Compliance · 2026-07-07 · 10 min read
The HIPAA Breach Notification Playbook: Every Deadline From Day 0 to Day 60
The Breach Notification Rule gives you 60 days — but the work starts in the first 24 hours. A step-by-step playbook: when the clock actually starts, the four-factor risk assessment, who gets notified and how, and the records that protect you when OCR comes asking.
Sooner or later, most healthcare organizations get the call. Sometimes it is your own IT team finding ransomware notes on a file server. Increasingly, it is a vendor — about 65% of the individuals affected by 2025's breaches were exposed through a business associate, not the covered entity itself. Either way, the moment you learn about it, a regulatory clock starts that does not pause for weekends, investigations, or legal review.
This is the playbook for what happens next. Not the theory — the actual sequence: what counts as "discovery," how to decide whether the incident is legally a breach at all, who has to be told, by when, through what channel, and what paperwork you must be able to produce afterward. Every deadline here comes from the Breach Notification Rule (45 CFR §§ 164.400–414); where something is best practice rather than law, we say so.
Day 0: the clock starts earlier than you think
The 60-day countdown runs from discovery, and the rule defines discovery aggressively: the first day the breach is known to your organization — or would have been known if you were exercising reasonable diligence. Two details catch people out:
- Knowledge is imputed from your workforce. If a front-desk employee noticed the misdirected records on March 3 and told no one until March 20, your clock started March 3. This is why incident-reporting training matters: an employee who sits on an incident doesn't delay your deadline, they consume it.
- "Should have known" counts. If the intrusion was sitting in security alerts nobody reviewed, OCR can argue discovery happened when a diligent organization would have seen it.
And one more thing before the checklist: 60 days is the ceiling, not the target. The actual legal standard is "without unreasonable delay." OCR has penalized organizations that notified within 60 days but could not justify why they waited — so document the reason for every week that passes.
Days 0–3: contain, preserve, assemble
Nothing in this section is a regulatory deadline. All of it determines whether you can meet the ones that follow.
- Contain the incident. Isolate affected systems, disable compromised accounts, rotate credentials, revoke suspicious sessions. If ransomware is involved, disconnect — don't wipe.
- Preserve evidence. Snapshot systems and export logs before remediation destroys them. Your four-factor risk assessment (below) will live or die on what the logs show about whether data was actually viewed or exfiltrated.
- Activate your incident response plan and name one owner. The single most common failure mode in small organizations is diffusion: everyone assumes someone else is tracking the deadline.
- Notify your cyber insurer and counsel early. Most cyber policies require prompt notice and some insist on using their approved forensics and notification vendors — using your own can jeopardize coverage.
- If you're the business associate, check your BAA today. The rule gives BAs up to 60 days to tell the covered entity, but most BAAs contractually shorten that to something like 5–10 business days — some to 24 or 72 hours.
Days 3–15: decide whether it's legally a breach
Not every security incident is a reportable breach, and this determination — the four-factor risk assessment — is the most consequential paperwork of the entire process. Here is the decision path the rule lays out:
Work it in order:
First, was there an impermissible acquisition, access, use, or disclosure of unsecured PHI? If the data was encrypted to NIST standards and the key wasn't compromised, it isn't "unsecured PHI" and you can stop — this is the safe-harbor argument for encrypting everything at rest.
Second, does one of the three narrow exceptions apply? Unintentional good-faith access by your own workforce member acting within their authority; inadvertent disclosure between two people authorized to access PHI at the same organization; or a good-faith belief the recipient could not reasonably have retained the information (the fax pulled back before anyone read it). These are narrower than they sound — "the recipient promised to delete it" is not one of them.
Third — and only if you get this far — run the four-factor assessment. An impermissible use or disclosure is presumed to be a reportable breach unless you can demonstrate a low probability that the PHI was compromised, based on at least:
- The nature and extent of the PHI — how identifiable, how sensitive (an SSN or diagnosis weighs heavier than an appointment date)
- The unauthorized person who received or used it — a fellow HIPAA-regulated entity that misreceived a fax is very different from an unknown attacker
- Whether the PHI was actually acquired or viewed, or merely exposed — this is where your preserved logs earn their keep
- The extent to which the risk has been mitigated — data returned, credibly destroyed, or covered by a signed confidentiality attestation
Two hard-won notes. Ransomware that encrypts ePHI is presumed a breach under OCR's guidance — the encryption itself is an "acquisition" — unless your forensics support a low-probability finding. And whichever way the assessment comes out, write it down and keep it six years: if you conclude no notification is required, that document is your only defense, because the burden of proof sits with you, not OCR.
Days 15–40: scope it, then draft everything
The reporting obligations split on one number: 500 affected individuals. Count carefully — the threshold is individuals, not records, and the media-notice trigger is 500+ residents of a single state or jurisdiction. A breach of 600 people spread across five states requires HHS and individual notice within 60 days, but no media notice anywhere.
Here is the full notification matrix:
| Who gets notified | When | How |
|---|
| Affected individuals (any size breach) | Without unreasonable delay, ≤60 days from discovery | First-class mail to last known address; email only if the individual agreed. Deceased: next of kin or personal representative |
| HHS — breach of 500+ | Same 60-day window as individual notice | OCR breach portal online filing |
| HHS — breach under 500 | Within 60 days after the calendar year ends (by ~March 1) | Same portal; log every small breach as it happens so February isn't archaeology |
| Prominent media — 500+ in one state/jurisdiction | Same 60-day window | Press notice to a broadcast or print outlet serving that area |
| State attorneys general | Varies by state — several run 30- or 45-day clocks | Per state law; many states require AG notice above resident thresholds |
| Covered entity (when you're the BA) | ≤60 days by rule, but your BAA almost certainly says less | Per the BAA — with identification of affected individuals |
That state-law row deserves emphasis: all 50 states have their own breach statutes, many with shorter deadlines than HIPAA and their own content requirements. HIPAA compliance does not satisfy them automatically. If you have patients in multiple states, someone needs to run the state-by-state analysis in parallel — this is usually where outside counsel earns their fee.
Days 40–55: the notice itself
The individual notice is a regulated document — 45 CFR 164.404(c) prescribes its contents, and it must be written in plain language, not legalese:
Practical points that separate a clean notification from a messy one:
- Be specific about the data types. "Some of your information may have been involved" invites complaints to OCR; "name, date of birth, and Medicare number" does not.
- Credit monitoring isn't required by HIPAA — but when SSNs or financial data are involved, it is the market expectation, and several states do mandate it. Budget for 12–24 months.
- Substitute notice has its own rules. If 10 or more notices come back undeliverable, you must post a conspicuous notice on your website homepage for 90 days (or run major print/broadcast media) and staff a toll-free number for 90 days. Fewer than 10 stale addresses can be handled by phone or other written means.
- Stand up the phone line before the letters land, not after. The letters include the number; the calls start immediately.
The paperwork that protects you
After every large breach, OCR opens a compliance review. What they ask for is predictable, so build the file as you go:
- The incident timeline — discovery date, containment steps, and the justification for when each notification went out
- The four-factor risk assessment (or the exception analysis), signed and dated
- Copies of every notice — individual letter, HHS filing confirmation, media notice, substitute notice screenshots
- Your security risk analysis predating the breach — the first thing OCR requests, because a missing SRA converts a breach investigation into a penalty case
- Evidence of remediation: what changed so it doesn't recur
Keep all of it six years. The stakes scale with sloppiness, not just size: the 2026 civil penalty ceiling is $2,190,294 per violation category, per year, and notification delays are their own violation category, separate from the underlying security failure. Meanwhile the average healthcare breach now costs $7.42 million before any penalty — the full statistics are grim reading, and we keep them updated on our healthcare data breach statistics page.
The five mistakes we see most
- Letting the investigation eat the clock. You can (and should) notify with facts still pending — the rule anticipates supplementing later. "Forensics isn't finished" is not a recognized reason to blow Day 60.
- Treating the 60 days as the deadline instead of the ceiling — and having no record of why notification took as long as it did.
- Skipping the written risk assessment when the team "knows" it wasn't a breach. Undocumented conclusions don't exist as far as OCR is concerned.
- Forgetting state law — notifying under HIPAA's clock while a 30-day state statute quietly lapses.
- BAs sitting on incidents while they investigate internally, blowing through the contractual window in their BAA and converting a security incident into a contract breach plus a compliance failure.
Rehearse it before you need it
Everything above is dramatically easier if the first time you run it isn't real. Shieldra's incident management tracks the discovery date and counts down each notification deadline automatically, the breach simulator lets your team walk a realistic scenario — four-factor assessment included — before the stakes are real, and the evidence vault keeps your risk analyses, policies, and training records audit-ready so the "paperwork that protects you" already exists on Day 0. Run our free compliance analyzer to see where your breach-response readiness stands today.
The bottom line
Breach response is a project with fixed deadlines and a hostile auditor at the end, and it rewards preparation over improvisation. Know that the clock starts at discovery — including the discovery your workforce should have made. Contain and preserve first, decide "is it a breach?" with a documented four-factor assessment, notify individuals well inside the 60-day ceiling, remember HHS, media, and state deadlines, and file every artifact for six years. Organizations that stumble rarely do so because the rule is complicated; they stumble because nobody owned the clock.