When Does the HIPAA Breach Notification Clock Start? The 60-Day Rule Most Teams Misread
Key Takeaways
HIPAA’s Breach Notification Rule requires affected individuals to be notified without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach. The clock starts at discovery, not at confirmation.
“Discovery” means the first day on which any workforce member or agent (other than the person who committed the breach) knew, or by exercising reasonable diligence would have known, that a breach occurred. That can be hours or days before formal incident declaration.
If a breach affects 500 or more individuals, HHS must be notified concurrently with affected individuals, and media notification is required for incidents affecting more than 500 in a state or jurisdiction.
Smaller breaches (under 500 individuals) go into an annual log reported to HHS within 60 days after the end of the calendar year in which the breach was discovered, which is March 1 in a common year.
Encrypted ePHI may qualify for the safe harbor: data encrypted in line with HHS guidance (the NIST publications it references) is not “unsecured PHI”, so its loss is not a reportable breach. Confirm that the encryption actually met that guidance and that the keys were not stored or exposed alongside the data before assuming the safe harbor applies.
Every team running a HIPAA program will face a potential incident eventually. The deciding factor in whether it becomes a regulatory issue is how the team interprets the breach notification clock from the first moment of discovery.
This is the practical reading: when the clock starts, what triggers it, who must be notified, what notice must contain, and where the most common failure modes hide.
When the Clock Actually Starts: Discovery vs Confirmation
HIPAA defines “discovery” as the first day on which the breach is known to the covered entity or business associate, or, by exercising reasonable diligence, would have been known to it. Knowledge of any workforce member or agent (other than the person who committed the breach) is imputed to the entity. “Would have been known” is the dangerous half of that definition. It means the clock does not wait for formal escalation.
Practical example: an on-call engineer flags a misconfigured S3 bucket exposing patient records on day 1. The security team investigates and confirms exposure on day 14. Legal makes the breach determination on day 21. The 60-day clock started on day 1, not day 21. Counting the discovery day as day 1, you now have 39 days remaining, not 60.
The fix is procedural: any potential PHI exposure flagged by any workforce member starts an investigation timer and triggers the breach notification workflow in parallel. The two tracks run side by side until either the exposure is ruled out or the notification is sent.
Who Gets Notified, When, and How
Affected individuals must receive written notice by first-class mail without unreasonable delay and no later than 60 days after discovery, or by email if the individual has agreed in advance to electronic notice. If contact information is out of date or insufficient for ten or more individuals, substitute notice is required (a conspicuous posting on your website home page or notice in major print or broadcast media, with a toll-free number). The notice must be in plain language and include specific elements (covered below).
HHS Secretary notification: breaches affecting 500 or more individuals must be reported to HHS at the same time as individual notification. Smaller breaches are reported in an annual log due within 60 days after the end of the calendar year in which they were discovered (March 1 in a common year). The HHS breach portal handles both.
Media notification: required when a breach affects more than 500 residents of a state or jurisdiction. Notice goes to prominent media outlets in that area. This is the trigger that turns a private incident into a public one.
Business associate notification: if you are a business associate (most SaaS healthcare vendors are), you notify the covered entity without unreasonable delay and no later than 60 days after discovery. Check the BAA first: many contracts shorten that window to a few days. The covered entity then handles individual, HHS, and media notification. Note that if the business associate is acting as the covered entity’s agent, the business associate’s discovery date is imputed to the covered entity, so the covered entity’s 60 days may already be running before it hears from you.
What the Notification Must Contain
Individual notice must include: a brief description of what happened, including the date of the breach and the date of discovery if known; the types of PHI involved (names, SSNs, dates of birth, account numbers, diagnoses, etc.); steps individuals should take to protect themselves; what you are doing to investigate, mitigate, and prevent recurrence; and contact procedures for questions (toll-free number, email, website, or postal address).
Plain language matters. OCR has cited covered entities for technical jargon, legal hedging, or vague descriptions that did not actually inform recipients. Write it for a non-technical reader.
Common Failure Modes in the First 60 Days
Misreading the clock. Treating the formal incident declaration date as the start of the 60 days instead of the first knowledge moment. This is the single most common error and almost always shows up in post-breach OCR reviews.
Incomplete affected-individual scoping. Not identifying everyone whose PHI was potentially exposed because the affected dataset was hard to determine. The duty is to make a reasonable effort, document the methodology, and over-notify when in doubt.
Skipping HHS notification because the count is under 500. The annual report still applies. Missing the March 1 deadline triggers separate enforcement risk.
Generic notification language. Templates that say “we recently discovered an incident” without specifying what data was involved, what risk it creates, or what individuals can do are inadequate under the rule and visible to OCR.
Assuming the safe harbor without verifying. Encrypted ePHI may qualify, but only if the encryption conformed to the HHS guidance (the referenced NIST publications) and the keys were not also compromised or stored with the data. Verify and document both before relying on it.
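The S3 example above, the routing rules under “Who Gets Notified”, and the safe-harbor caveat in the last failure mode, as one runnable model. This is an added example, not code from the article or from any product it mentions; the event dates, affected counts and per-state breakdown are constructed, and the day-counting convention (the discovery day is day 1, so notice is due on day 60) is an assumption chosen to match the article’s arithmetic. Defaults fail toward notifying: the safe harbor is applied only when every condition is passed in explicitly.

```python
"""Breach-notification clock and routing: an added worked model, not the page's own code."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

INDIVIDUAL_WINDOW_DAYS = 60      # outer limit; "without unreasonable delay" still governs
HHS_CONCURRENT_THRESHOLD = 500   # 500 or more individuals: HHS notified with individuals
MEDIA_THRESHOLD_PER_STATE = 500  # more than 500 residents of one state/jurisdiction


@dataclass(frozen=True)
class TimelineEvent:
    when: date
    description: str
    # True if on this date a workforce member or agent (other than whoever caused the
    # breach) knew, or with reasonable diligence would have known, of the breach.
    knowledge: bool


def discovery_date(events: list[TimelineEvent]) -> date:
    """Clock start: the earliest knowledge event, not confirmation or declaration."""
    knowledge_dates = [e.when for e in events if e.knowledge]
    if not knowledge_dates:
        raise ValueError("no knowledge event recorded; the clock has not started")
    return min(knowledge_dates)


def individual_notice_deadline(discovery: date) -> date:
    """Assumed convention: discovery day is day 1, so day 60 is the last day to notify."""
    return discovery + timedelta(days=INDIVIDUAL_WINDOW_DAYS - 1)


def days_remaining(discovery: date, today: date) -> int:
    return (individual_notice_deadline(discovery) - today).days


def annual_log_deadline(discovery: date) -> date:
    """Sub-500 breaches: HHS log due 60 days after the end of the calendar year of
    discovery, i.e. March 1 in a common year (February 29 in a leap year)."""
    return date(discovery.year, 12, 31) + timedelta(days=60)


def safe_harbor_applies(encrypted: bool, meets_hhs_guidance: bool, keys_exposed: bool) -> bool:
    """All three conditions must hold before the PHI counts as 'secured'."""
    return encrypted and meets_hhs_guidance and not keys_exposed


def notification_plan(events: list[TimelineEvent], affected_total: int,
                      affected_by_state: dict[str, int], today: date, *,
                      encrypted: bool = False, meets_hhs_guidance: bool = False,
                      keys_exposed: bool = True) -> dict:
    """Who must be notified and by when. Safe harbor only if every check is passed in."""
    if safe_harbor_applies(encrypted, meets_hhs_guidance, keys_exposed):
        return {"notification_required": False, "reason": "secured PHI (safe harbor verified)"}
    discovery = discovery_date(events)
    deadline = individual_notice_deadline(discovery)
    if affected_total >= HHS_CONCURRENT_THRESHOLD:
        hhs = f"concurrent with individual notice, by {deadline.isoformat()}"
    else:
        hhs = f"annual log by {annual_log_deadline(discovery).isoformat()}"
    return {
        "notification_required": True,
        "discovery": discovery,
        "individual_notice_by": deadline,
        "days_remaining": days_remaining(discovery, today),
        "hhs_notice": hhs,
        "media_notice_states": sorted(
            s for s, n in affected_by_state.items() if n > MEDIA_THRESHOLD_PER_STATE),
    }


# Constructed timeline mirroring the article's S3 example (day 1 = 2024-03-01).
S3_TIMELINE = [
    TimelineEvent(date(2024, 3, 1), "on-call engineer flags S3 bucket exposing patient records", True),
    TimelineEvent(date(2024, 3, 14), "security team confirms exposure", True),
    TimelineEvent(date(2024, 3, 21), "legal makes formal breach determination", True),
]

if __name__ == "__main__":
    # Constructed counts: 1,200 individuals, 800 of them California residents.
    plan = notification_plan(S3_TIMELINE, 1200, {"CA": 800, "NV": 400}, today=date(2024, 3, 21))
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The three knowledge events collapse to the earliest one, which is the point of the discovery definition: the later confirmation and legal determination do not move the clock. Swap the constructed dates for your own timeline and the counts for your scoping results to get the same routing decision for a real incident.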
Frequently Asked Questions
Is there really a 72-hour HIPAA rule?
Federal HIPAA does not have a 72-hour rule. The federal Breach Notification Rule sets a 60-day outer limit. Some state laws have shorter notification windows for healthcare data (California’s CMIA-related reporting rules for licensed facilities have tight timelines), and GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach affecting EU residents, which sometimes gets conflated with HIPAA in healthcare SaaS contexts.
Do we notify before we are certain a breach happened?
Run the investigation and the notification workflow in parallel. The clock is already running. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. If your investigation reaches that conclusion before the 60-day window closes, you stop the notification process and keep the assessment on file. If you cannot reach it, you notify within the window. Waiting for full certainty is what causes most missed-deadline scenarios.
What if the breach was caused by our vendor (subprocessor)?
Your BAA with the subprocessor obligates them to notify you. Your obligation to notify your covered entity client (or affected individuals, if you are the covered entity) still runs on the 60-day clock from the moment you discovered the breach, regardless of where in the chain the incident originated.
Where to Go From Here
Breach response readiness is one of the seven HIPAA gaps in the Compliance Snapshot. If your team has never walked through an incident response tabletop or written a breach notification template, that is the fastest way to identify and close the gaps before an incident forces the issue.
Related Services
Compliance Snapshot: 10-hour HIPAA gap assessment including breach response readiness.
Policy Foundation: drafts the breach response procedure, notification templates, and incident response playbook for HIPAA programs.
Embedded Principal: ongoing fractional compliance ownership including incident advisory and notification support.
Recommended Reads
HHS Breach Portal for required breach reporting submissions
OCR enforcement summaries (look at the Breach Notification Rule resolution agreements for examples of penalty patterns and root causes)