals affected. If the breach involves 500 or more individuals, notification must occur without unreasonable delay, no later than 60 days following discovery. For breaches affecting fewer than 500 individuals, entities may report annually, but the deadline is still firm. This article provides small practices with a clear guide for complying with 45 CFR § 164.408, minimizing penalties, and maintaining patient trust.

Understanding the Requirement Under 45 CFR § 164.408

The HIPAA Breach Notification Rule, as enforced by the HHS Office for Civil Rights (OCR), requires covered entities to notify HHS of all breaches of unsecured PHI. The relevant regulation, 45 CFR § 164.408, distinguishes between large and small breaches.

Key Definitions

| Term | Meaning |
|------|---------|
| Breach | An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI |
| Unsecured PHI | PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons using approved encryption or destruction methods |
| Covered Entity | A healthcare provider, health plan, or healthcare clearinghouse subject to HIPAA |
| Business Associate | A vendor or contractor that handles PHI on behalf of a covered entity |

Breach Notification to HHS: Small vs. Large Breaches

Breaches Involving 500 or More Individuals

  • Timeline: Must be reported to the Secretary within 60 calendar days of discovery

  • Method: Electronically via the HHS Breach Notification Portal

  • Details Required:

    • Nature and scope of PHI involved

    • Cause of the breach

    • Mitigation steps taken

    • Number of individuals affected

    • Whether law enforcement delayed the notice

Breaches Involving Fewer Than 500 Individuals

  • Timeline: May be reported annually, but no later than 60 days after the end of the calendar year in which the breach was discovered

  • Method: Same online HHS Breach Portal, but submitted as part of an annual batch

  • Documentation: Even though the report to HHS may be deferred to the annual batch, the breach must still be fully investigated and documented upon discovery

Important: Regardless of the size or scope of a data breach, all covered entities are legally required to notify the individuals affected without unreasonable delay. This obligation applies whether the breach impacts one person or thousands. Additionally, under 45 CFR 164.404 and 164.406, if the breach involves more than 500 residents of a single state or jurisdiction, the covered entity must also provide notification to prominent media outlets serving that area. These requirements are designed to ensure transparency, protect patient rights, and maintain public trust. Failure to comply with these notification rules may result in significant penalties and enforcement actions.
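A small deadline calculator that applies the two tiers above together with the individual-notice and media-notice rules, as an added example that is not part of the article. The ISO date strings, the 612-patient count and the per-state resident count it takes are constructed inputs.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500   # 45 CFR 164.408: 500 or more individuals = large breach
MEDIA_NOTICE_THRESHOLD = 500   # 45 CFR 164.406: more than 500 residents of one state
NOTIFICATION_WINDOW = timedelta(days=60)


@dataclass
class NotificationPlan:
    tier: str                    # "large" (500 or more) or "small" (fewer than 500)
    individual_deadline: date    # last day to notify the affected individuals
    hhs_deadline: date           # last day to notify the Secretary of HHS
    media_notice_required: bool  # notify prominent media in the affected state


def plan_notifications(discovered_on: str, individuals_affected: int,
                       max_residents_one_state: int) -> NotificationPlan:
    """Derive notification deadlines for a breach of unsecured PHI.

    discovered_on: ISO date (YYYY-MM-DD) the breach was discovered.
    individuals_affected: total individuals whose PHI was involved.
    max_residents_one_state: largest number of affected people living in any
        single state or jurisdiction (hypothetical input for the media rule).
    """
    discovered = date.fromisoformat(discovered_on)
    if individuals_affected < 1:
        raise ValueError("a reportable breach affects at least one individual")
    if not 0 <= max_residents_one_state <= individuals_affected:
        raise ValueError("per-state count must be between 0 and the total affected")

    # Individuals are always notified without unreasonable delay and in no
    # case later than 60 calendar days after discovery, whatever the size.
    individual_deadline = discovered + NOTIFICATION_WINDOW

    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        tier, hhs_deadline = "large", individual_deadline
    else:
        # Small breaches may be batched: no later than 60 days after the end of
        # the calendar year of discovery. That is March 1 of the following year,
        # except when that year is a leap year, when the 60th day is Feb 29.
        tier = "small"
        hhs_deadline = date(discovered.year, 12, 31) + NOTIFICATION_WINDOW

    media = max_residents_one_state > MEDIA_NOTICE_THRESHOLD
    return NotificationPlan(tier, individual_deadline, hhs_deadline, media)


def days_overdue(deadline: date, today_iso: str) -> int:
    """Days past the deadline (0 while still inside the window)."""
    return max(0, (date.fromisoformat(today_iso) - deadline).days)
```

Calendar the earlier of the computed date and March 1 for small breaches; the leap-year case is the one a fixed "March 1" reminder silently misses.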

Real-Life Case Study: Failing to Report on Time

In 2022, a small dental practice experienced a breach when an unencrypted external backup drive containing Protected Health Information (PHI) for approximately 612 patients was stolen from a locked office. The practice responded swiftly by notifying all affected individuals, believing that prompt patient communication would satisfy HIPAA’s breach requirements.

However, the practice failed to notify the U.S. Department of Health and Human Services (HHS) within the required 60-day window for breaches involving 500 or more individuals, as mandated by 45 CFR 164.408. Although the Office for Civil Rights (OCR) found no evidence of willful neglect, the failure to report the breach on time still resulted in a $25,000 civil monetary penalty.

In addition to the fine, the practice was required to adopt a corrective action plan, which included staff retraining on breach notification rules and the creation of a formal incident response policy.

Key takeaway: Timely notification to patients alone is not enough. If a breach affects 500 or more individuals, your practice must notify HHS within 60 days, regardless of size or intent, to remain compliant and avoid costly penalties.

Reporting Process Through the HHS Breach Portal

Step-by-Step Process:

  1. Access the Portal:
    https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf

  2. Prepare the Required Information:

    • Name and contact info of the covered entity

    • Date the breach occurred and was discovered

    • Number of individuals affected

    • Breach type (e.g., hacking, loss, unauthorized access)

    • Safeguards in place prior to the breach

    • Steps taken to mitigate harm

  3. Submit for Review:

    • For breaches of 500+: Immediate submission

    • For breaches <500: Consolidated annual submission by March 1 of the following year

  4. Retain Documentation:
    Keep all documentation related to the breach investigation, notification efforts, and your submission for at least six years.

Checklist: HHS Breach Notification Compliance (45 CFR § 164.408)

| Task | Responsible | Frequency |
|------|-------------|-----------|
| Determine number of individuals affected (≥500 or <500) | Privacy Officer | Per incident |
| Conduct thorough breach investigation and document findings | Compliance Officer | Per incident |
| Notify affected individuals without unreasonable delay | Privacy Officer | Per incident |
| Prepare required HHS breach report details (nature, cause, scope, mitigation, etc.) | Compliance Officer | Per incident |
| Submit report via HHS Breach Notification Portal within 60 days for breaches ≥500 | Compliance Officer | Per incident |
| Log breaches <500 for annual reporting | Compliance Officer | Ongoing |
| Submit annual breach report for prior year by March 1 | Privacy Officer | Annually |
| Maintain all breach-related documentation for at least 6 years | Records Manager | Ongoing |
| Review breach reporting procedures and deadlines with staff | Privacy Officer | Annually |
| Audit compliance with breach reporting timelines and documentation | Compliance Officer | Semi-annually |

Common Pitfalls and How to Avoid Them

Pitfall 1: Misclassifying the Breach Size

Small practices may underestimate the number of affected individuals, especially when backups or shared drives are involved, resulting in a failure to report on time under the “500 or more” rule.

How to Avoid It: Conduct a thorough investigation and use IT support to estimate how many individuals' PHI may have been exposed. If in doubt, treat it as a large breach and report promptly.

Pitfall 2: Assuming Patient Notification Is Sufficient

Some providers believe notifying patients is enough. However, the regulation separately mandates that HHS be notified, and for large breaches, that notice must occur within 60 days.

How to Avoid It: Always treat HHS notification as a standalone compliance step. Use checklists during breach response to track all legal obligations.

Pitfall 3: Waiting Too Long on Small Breaches

Even when reporting is permitted annually, practices sometimes fail to calendar the March 1st reporting deadline and miss the submission window.

How to Avoid It: Create a recurring compliance calendar alert each January to ensure all small breaches from the prior year are reported before March 1.

Pitfall 4: Incomplete or Inaccurate HHS Submissions

Submitting incorrect information, such as wrong dates, incomplete explanations, or missing fields, can lead to follow-up audits and corrective actions.

How to Avoid It: Use the HHS breach reporting checklist before submitting. Assign final review to a compliance officer or legal counsel.

Pitfall 5: Missing Evidence of Reporting

Practices often forget to download or save a copy of their HHS submission confirmation.

How to Avoid It: Always download the PDF copy of your submission and store it with the incident file for six years, as required under HIPAA documentation rules.

Final Thoughts and Next Steps

Notifying the Secretary of a breach isn’t just another administrative task; it’s a federally mandated obligation with real regulatory consequences for failure to comply. Many small healthcare practices mistakenly believe that minor breaches or incidents affecting only a few patients are exempt from strict reporting requirements. However, HIPAA regulations are clear: every breach involving unsecured Protected Health Information (PHI) must be reported to HHS, regardless of size or scope.

The requirements under 45 CFR 164.408 establish two tiers: breaches affecting fewer than 500 individuals must be logged and reported annually by March 1st of the following calendar year, while breaches involving 500 or more individuals must be reported within 60 days of discovery.

Failing to report even unintentionally can result in investigations, monetary penalties, and corrective action plans. Proper breach reporting is not just about legal compliance, but also about maintaining transparency and trust with your patients and the federal government.

Next steps for your practice should include reviewing your breach response policy, bookmarking the HHS Breach Portal, training responsible staff on timelines, and scheduling a year-end compliance check to ensure all reportable incidents are submitted before the annual deadline.

Compliance should never get in the way of care.