HHS HIPAA Breach Portal: How to File a Breach Notification
9 min read · Last reviewed May 23, 2026
If you must report a HIPAA breach to HHS, the filing is submitted through the OCR Breach Portal at ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf. Breaches affecting 500 or more individuals must be filed contemporaneously with the individual notice and within 60 days of discovery. Breaches affecting fewer than 500 are filed annually, no later than 60 days after the end of the calendar year of discovery, under 45 CFR § 164.408(c).
When the Portal is required
The breach-reporting obligation lives at 45 CFR § 164.408 and applies whenever the four-factor risk assessment under 45 CFR § 164.402 does not document a low probability of compromise. Two paths:
- 500 or more individuals affected. Report through the Portal contemporaneously with the individual notice — no later than 60 calendar days from the date of discovery. The submission appears within days on the OCR public breach list at ocrportal.hhs.gov/ocr/breach/breach_report.jsf, commonly called the "Wall of Shame." Media notice under 45 CFR § 164.406 is also required for 500+ residents of any single state or jurisdiction.
- Fewer than 500 individuals affected. Log the breach and submit the annual report through the Portal no later than 60 days after the end of the calendar year in which the discovery occurred. Each qualifying incident is a separate submission — the Portal does not bundle multiple incidents into one report.
Discovery is defined at 45 CFR § 164.404(a)(2) as the first day on which the breach is known, or by exercising reasonable diligence would have been known, by any workforce member or agent of the covered entity. Workforce knowledge is imputed to the entity.
What you'll need before filing
The Breach Portal form requires more granular numbers than most practices can produce in 60 days without prep. Assemble before you open the wizard:
- Covered entity name and address exactly as registered with HHS, including NPI and tax ID
- Contact person for OCR follow-up — typically the Privacy Officer or outside counsel
- Business associate information, if the breach occurred at or involved a BA, including BA name and contact
- Date of breach (or date range), distinct from the date of discovery
- Date of discovery — the date documented in your discovery memo per Step 1 of the 60-day window guide
- Approximate number of individuals affected — best estimate at filing; amend if the final number changes materially
- Type of breach — selected from the Portal taxonomy: hacking/IT incident, unauthorized access/disclosure, theft, loss, improper disposal, other
- Location of breached information — laptop, desktop, network server, email, paper, electronic medical record, other portable electronic device, other
- Type of PHI involved — clinical, demographic, financial, other
- Brief description of breach — narrative field; OCR uses this as the public-facing summary
- Safeguards in place before the breach — administrative, physical, technical
- Actions taken in response — notification, mitigation, sanctions, training, additional safeguards, policies and procedures updated, other
- Whether law enforcement was notified and any law-enforcement delay request under 45 CFR § 164.412
Counsel should review every narrative field before submission. The "Brief description" and "Actions taken" fields are the most visible to OCR investigators and to the public.
Walking through the form
The Portal wizard is a multi-step web form. The flow:
- Submitter information. Name, title, organization, contact email and phone. This is the person OCR calls — typically the Privacy Officer or outside counsel. The submitter is not the covered entity; the covered entity is identified separately.
- Covered entity information. Legal name, address, type (provider, health plan, healthcare clearinghouse), and contact. If the breach affected the covered entity but was caused at a business associate, the BA is identified in a separate section.
- Breach information. Dates of breach and discovery, approximate count of affected individuals, type of breach (drop-down), location of breached information (drop-down with multi-select), type of PHI (drop-down with multi-select). Required.
- Brief description. A free-text narrative. Keep it factual, neutral, and consistent with the individual notice content. Do not editorialize and do not minimize. OCR uses this on the public list verbatim.
- Safeguards in place before the breach. Multi-select with administrative, physical, and technical safeguard categories. Be honest — overclaiming here creates a credibility problem with OCR investigators who will request evidence.
- Actions taken in response. Multi-select: individual notice, HHS notice, media notice, law enforcement notification, mitigation, sanctions, training, additional safeguards, policies updated, business associate agreement updated, other. Tracks to the corrective action plan OCR will eventually request.
- Review and submit. The wizard generates a confirmation page with a tracking number. Save it. The number is required to amend the report later.
For 500+ breaches, the submission posts to the public OCR breach list within days. Under-500 breaches are submitted through the same Portal but are not publicly listed; the public list at ocrportal.hhs.gov/ocr/breach/breach_report.jsf is limited to HIPAA breaches affecting 500 or more individuals.
After you file
OCR opens an investigation on most 500+ Portal submissions. Smaller breaches sometimes draw investigations as well, particularly when they exhibit patterns OCR has flagged in recent Resolution Agreements (right-of-access failures, encryption gaps, BAA gaps, untrained workforce).
Expect within the following 30 to 90 days:
- An acknowledgment letter from the OCR Regional Office assigning a docket number and a lead investigator
- A request for documentation — Security Risk Analysis, policies and procedures, BAAs, training records, the four-factor analysis, the individual notice and mailing log, the law-enforcement delay request (if any), and the corrective actions taken
- A follow-up data request narrowing in on specific controls, often the addressable specifications under 45 CFR § 164.306(d)(3)
- A potential request for an interview with the Security or Privacy Officer
The Portal submission does not end the matter. It begins it. The guide on responding to an OCR investigation letter covers the response posture.
Common filing mistakes
Practices that confuse a single submission with a complete compliance act commonly stumble in five places:
- Filing without counsel review. The narrative is the most consequential document OCR will read about the breach. Counsel should draft or review every word.
- Inconsistent counts across the individual notice, the Portal, and state filings. OCR's first follow-up question is usually "why does your Portal filing say 542 and your individual mailing log say 537?" Reconcile before submission.
- Overclaiming safeguards. Marking "encryption at rest" when only the laptop was encrypted (not the affected server) is an evidence problem the moment OCR requests documentation.
- Filing the under-500 report late. The March 1 deadline (for prior-year discoveries) is missed routinely. Late annual filings are themselves violations under 45 CFR § 164.408(c).
- Forgetting state breach paths. The Portal is a federal filing only. CA, TX, NY, MA, FL, IL, and most other states require parallel notification to the state AG or other authority, often on shorter timelines.
A sixth, easy-to-miss issue: practices file the report but never document internally why filing was required (or why a particular four-factor analysis did not support a "low probability" finding). OCR routinely asks for the internal analysis after seeing the Portal submission.
State-law overlay
State breach laws frequently impose shorter clocks and additional content requirements:
- California (Civil Code § 1798.82; CMIA § 56.36) — notice to affected California residents and to the California Attorney General when 500+ California residents are affected. Licensed clinics also have a 15-business-day notice path to the California Department of Public Health.
- Texas (Business and Commerce Code § 521.053; HB 300) — 60-day notice with notification to the Texas Attorney General when 250+ Texas residents are affected.
- New York (General Business Law § 899-aa, SHIELD Act) — notification to affected individuals without unreasonable delay, plus parallel notice to the New York Attorney General, Department of State, and State Police.
- Massachusetts (G.L. c. 93H) — notice to affected residents, the Attorney General, and the Office of Consumer Affairs and Business Regulation as soon as practicable and without unreasonable delay.
- Florida (F.S. § 501.171, FIPA) — notification to affected individuals within 30 days of determination of a breach and to the Department of Legal Affairs if 500+ Florida residents are affected.
The HHS Portal does not relieve the practice of any state filing.
What not to touch
- Do not let the 60-day clock slip waiting for forensics. File on best information available and amend; missing the federal deadline is itself a violation.
- Do not paraphrase the individual notice differently in the Portal. Inconsistencies appear in OCR follow-up exhibits.
- Do not delete or rework the discovery memo, the four-factor analysis, or any pre-filing email. Litigation hold runs from discovery.
- Do not allow workforce members to discuss the breach publicly before the Portal submission and individual notice have gone out.
- Do not use the Portal narrative to argue your defense. Keep it neutral and factual. Defense belongs in the document response to the OCR letter.
How d3rx fits
The d3rx compliance binder maintains the breach response workflow that feeds the Portal filing: discovery memo, four-factor analysis, individual notification mailing log, HHS Portal submission record (tracking number, date, counts, narrative), media notice tracker, and the under-500 annual filing log. The d3rx audit defense workflow walks the first 48 hours after Portal submission, the OCR follow-up data request structure, and the tab-by-tab response. d3rx does not submit Portal filings on behalf of the practice and does not represent the practice before OCR. It is a source-grounded administrative documentation aid that counsel and the practice work from.
D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — HHS HIPAA Breach Portal: How to File a Breach Notification. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
I'm about to file my first breach — can I include preliminary numbers if forensics isn't done?
Yes, and you should not delay the filing for a final number when the 60-day window is closing. The Portal accepts the affected-individual count as known at the time of filing, and the submission can be amended later. Document in your internal file why the number is preliminary, what investigation is outstanding, and your planned amendment date. Filing with a placeholder of 'unknown' or a wildly conservative high number both invite OCR follow-up — better to file your best estimate based on forensic findings to date and explain the basis.
Does a single-patient misdirected fax need to be reported through the Portal?
Almost always yes, on the annual under-500 path under [45 CFR § 164.408(c)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408) — unless the four-factor risk assessment under 164.402 documents a low probability of compromise and you retain that analysis. A misdirected fax to another covered entity with written assurances of destruction often qualifies for the low-probability finding. A misdirected fax to a non-covered recipient typically does not.
Do I have to file twice if state law also requires breach notification to the Attorney General?
Yes — the HHS Portal does not satisfy state notification obligations. California, Texas, New York, Massachusetts, and many others operate independent breach-notice paths to the state AG, the Department of State, or the Department of Public Health, with their own forms, content requirements, and timelines that are often shorter than HIPAA's 60 days. Map the affected population by state of residence and file each state's required notice in parallel.
We submitted the Portal filing, and the affected count later dropped from 600 to 380. Do we amend?
Yes. Use the Portal's amendment workflow to update the count and the narrative. The over-500 submission appears on the public 'Wall of Shame' at the OCR Breach Portal; an amended count below 500 typically moves the report into the archived section. The Portal does not delete the original entry. Document the basis for the revised count internally with your forensic report — OCR almost always asks about a count revision in any follow-up investigation.
We discovered the breach in November. Do we need to file the under-500 annual report this March?
Annual reports are due no later than 60 days after the end of the calendar year in which the breach was discovered, per [45 CFR § 164.408(c)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408). A November discovery means the report is due by March 1 of the following year. File each qualifying breach as a separate Portal submission — the Portal does not accept a single submission summarizing multiple incidents.
Can our business associate file the Portal report on our behalf?
The covered entity remains the responsible party under [45 CFR § 164.408](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408). A BA may prepare the filing, but the submission should be made under the covered entity's name, with the covered entity's leadership reviewing the narrative and attesting to it. The BAA at [45 CFR § 164.504(e)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504) typically requires the BA to provide the data necessary for the filing, but does not transfer the legal obligation to report.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- ocrportal.hhs.gov/ocr/breach/wizard_breach.jsfhttps://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf
- 45 CFR § 164.408(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
- 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
- ocrportal.hhs.gov/ocr/breach/breach_report.jsfhttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- 45 CFR § 164.406https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.406
- 45 CFR § 164.404(a)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
- 45 CFR § 164.412https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.412
- 45 CFR § 164.306(d)(3)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.306
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- ComplianceHIPAA Breach Notification: The 60-Day Window Step-by-StepFrom discovery you have 60 calendar days to notify individuals, HHS, and possibly media. Here is the procedure that actually protects the practice.
- ComplianceBreach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402After a possible PHI incident, the four-factor breach risk assessment at 45 CFR 164.402 determines whether you notify. Do it in writing, do it on the record.
- ComplianceOCR Investigation Letter: Your 30-Day Response PlaybookReceived an OCR HIPAA investigation letter? The first 30 days set the trajectory. Confirm the docket, freeze logs, route through counsel, and produce a tabbed response.
- ComplianceRecent OCR Settlements: What HHS Actually Penalizes (2025)Risk Analysis Initiative, ransomware, right-of-access. The deficiency patterns driving recent OCR Resolution Agreements and what they cost.
- ComplianceHealthcare Incident Response Plan — Template + Tabletop ExerciseA 2026 healthcare incident response plan template aligned to 45 CFR 164.308(a)(6) and NIST SP 800-61 Rev. 3, with a tabletop exercise script for small practices.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- RegulationHIPAA HHS and Media Breach Notification (45 CFR 164.406-408)Notification timing and content for HHS (annual for smaller breaches, 60 days for 500+) and the prominent media (500+ in a state or jurisdiction).
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).