HIPAA BREACH NOTIFICATION — HHS

Organization Name: [________________________________]
Breach Reference Number: [________________________________]
Document Version: [____]
Prepared By: [________________________________]
Date Prepared: [__/__/____]
Legal Review Completed: ☐ Yes — Date: [__/__/____] ☐ Pending

SECTION 1: HHS NOTIFICATION REQUIREMENTS OVERVIEW

1.1 Statutory Basis

Under 45 C.F.R. § 164.408, a covered entity must notify the Secretary of the U.S. Department of Health and Human Services ("HHS") of breaches of unsecured protected health information ("PHI"). The notification must be submitted electronically through the HHS Breach Portal (OCRNOTIFY) at:

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

1.2 Two-Track Reporting System

1.3 Determining the Number of Affected Individuals

The number of affected individuals determines the reporting track and timeline:

☐ Count each individual whose unsecured PHI was or is reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach
☐ Include individuals identified during the investigation, even if not all investigations are complete by the reporting deadline
☐ If the exact number is unknown, provide your best estimate and update later via addendum

Number of Individuals Affected: [________________________________]
Reporting Track: ☐ Track 1 (500+) ☐ Track 2 (<500)

1.4 Key Dates

SECTION 2: HHS BREACH PORTAL — STEP-BY-STEP SUBMISSION GUIDE

2.1 Accessing the Portal

1. Navigate to: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
2. Select the appropriate report type:
   ☐ New Report — First submission for this breach
   ☐ Addendum — Supplemental information for a previously reported breach (requires original transaction number)

2.2 Section A: Report Type and Covered Entity Information

A.1 Report Type:
☐ Covered Entity breach report
☐ Business Associate breach report (on behalf of Covered Entity)

A.2 Is this an addendum to a previously filed report?
☐ No — New report
☐ Yes — Previous transaction number: [________________________________]

A.3 Covered Entity Information:

A.4 Contact Person for this Breach Report:

2.3 Section B: Business Associate Information

B.1 Was a business associate involved in the breach?
☐ No — Skip to Section C
☐ Yes — Complete the following:

2.4 Section C: Breach Details

C.1 Date of Breach:

C.2 Date Breach Discovered:
[__/__/____]

Note: The discovery date starts the 60-day notification clock. A breach is "discovered" on the first day it is known or, by exercising reasonable diligence, would have been known.

C.3 Number of Individuals Affected:
[________________________________]

☐ Exact count
☐ Approximate count (will update via addendum when exact count is determined)

C.4 Type of Breach:

Check all that apply:

☐ Hacking/IT Incident
☐ Unauthorized Access/Disclosure
☐ Theft
☐ Loss
☐ Improper Disposal
☐ Other: [________________________________]

C.5 Location of Breached Information:

Check all that apply:

☐ Email
☐ Electronic Medical Record (EMR/EHR)
☐ Desktop Computer
☐ Laptop
☐ Network Server
☐ Portable Electronic Device (tablet, USB, external hard drive)
☐ Paper/Films
☐ Other: [________________________________]

2.5 Section D: Type of PHI Involved

Check all types of PHI involved in the breach:

Demographic Information:
☐ Name
☐ Date of birth
☐ Address (street, city, state, zip)
☐ Phone number
☐ Email address
☐ Social Security number
☐ Driver's license / state ID number

Financial Information:
☐ Credit card / debit card number
☐ Financial account number
☐ Payment information

Clinical / Medical Information:
☐ Medical record number
☐ Patient account number
☐ Diagnosis / conditions
☐ Treatment information
☐ Medications
☐ Lab results / test results
☐ Clinical notes
☐ Dates of service
☐ Provider name

Insurance Information:
☐ Health insurance member ID
☐ Health insurance group number
☐ Medicare / Medicaid beneficiary number
☐ Health plan beneficiary number
☐ Claims information

Other Identifiers:
☐ Biometric identifiers
☐ Full-face photographs
☐ Device identifiers / serial numbers
☐ Internet Protocol (IP) addresses
☐ Certificate / license numbers
☐ Vehicle identifiers
☐ Other: [________________________________]

2.6 Section E: Description of Breach and Actions Taken

E.1 Brief Description of the Breach:

Provide a plain-language description of the breach incident:

[________________________________]
[________________________________]
[________________________________]
[________________________________]
[________________________________]

Guidance: Include what happened, how it was discovered, and the basic facts. Be factual and concise. This description will be publicly available for breaches affecting 500+ individuals.

E.2 Safeguards in Place Prior to the Breach:

Describe the administrative, physical, and technical safeguards that were in place at the time of the breach:

☐ Encryption of data at rest
☐ Encryption of data in transit
☐ Access controls / role-based access
☐ Multi-factor authentication
☐ Audit logging and monitoring
☐ Workforce training on HIPAA privacy and security
☐ Business Associate Agreements in place
☐ Physical access controls (locks, badge access)
☐ Firewall and intrusion detection/prevention
☐ Antivirus / anti-malware software
☐ Other: [________________________________]

E.3 Actions Taken in Response to the Breach:

☐ Investigation conducted (internal and/or external forensics)
☐ Affected systems contained and secured
☐ Credentials reset / access revoked
☐ Vulnerability patched or remediated
☐ Additional security measures implemented
☐ Policies and procedures updated
☐ Workforce retrained
☐ Law enforcement notified
☐ Credit monitoring / identity protection offered to affected individuals
☐ Disciplinary action taken against responsible workforce members
☐ Business Associate Agreement reviewed and/or terminated
☐ Other: [________________________________]

2.7 Section F: Individual Notification Status

F.1 Were individuals notified of the breach?
☐ Yes ☐ Not yet — planned date: [__/__/____]

F.2 If yes, date(s) of notification:
[__/__/____] to [__/__/____]

F.3 Method of individual notification:
☐ First-class mail
☐ Email (with prior individual consent)
☐ Substitute notice (website posting + toll-free number)
☐ Telephone (urgent notification)
☐ Combination: [________________________________]

F.4 If substitute notice was used, describe:
[________________________________]

2.8 Section G: Media Notification Status

G.1 Was media notification required? (500+ residents of a single state/jurisdiction)
☐ Yes ☐ No

G.2 If yes, date of media notification:
[__/__/____]

G.3 Media outlets notified:
[________________________________]

2.9 Section H: Law Enforcement

H.1 Was notification delayed at the request of law enforcement?
☐ Yes ☐ No

H.2 If yes, provide details:
Law enforcement agency: [________________________________]
Date of request: [__/__/____]
Delay period: [________________________________]

2.10 Submission

Review all entries carefully before submitting. Once submitted, the portal will generate a transaction/confirmation number. Save this number for your records and any future addendum submissions.

☐ All information reviewed and verified
☐ Legal counsel has reviewed the submission
☐ Privacy Officer has approved the submission
☐ Submission completed: Date [__/__/____]
☐ Confirmation/Transaction Number: [________________________________]

SECTION 3: THE HHS "WALL OF SHAME" (BREACH PORTAL PUBLIC POSTING)

3.1 Public Posting of Large Breaches

HHS/OCR publicly posts all breaches affecting 500 or more individuals on the HHS Breach Portal at:

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

This is commonly referred to as the "Wall of Shame." The publicly posted information includes:

• Name of covered entity
• State
• Covered entity type
• Number of individuals affected
• Breach submission date
• Type of breach
• Location of breached information
• Whether a business associate was involved
• Web description of the breach

3.2 Implications

☐ Posted breaches remain publicly visible indefinitely (OCR maintains archives)
☐ Posted breaches routinely generate media coverage, class action lawsuits, and regulatory scrutiny
☐ OCR investigates all breaches affecting 500+ individuals
☐ The description provided in the portal submission becomes the public record of the breach
☐ Consider the public nature of this posting when drafting the breach description

3.3 Strategic Considerations for the Public Description

Legal counsel should review the breach description with the following in mind:

☐ The description will be publicly searchable and accessible to the media, plaintiffs' attorneys, and the public
☐ The description should be factual and accurate but need not include unnecessary detail
☐ Avoid language that could be construed as an admission of negligence or liability
☐ The description should be consistent with the individual notification letters and press release
☐ Consider that OCR investigators will compare the portal description with the investigation file

SECTION 4: OCR INVESTIGATION PROCESS

4.1 What to Expect After Submission (Breaches of 500+)

Step 1: Acknowledgment
OCR sends an acknowledgment letter confirming receipt of the breach report.

Step 2: Data Request
OCR typically sends a "data request" or "investigation letter" requesting documentation of the breach and the Organization's response. Common requests include:

☐ Complete description of the incident and investigation
☐ Copy of the four-factor risk assessment
☐ Copies of all notification letters to individuals
☐ Proof of mailing / notification delivery
☐ Media notification documentation (if applicable)
☐ Timeline of events (discovery to notification)
☐ Documentation of law enforcement delay (if applicable)
☐ Corrective actions implemented
☐ Current HIPAA risk analysis (most recent version)
☐ Risk management plan
☐ HIPAA policies and procedures (privacy, security, breach notification)
☐ Business Associate Agreements (if BA was involved)
☐ Workforce training records
☐ Evidence of prior compliance efforts

Step 3: OCR Review and Investigation
OCR reviews the submitted documentation and may request additional information, conduct interviews, or perform on-site reviews.

Step 4: Resolution
OCR resolves investigations through one of the following:

4.2 Response Timeline

☐ OCR data request response is typically due within 30 days of receipt
☐ Extensions may be granted upon written request with good cause
☐ Consult legal counsel immediately upon receiving an OCR data request
☐ Assert attorney-client privilege as appropriate in the response

SECTION 5: CORRECTIVE ACTION PLAN (CAP) PROVISIONS

5.1 Common CAP Requirements

If OCR determines a HIPAA violation occurred in connection with the breach, a Corrective Action Plan may require:

☐ Conducting a comprehensive, enterprise-wide risk analysis
☐ Developing and implementing a risk management plan
☐ Revising HIPAA policies and procedures
☐ Distributing revised policies to all workforce members
☐ Providing HIPAA workforce training
☐ Reporting to OCR on compliance status (typically annually for 2-3 years)
☐ Reporting any further breaches or compliance failures during the monitoring period
☐ Engaging an independent monitor (in some cases)
☐ Submitting implementation reports and attestation of compliance

5.2 Resolution Agreement and Monetary Settlements

5.3 Civil Monetary Penalty Tiers (2025 Adjusted Amounts)

Note: Penalty amounts are adjusted for inflation annually. Criminal penalties (imprisonment up to 10 years and fines up to $250,000) may also apply under 42 U.S.C. § 1320d-6 for knowing violations.

SECTION 6: ANNUAL BREACH REPORT FOR SMALL BREACHES (<500)

6.1 Overview

Breaches affecting fewer than 500 individuals are reported to HHS annually. The annual report must be submitted within 60 days of the end of the calendar year in which the breach was discovered. For breaches discovered during calendar year [____], the report must be submitted by March 1 of [following year].

6.2 Annual Breach Log

Maintain this log throughout the calendar year and submit as part of the annual report:

6.3 Annual Submission Checklist

☐ Compile all breaches affecting fewer than 500 individuals discovered during calendar year [____]
☐ Verify individual notifications were sent for each breach
☐ Review breach log entries for completeness and accuracy
☐ Privacy Officer review and approval
☐ Legal counsel review
☐ Submit through HHS Breach Portal by March 1, [____]
☐ Save confirmation/transaction number
☐ Retain all documentation for 6 years

SECTION 7: STATE ATTORNEY GENERAL NOTIFICATION REQUIREMENTS

7.1 Overview

In addition to HHS notification, many states require separate notification to the state Attorney General or other state agencies for data breaches exceeding state-specific thresholds. These state notifications must be made in parallel with (or sometimes prior to) HHS notification.

7.2 Key State AG Notification Requirements

California (Cal. Civ. Code § 1798.82; SB 446 effective Jan. 1, 2026):
- Threshold: 500+ California residents
- Deadline: Submit sample notification to CA AG within 15 days of notifying individuals
- Submission: https://oag.ca.gov/privacy/databreach/reporting
- Note: HIPAA-compliant entities are deemed to comply with state notification requirements

Texas (Tex. Bus. & Com. Code § 521.053):
- Threshold: 250+ Texas residents
- Deadline: Within 60 days of breach determination
- Submission: https://www.texasattorneygeneral.gov/consumer-protection/data-breach-reporting
- Must include: description of breach, number of Texas residents affected, number notified, description of measures taken

Florida (Fla. Stat. § 501.171):
- Threshold: 500+ Florida residents
- Deadline: Within 30 days of determination of breach
- Submission: Florida Department of Legal Affairs
- Must include: synopsis of events, number of individuals affected, services being offered, copy of individual notification
- Penalties: $1,000/day first 30 days; $50,000/each subsequent 30-day period; max $500,000

New York (N.Y. Gen. Bus. Law § 899-aa, as amended):
- Threshold: Any breach affecting New York residents (no minimum for AG notice)
- Deadline: For HIPAA breaches, AG notification within 5 business days of HHS notification
- Must also notify: NY Department of State, NY Division of State Police, and NYSDFS (if regulated)
- For 500+ NY residents: Written determination to AG within 10 days of determination
- Expanded definition of "private information" includes medical and health insurance information (effective March 2025)

7.3 State AG Notification Tracking

Note: Approximately 36 states require notification to the AG or another state agency. Legal counsel should review all applicable state laws based on the residency of affected individuals.

SECTION 8: DOCUMENTATION RETENTION CHECKLIST

8.1 Required Documentation

Retain the following documentation for a minimum of six (6) years per 45 C.F.R. § 164.530(j):

☐ Completed HHS Breach Portal submission (print/save before submission)
☐ HHS confirmation/transaction number
☐ All correspondence with HHS/OCR
☐ Breach investigation report
☐ Four-factor risk assessment worksheet
☐ Breach determination documentation and rationale
☐ Individual notification letters (template and proof of mailing)
☐ Media notification documentation (press release, distribution records)
☐ State AG notification documentation
☐ Law enforcement correspondence and delay documentation (if applicable)
☐ Corrective action plan and implementation records
☐ Annual breach log (for Track 2 small breaches)
☐ OCR investigation correspondence and data request responses
☐ Resolution agreement and CAP monitoring records (if applicable)
☐ Insurance carrier correspondence and claims documentation

8.2 Storage

☐ Documentation stored securely with access restricted to authorized personnel
☐ Both electronic and paper copies maintained (as applicable)
☐ Backup copies maintained in a separate secure location
☐ Retention schedule tagged with destruction date (minimum 6 years from creation or last effective date)

SECTION 9: HHS CONTACT INFORMATION

SECTION 10: ADDENDUM SUBMISSION PROCEDURES

10.1 When to Submit an Addendum

An addendum to a previously filed breach report should be submitted when:

☐ The number of affected individuals has changed (increased or decreased)
☐ The types of PHI involved have been updated based on further investigation
☐ The type or nature of the breach has been reclassified
☐ Additional business associate involvement has been identified
☐ Individual notification status has been updated
☐ Media notification has been completed
☐ Other material information has become available

10.2 Addendum Submission Process

1. Navigate to the HHS Breach Portal
2. Select "Addendum" as the report type
3. Enter the original transaction/tracking number: [________________________________]
4. Update only the fields that have changed
5. Provide explanation of the update in the description field
6. Submit and save the new confirmation number

☐ Addendum submitted: Date [__/__/____]
☐ New confirmation/transaction number: [________________________________]
☐ Reason for addendum: [________________________________]

SECTION 11: CROSS-REFERENCE TO RELATED TEMPLATES

This HHS Notification template works in conjunction with the following Organization documents:

• HIPAA Breach Response Plan — Comprehensive breach response procedures and notification decision framework
• HIPAA Security Incident Response Plan — Technical incident detection, containment, and recovery
• HIPAA Breach Risk Assessment Worksheet — Four-factor risk assessment documentation
• HIPAA Breach Notification — Media — Media notification and press release template
• HIPAA Breach Notification Call Script — Individual notification call procedures and FAQ responses

SOURCES AND REFERENCES

1. 45 C.F.R. § 164.408 — Notification to the Secretary (HHS)
2. 45 C.F.R. § 164.408(a) — Breaches Affecting 500 or More Individuals
3. 45 C.F.R. § 164.408(c) — Breaches Affecting Fewer Than 500 Individuals
4. 45 C.F.R. § 164.404(c) — Content Requirements for Notification
5. 45 C.F.R. § 164.414 — Administrative Requirements and Burden of Proof
6. 45 C.F.R. § 164.530(j) — Documentation Retention (6 Years)
7. HHS OCR — Submitting Notice of a Breach to the Secretary (https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html)
8. HHS OCR — Breach Portal Required Information (https://ocrportal.hhs.gov/ocr/breach/doc/Breach_Portal_Questions_508.pdf)
9. HHS OCR — Breach Portal (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
10. HHS OCR — Breach Notification Rule (https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
11. HHS OCR — Resolution Agreements and Civil Monetary Penalties (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html)
12. Cal. Civ. Code § 1798.82 and SB 446 — California AG Notification
13. Tex. Bus. & Com. Code § 521.053 — Texas AG Notification
14. Fla. Stat. § 501.171 — Florida AG Notification
15. N.Y. Gen. Bus. Law § 899-aa — New York AG Notification (SHIELD Act, as amended)
16. HITECH Act § 13402(e)(3)-(4) — Notification to Secretary

This template is provided for informational purposes only and does not constitute legal advice. Organizations should have HHS breach portal submissions reviewed by qualified legal counsel before filing. HIPAA compliance requirements are subject to change based on OCR guidance and regulatory updates.

For use on ezel.ai — a legal template platform for solo practitioners and small firms.