Kingsfield · Research · Data Privacy & Cybersecurity

When must a covered entity report a HIPAA breach to the Secretary of HHS, and does the deadline differ for small breaches?

Published 2026-06-23 · U.S. federal law

45 CFR 164.408 requires a covered entity to notify the HHS Secretary of a breach of unsecured protected health information, with the timing keyed to whether the breach affected 500 or more individuals.

The answer

The duty to notify the Secretary

45 CFR 164.408(a) requires a covered entity, following discovery of a breach of unsecured protected health information, to notify the Secretary. The manner and timing of that notice depend on the number of individuals affected.

The small-breach log

For breaches involving fewer than 500 individuals, 164.408(c) does not require immediate reporting. The covered entity maintains a log and reports those breaches to the Secretary not later than 60 days after the end of the calendar year in which they were discovered.

The judged input

What the AI drafted

Submitted to the judge

This is an excerpt from a draft breach-response advisory memo — the kind of work product a lawyer generates with a legal-AI drafting tool, then has to stand behind. Kingsfield does not write it; it rules on the citations the model put in it. This draft cites three authorities; one of them is wrong.

AI draft excerpt — breach-response advisory memo
The Company must report this incident to the Secretary of HHS. Under 45 CFR 164.408(a), a covered entity must notify the Secretary following discovery of a breach of unsecured protected health information. Because this breach affected fewer than 500 individuals, the report is not due immediately; under 45 CFR 164.408(c) the Company logs the breach and reports it to the Secretary no later than 60 days after the end of the calendar year. We advise that the small-breach reporting deadline is set by 45 CFR 164.404.

The judge ruled on every citation as the draft used it — it accepted 45 CFR 164.408(a) and 45 CFR 164.408(c) and rejected 45 CFR 164.404. Here is why.

The verdict

How Kingsfield ruled

Ruled 2026-06-23

Each citation in the draft above was submitted to the Kingsfield judge and ruled against the primary-law corpus — Accept, Reject, or Inconclusive, per citation. These are live verdicts, not editorial. Each card shows the claim the draft made and the verbatim authority the verdict was rendered against.

Accept · 45 CFR 164.408(a)

The draft claimed: Following discovery of a breach of unsecured protected health information, a covered entity shall notify the Secretary.

“Standard. A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in § 164.404(a)(2), notify the Secretary.”

Cite found; proposition supported by the cited text.

Accept · 45 CFR 164.408(c)

The draft claimed: For breaches involving fewer than 500 individuals, a covered entity must maintain a log and provide notification to the Secretary not later than 60 days after the end of the calendar year in which the breaches were discovered.

“Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph…”

Cite found; proposition supported by the cited text.

Reject · 45 CFR 164.404

The draft claimed: Section 164.404 sets the deadline for reporting breaches affecting fewer than 500 individuals to the Secretary, requiring notice within 60 days after the end of the calendar year.

Cite found, but the cited text does not support the claim. 45 CFR 164.404 governs notification to affected individuals (within 60 days of discovery), not reporting to the Secretary; the Secretary-reporting deadline for small breaches is at 45 CFR 164.408(c). Regenerate with the correct authority.

Run your own work through the judge

Kingsfield rules on every citation, quote, and proposition your AI produces, against the primary law we cover. Accept, Reject, or Inconclusive, per citation, with a signed Audit Capsule.


This page is legal information, not legal advice, and does not create an attorney-client relationship. The draft shown is an illustration of a typical AI answer; verdicts reflect the cited authority in the Kingsfield corpus as of the ruling date shown above.

Kingsfield

The judge for legal AI.
A WalkerNash Development LLC product.

© 2026 WalkerNash Development LLC. All rights reserved.