Emergency Response

HIPAA Breach Notification: The 60-Day Window Step-by-Step

7 min read · Last reviewed May 23, 2026

If you discovered a HIPAA breach, you have 60 calendar days from the date of discovery to notify affected individuals, the HHS Secretary, and in some cases prominent media outlets under 45 CFR §§ 164.404–164.408. The deadline is firm. Missing it drives Resolution Agreements with multi-year corrective action plans.

Step 1: Confirm the date of discovery

Discovery starts the clock and is the most-litigated date in any breach matter. 45 CFR § 164.404(a)(2)(2)) defines discovery as the first day on which the breach is known, or by exercising reasonable diligence would have been known, by any workforce member or agent of the covered entity — except the person who committed the breach.

Workforce knowledge is imputed to the entity. A front-desk employee who notices a misdirected fax on a Friday and reports it Monday established discovery on Friday, not Monday. A vendor's alert to your help desk establishes discovery the moment your help desk received it.

Document the discovery date in a memo to file the day discovery occurs. Include source of the report, time, recipient, and the initial scope description. This document determines every downstream deadline.

Step 2: Run the four-factor risk assessment

Under 45 CFR § 164.402, an acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule is presumed to be a breach unless the covered entity demonstrates a low probability that the PHI has been compromised. The four factors:

  1. Nature and extent of the PHI involved, including identifiers (name, SSN, DOB, MRN, diagnosis, financial information) and the likelihood of re-identification.
  2. The unauthorized person who used the PHI or to whom the disclosure was made. A misdirected fax to another covered entity is different from a disclosure to the open internet.
  3. Whether the PHI was actually acquired or viewed, versus merely accessible. Forensic logs matter here.
  4. The extent to which the risk has been mitigated, including written assurances of destruction or non-use.

The analysis must be documented and retained for six years under 45 CFR § 164.530(j)). A documented "low probability" finding means no notification — but the documentation itself is the practice's defense if OCR later disagrees.

Step 3: Check the encryption safe harbor

If the affected PHI was encrypted to NIST standards under the HHS Guidance to Render Unsecured PHI Unusable, it is not "unsecured PHI" under 45 CFR § 164.402 and the Breach Notification Rule does not apply. This is the single highest-leverage control. Document encryption status of the affected data at the time of the incident.

The exclusions at 45 CFR § 164.402(1) are narrow: unintentional access by workforce in good faith, inadvertent disclosure between authorized people at the same entity, and disclosures the recipient could not reasonably retain. Document the conclusion when claimed; OCR scrutinizes the exclusions tightly.

Step 4: Build the individual notice

If notification is required, the notice to affected individuals must go out without unreasonable delay and no later than 60 calendar days from discovery under 45 CFR § 164.404(b)). Required content under 45 CFR § 164.404(c)):

  • A brief description of what happened, including the date of breach and date of discovery
  • A description of the types of unsecured PHI involved (name, SSN, diagnosis, etc.) — not the specific data
  • Steps individuals should take to protect themselves
  • A brief description of what the covered entity is doing to investigate, mitigate harm, and prevent recurrence
  • Contact procedures (toll-free number, email, website, or postal address)

Delivery is by first-class mail to the individual's last known address, or by email if the individual has agreed to electronic notice. For 10 or more individuals with insufficient or out-of-date contact info, substitute notice under 45 CFR § 164.404(d)) applies: conspicuous posting on the home page of the covered entity's website for 90 days, OR conspicuous notice in major print or broadcast media, plus a toll-free number active for at least 90 days.

Step 5: Notify the HHS Secretary

Two paths under 45 CFR § 164.408:

  • 500 or more individuals affected: Submit to the HHS Breach Reporting Portal contemporaneously with the individual notice — no later than 60 days after discovery. The submission appears on the OCR public "Wall of Shame" at OCR Breach Portal.
  • Fewer than 500 individuals affected: Log the incident and submit an annual report through the same portal no later than 60 days after the end of the calendar year in which discovery occurred.

Step 6: Media notice if 500+ in one state or jurisdiction

Under 45 CFR § 164.406, breaches affecting 500 or more residents of a single state or jurisdiction require notice to prominent media outlets serving that area, contemporaneously with the individual notice and within 60 days of discovery. The media notice content matches the individual notice content. A practice press release published on the website is not a substitute for actual media outreach to prominent outlets.

What NOT to touch

  • Do not delete logs, emails, or backups referencing the incident. Litigation hold begins on discovery.
  • Do not edit the affected records to "clean up" the chart. Forensic integrity matters.
  • Do not negotiate ransom payments without counsel and FBI engagement. The HHS ransomware guidance is the agency's baseline position and treats ransomware on ePHI as a presumptive breach.
  • Do not communicate publicly before the notice is finalized. Inconsistent statements appear in subpoena exhibits.
  • Do not delay the four-factor analysis pending "more information." OCR has repeatedly cited delayed analyses as independent violations.

State-law overlay

State breach notification statutes can run faster than HIPAA and require parallel notification.

  • California (CMIA, Civil Code § 56.36; CCPA breach notice) — broad definition of medical information, separate notification path to the California Attorney General when 500+ California residents affected.
  • Texas (Business and Commerce Code § 521.053; HB 300) — individual notice no later than 60 days from determination of the breach under § 521.053(b); separately, when 250+ Texas residents are affected, notice to the Texas Attorney General is due as soon as practicable and no later than 30 days under § 521.053(i).
  • New York (SHIELD Act, General Business Law § 899-aa) — notification required without unreasonable delay; notice to the New York Attorney General, Department of State, and State Police.
  • Massachusetts (201 CMR 17.00; G.L. c. 93H) — strict notification timeline plus written information security program requirements.

Many states have shorter clocks than HIPAA's 60-day federal maximum. Map the affected population by state and check each state's separate notification path.

Documentation retained for six years

Under 45 CFR § 164.530(j)) and 45 CFR § 164.316(b)) the practice retains for at least six years:

  • The discovery memo
  • The four-factor analysis worksheet
  • Encryption status of affected systems at time of incident
  • The individual notification letter and mailing log
  • The HHS portal submission confirmation
  • The media notice (where applicable) and outlet list
  • The law enforcement delay request (where applicable)
  • The corrective action plan and evidence of completion

When to engage outside healthcare counsel

Engage immediately on any breach involving 500+ individuals, ransomware on ePHI, an insider threat or potentially terminated employee, payment-card data adjacent to PHI, or any incident with media exposure. Counsel coordinates the four-factor analysis under privilege, runs the notification process, and manages OCR if an investigation opens after the portal submission. OCR opens an investigation on most 500+ submissions.

How d3rx fits

d3rx maintains the breach response workflow inside the compliance binder: incident intake form, four-factor analysis worksheet, individual notification templates, HHS portal submission record, media notice tracker, and the under-500 annual report log. The binder is a source-grounded administrative aid. It does not represent the practice before OCR, does not provide legal advice, and does not replace counsel. See audit defense for broader response support and the compliance binder overview for binder structure.

D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversHIPAA Breach Notification: The 60-Day Window Step-by-Step. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

What if the breach affects fewer than 500 people but I cannot confirm the exact count?

Treat it as 500-plus until you can confirm otherwise. The HHS Secretary notice path differs for over-500 vs. under-500 incidents at 45 CFR § 164.408, and missing the over-500 contemporaneous notice is far worse than over-notifying. Document the basis for the count, refine through the investigation, and amend the HHS Breach Portal submission if the final count comes in under 500.

When does the 60-day clock actually start?

On the date of discovery, defined at 45 CFR § 164.404(a)(2) as the first day on which the breach is known, or should reasonably have been known, by any workforce member or agent of the covered entity (except the person committing the breach). A workforce member's knowledge is imputed to the entity. This is the same construct the OCR Resolution Agreements have repeatedly enforced.

Does a ransomware attack count as a breach?

Almost always yes. Per the HHS ransomware fact sheet, the presence of ransomware on a system containing ePHI is presumed to be a breach because the ePHI was acquired (encrypted) by an unauthorized actor. The four-factor analysis at 45 CFR § 164.402 may rebut the presumption, but the default posture is notification. Encryption of PHI prior to the incident is the safe harbor; backup-only is not.

Can law enforcement delay our notification?

Yes, under 45 CFR § 164.412, but only on a written statement from a law enforcement official that notice would impede a criminal investigation or cause damage to national security. An oral request delays only 30 days unless followed by a written statement. The delay is bounded, not indefinite, and the practice must still notify when the delay expires.

What if our business associate had the breach?

The BA notifies the covered entity under 45 CFR § 164.410 without unreasonable delay and within 60 days of BA discovery. The covered entity still owns notification to individuals, HHS, and media. The BAA at 45 CFR § 164.504(e) typically tightens the BA's notice clock and may delegate the individual notification by contract. The 60-day individual notice clock runs from the covered entity's date of discovery, which the BAA usually defines as the date the BA notifies the CE.

What happens if I miss the 60-day window by 10 days?

Notify immediately and document the delay. Late notification is itself a violation under 45 CFR § 164.404(b) and a frequent driver of OCR Resolution Agreements. The corrective action plan attached to typical OCR settlements requires updated breach-response procedures and training. Practices that self-correct and document a reasonable cause typically see lower penalties than practices that delay further or attempt to minimize the count.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR §§ 164.404–164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
  2. 45 CFR § 164.404(a)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404#p-164.404(a
  3. 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
  4. 45 CFR § 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
  5. HHS Guidance to Render Unsecured PHI Unusablehttps://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
  6. 45 CFR § 164.404(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404#p-164.404(b
  7. 45 CFR § 164.404(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404#p-164.404(c
  8. 45 CFR § 164.404(d)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404#p-164.404(d
  9. 45 CFR § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
  10. HHS Breach Reporting Portalhttps://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
  11. OCR Breach Portalhttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  12. 45 CFR § 164.406https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.406
  13. ransomware guidancehttps://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
  14. 45 CFR § 164.316(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides