HIPAA breach notification, the 60-day clock and what trips it

When the 60-day breach notification clock actually starts under the HIPAA Breach Notification Rule, the four-factor Risk of Compromise analysis and the timing failures that turn an incident into an OCR enforcement action.

Jake Schaaf, Founder of Atticus Rowan

The HIPAA Breach Notification Rule places a 60-day cap on the time between discovery of a breach and notification to affected individuals. The cap is a maximum, not a target, and the clock runs continuously regardless of internal investigation, vendor coordination or legal review. The single most common timing failure in OCR enforcement actions is starting the clock too late, usually because the practice anchored on the date leadership confirmed the breach rather than the date someone in the organization first knew or should have known.

This post covers when the clock actually starts, what triggers a breach versus an incident, the notification paths and the pre-incident readiness that makes the 60 days survivable.

The regulatory frame

Three pieces of the Breach Notification Rule (45 CFR Part 164, Subpart D) carry the timing obligation:

  • 45 CFR 164.402 defines a breach and provides the four-factor Risk of Compromise Assessment that determines whether an incident qualifies.
  • 45 CFR 164.404 sets the notification requirements for covered entities to affected individuals, HHS and (for large incidents) prominent media.
  • 45 CFR 164.410 sets the notification requirements for business associates to covered entities.

The 60-day cap appears in all three sections. The clock starts from “discovery” of the breach, which has a specific regulatory meaning that is broader than most practices assume.

When the clock starts

Discovery is defined in 45 CFR 164.404(a)(2):

“A breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence, would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity.”

Two things this regulation does:

  1. The “should have known” standard. If a workforce member receives a reasonable indicator that PHI may have been compromised and does not escalate, discovery starts at that point, not when escalation eventually happens.
  2. Discovery applies to any workforce member or agent. The clock does not wait for the Privacy Officer, the Security Officer or the practice owner. A medical assistant who notices an unauthorized access alert at 8:14 AM on a Tuesday triggers discovery at 8:14 AM on that Tuesday.

The most common timing failure: practices document discovery as the date the Security Officer confirmed the breach in writing. OCR has, repeatedly, treated discovery as the earlier date when a workforce member first had the information. The gap between those two dates can be days or weeks.

The operational implication: every workforce member needs to recognize potential breach indicators and escalate immediately, and the discovery timestamp needs to be documented the moment escalation lands.

The four-factor Risk of Compromise analysis

Not every incident is a breach. The Breach Notification Rule presumes that an unpermitted use or disclosure of PHI is a breach unless the entity can demonstrate, through the four-factor analysis, that there is a low probability that PHI has been compromised. The factors are:

  1. The nature and extent of the PHI involved: types of identifiers, sensitivity of the information, likelihood of re-identification.
  2. The unauthorized person who used the PHI or to whom the disclosure was made: was the recipient another covered entity bound by HIPAA, an unrelated third party, an unknown actor?
  3. Whether the PHI was actually acquired or viewed: not just whether it could have been, but whether evidence supports that it was.
  4. The extent to which the risk to the PHI has been mitigated: returned, deleted, destroyed, contained.

Each factor is documented with the rationale. “Low probability” must be defensible, not assumed. OCR has, in published enforcement, treated weakly-supported low-probability conclusions as breach determinations after the fact.

The four-factor analysis is itself work. Building the analysis takes time, and the clock is running while it is being built. Pre-incident readiness shortens the analysis cycle dramatically.

Notification paths

The notifications, in the order they tend to land:

Affected individuals. Written notice by first-class mail to the last known address, or by email if the individual has previously agreed to electronic communication. Content requirements are specific (45 CFR 164.404(c)): a description of what happened, what PHI was involved, steps the individual should take to protect themselves, what the entity is doing to investigate and mitigate, contact information.

Substitute notice applies when contact information is insufficient for 10 or more individuals: posting on the entity’s home page for at least 90 days, or a major print or broadcast outlet, with a toll-free number active for at least 90 days.

HHS. Two paths depending on size:

  • 500+ individuals affected: notification to HHS through the OCR Breach Reporting Portal within 60 days. These breaches are listed on the OCR public-facing portal.
  • Fewer than 500 individuals affected: log internally throughout the year, submit to HHS annually within 60 days after the end of the calendar year.

Prominent media. If 500 or more individuals in a single state or jurisdiction are affected, notification to prominent media outlets in that state. Same 60-day cap. Most small practices never trigger this requirement; large multi-state systems do.

Business associate to covered entity. When the breach occurs at a business associate, the BA must notify the CE without unreasonable delay and not later than 60 days after discovery. The CE then runs the individual, HHS and (where applicable) media notifications under its own 60-day clock, which started when the BA discovered the breach, not when the BA reported it. Strong BAAs shorten the BA’s notification timeline well below 60 days, often to 24-72 hours, so the CE retains meaningful time inside its own clock.
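The discovery rule above and the notification paths in this section are easy to state and easy to get wrong under pressure, so the following is an added worked example (my own illustration, not Atticus Rowan’s tooling or any official calculator) that turns them into a small deadline tracker. It anchors discovery on the earliest workforce-member indicator rather than the written confirmation date, reports how many days a “leadership confirmed” anchor would have slipped the clock, maps breach size and per-state counts onto the individual, HHS, media and substitute-notice paths, and shows how a BAA notice window changes how much of the 60 days the CE keeps. The scenario dates, counts, state codes and the 72-hour BAA window are constructed for the example; the thresholds and durations are the ones the post cites.

```python
"""Constructed HIPAA breach-clock helper. Added example, not the post's own code."""
from dataclasses import dataclass
from datetime import date, timedelta

# Figures as stated in the post (45 CFR 164.402-164.410).
NOTIFICATION_CAP = timedelta(days=60)          # outer limit, counted from discovery
HHS_PORTAL_THRESHOLD = 500                     # 500+ individuals: OCR portal within 60 days
MEDIA_THRESHOLD = 500                          # 500+ in one state: prominent media there
SUBSTITUTE_NOTICE_THRESHOLD = 10               # insufficient contact info for 10+ people
SUBSTITUTE_NOTICE_DURATION = timedelta(days=90)
BAA_72_HOURS = timedelta(hours=72)             # a typical contractual BA notice window


@dataclass(frozen=True)
class Indicator:
    """A workforce member's first contact with a breach indicator (constructed record)."""
    who: str
    observed_on: date          # day they knew, or should have known
    escalated_on: date         # day it reached the Privacy/Security Officer
    committed_breach: bool = False   # the person committing the breach does not count


# Constructed scenario: a medical assistant sees an access alert on 5 March and
# escalates on 12 March; the Security Officer confirms in writing on 19 March.
SAMPLE_INDICATORS = [
    Indicator("medical assistant", date(2024, 3, 5), date(2024, 3, 12)),
    Indicator("security officer", date(2024, 3, 19), date(2024, 3, 19)),
]
SAMPLE_CONFIRMED_ON = date(2024, 3, 19)        # what the practice wrote down as "discovery"


def discovery_date(indicators):
    """Discovery per 164.404(a)(2): the earliest day any workforce member other than
    the perpetrator knew or should have known. Escalation dates are deliberately ignored."""
    return min(i.observed_on for i in indicators if not i.committed_breach)


def clock_slippage(documented_discovery, indicators):
    """Days by which a 'date leadership confirmed' anchor starts the clock late."""
    return (documented_discovery - discovery_date(indicators)).days


def notification_plan(discovered, affected, per_state, unreachable):
    """Map the post's notification paths onto concrete deadlines.

    per_state: {state_code: individuals affected in that state} (constructed input)
    unreachable: individuals for whom contact information is insufficient
    """
    cap = discovered + NOTIFICATION_CAP
    plan = {"individuals": cap}
    if affected >= HHS_PORTAL_THRESHOLD:
        plan["hhs_portal"] = cap
    else:
        # Under 500: log internally, submit within 60 days after the calendar year ends.
        plan["hhs_annual_log"] = date(discovered.year, 12, 31) + NOTIFICATION_CAP
    media_states = sorted(s for s, n in per_state.items() if n >= MEDIA_THRESHOLD)
    if media_states:
        plan["media"] = {"states": media_states, "deadline": cap}
    if unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan["substitute_notice"] = {
            "start_by": cap,
            "keep_posted_until": cap + SUBSTITUTE_NOTICE_DURATION,
        }
    return plan


def ba_timeline(ba_discovered, baa_notice_window):
    """Business associate path: the BA must notify the CE within the BAA window (or the
    60-day statutory cap if the contract is silent), while the CE's own 60 days still
    run from the BA's discovery date."""
    ba_deadline = ba_discovered + min(baa_notice_window, NOTIFICATION_CAP)
    ce_deadline = ba_discovered + NOTIFICATION_CAP
    return {
        "ba_notifies_ce_by": ba_deadline,
        "ce_notifies_by": ce_deadline,
        "ce_days_remaining": (ce_deadline - ba_deadline).days,
    }


if __name__ == "__main__":
    found = discovery_date(SAMPLE_INDICATORS)
    print("discovery:", found, "| clock slipped by",
          clock_slippage(SAMPLE_CONFIRMED_ON, SAMPLE_INDICATORS), "days")
    print(notification_plan(found, 1200, {"OH": 900, "KY": 300}, unreachable=12))
    print(notification_plan(found, 40, {"OH": 40}, unreachable=0))
    print(ba_timeline(found, BAA_72_HOURS))
    print(ba_timeline(found, NOTIFICATION_CAP))   # BAA silent: CE keeps zero days
```

In the constructed scenario the real discovery date is 5 March, so the 60-day cap lands on 4 May; anchoring on the 19 March confirmation would have reported 18 May and overshot by 14 days, which is exactly the late-starting-clock pattern. The BA comparison makes the contract point concrete: a 72-hour BAA window leaves the CE 57 days, a silent BAA can leave it none.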

Common timing failures

Patterns that recur in OCR settlements:

  • Late-starting clock: the entity uses the date leadership confirmed the breach rather than the earlier “should have known” date. OCR adjusts the start date and the notifications land outside the 60-day window.
  • No BA notification timeline in the contract: the BAA does not specify how quickly the BA must notify the CE. The BA notifies at day 58. The CE has 2 days. Notifications go out late or incomplete.
  • Incomplete content: notifications go out within 60 days but omit required elements. OCR cites both the timing and the content separately.
  • Substitute notice not executed correctly: the entity could not reach 12 individuals by mail, posted a notice that was not at all prominent and removed it after 30 days. Substitute notice requirements have specific duration and prominence expectations.
  • No documentation of the four-factor analysis: the entity concluded an incident was not a breach but cannot produce the documented analysis. OCR treats this as a breach determination by default.

The defensible pattern: discover, escalate, document the timestamp, execute the four-factor analysis within the first few days, decide breach vs not-breach with documentation, notify on the documented path with complete content, preserve everything.

Pre-incident readiness

What makes the 60-day clock survivable:

  • A documented breach notification procedure that names roles, decision points, content templates and the four-factor analysis framework.
  • Workforce training that covers what to escalate and to whom, refreshed at hire and annually.
  • BAAs that require BA notification within 24-72 hours of BA discovery, not 60 days.
  • A standing relationship with HIPAA-specialized legal counsel so engagement does not consume the first week.
  • A prepared individual-notice template with the required content elements scaffolded.
  • Cyber insurance with breach response coverage that includes notification logistics, credit monitoring offerings and call-center support.
  • A documented chain-of-custody process for forensic evidence in case the incident escalates.

A practice that has all of these in place can usually run the 60-day clock cleanly. A practice that builds each element during the incident usually runs out of time.

The scope disclaimer

Atticus Rowan’s HIPAA practice covers the Security Rule and the Breach Notification Rule operationally; we build the incident response procedure, the four-factor analysis framework and the documentation workflow. HIPAA-specialized legal counsel handles the legal sufficiency of notifications and any OCR investigation that follows. The Privacy Rule, governing uses and disclosures of PHI beyond breach context, is outside our scope.

For incidents that may involve law enforcement, criminal investigation or potential ransomware-actor engagement, we coordinate with specialized incident response and forensic firms. We do not perform the forensic investigation ourselves; we coordinate the workflow and preserve the documentation chain.

Where this fits

The breach notification framework is downstream of the Security Rule risk analysis (the program) and upstream of the OCR investigation (the consequence if notification is mishandled). Our HIPAA risk analysis post covers the regulatory artifact that defines the program. Our Medical Practice HIPAA 60-90 day post walks the full administrative, physical and technical safeguards baseline. Our HIPAA Readiness Guide covers the full Security Rule and Breach Notification Rule program.

If your practice has had an incident and is unsure whether it triggers notification, or wants to pressure-test the breach response procedure before an incident lands, schedule a discovery call. We can walk through the four-factor analysis with the specific facts and surface gaps in the documented procedure.