HIPAA Breach Notification. 60 Days. The Clock Started Yesterday.
You just learned protected health information was exposed. Petronella Technology Group runs the forensic preservation, the 45 CFR 164.402 risk assessment, the OCR-ready breach report, and the state Attorney General notification packets so your counsel and your carrier do not have to invent the playbook in the next 72 hours.
The 60-Day HIPAA Breach Notification Clock: When It Starts, What It Triggers
Most covered entities lose two weeks arguing about when the clock started. The Office for Civil Rights enforces a discovery-based timeline, not an investigation-completed timeline. Here is how it actually runs.
Discovery is when any workforce member knew or should have known
Under 45 CFR 164.404(a)(2), a breach is treated as discovered the first day it is known to the covered entity, or by exercising reasonable diligence would have been known, by any person other than the person who committed the breach. That includes a help-desk technician opening a ticket, a billing clerk seeing a suspicious export, or a clinician noticing a missing laptop. You do not get to defer the clock until the investigation is complete or until executive leadership is briefed. The day the first qualified workforce member learns of the incident is Day 0.
That single sentence in the rule is responsible for the majority of late-notification settlements the Office for Civil Rights has published. Organizations document discovery on the day the CIO was briefed, not on the day a tier-one analyst opened the SIEM alert two weeks earlier. When OCR pulls the SIEM, the email threads, the SOC ticket history, and the help-desk audit log, the earlier date becomes the operative date and every notification window is recalculated from there.
Three notification audiences, three different deadlines
The Breach Notification Rule does not impose a single 60-day deadline. It imposes three deadlines that apply to three audiences, and the largest breaches add a fourth.
Affected Individuals
Written notice to each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery (45 CFR 164.404).
HHS Secretary (500+ records)
For breaches affecting 500 or more individuals, OCR notification is concurrent with individual notice (45 CFR 164.408). Breaches affecting fewer than 500 individuals are batched into an annual log submitted by calendar year.
Prominent Media
If the breach affects more than 500 residents of a state or jurisdiction, prominent media notice in that state is required (45 CFR 164.406).
Business associate special rule: Under 45 CFR 164.410, a business associate must notify the covered entity of a breach without unreasonable delay and no later than 60 days from discovery. The covered entity then runs its own 60-day clock from the date the business associate notified them, unless the business associate is acting as the covered entity's agent under federal common-law agency principles. If agency applies, the business associate's discovery date is imputed to the covered entity and the original 60-day clock applies. This distinction is contractually fixed in the Business Associate Agreement.
Smaller breaches: the annual log batch
For breaches affecting fewer than 500 individuals, the covered entity must maintain a log and submit it to OCR within 60 days after the end of the calendar year in which the breaches were discovered. The individual notification 60-day rule still applies even for small breaches. The log is an additional obligation, not a substitution.
Most regional health systems carry a running roster of small-breach incidents, typically misdirected faxes, lost paper records, mis-mailed explanation-of-benefits letters, and lost or stolen unencrypted USB drives. Petronella Technology Group's HIPAA practice maintains a structured breach log alongside our client risk registers so the annual OCR submission is a 30-minute export rather than a quarterly reconstruction project.
What workforce training has to cover
OCR Resolution Agreements consistently penalize covered entities whose workforce training does not specifically address breach discovery and escalation. If your security awareness training is generic phishing-quiz material with no module on what triggers the clock, who to call, and how the matter gets escalated to the Privacy Officer within 24 hours, that training will not survive a Corrective Action Plan negotiation. Petronella delivers a Breach Discovery and Escalation module as part of our managed HIPAA program.
Risk Assessment First: The 4-Factor Analysis That Determines Whether You Must Notify
Not every impermissible use or disclosure of PHI is a reportable breach. Under 45 CFR 164.402, an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised, based on a four-factor risk assessment. The burden of proof is on you.
The presumption that bites covered entities
Read the rule carefully: every impermissible use or disclosure is presumed to be a breach. The clock starts running on Day 0 by default. The four-factor risk assessment is the legal mechanism by which a covered entity can rebut that presumption. If the documented assessment supports a low-probability conclusion, the incident is not a reportable breach. If the assessment is conclusory, undocumented, or missing one of the four factors, the presumption stands and the notifications go out.
Many in-house teams treat the risk assessment as a discretionary judgment call. OCR treats it as a documented evidentiary process. The difference shows up in the Office for Civil Rights' published Resolution Agreements: covered entities that performed undocumented risk assessments and chose not to notify have paid seven-figure settlements and signed multi-year Corrective Action Plans.
The four factors per 45 CFR 164.402(2)
Nature and extent of the PHI involved
Types of identifiers, likelihood of re-identification, sensitivity of the clinical content. Treatment notes for substance use disorder, mental health, or HIV status carry weight that demographic-only data does not. A name plus a diagnosis code is qualitatively different from a name plus a date of last appointment.
The unauthorized person who used or received the PHI
A misdirected fax that arrived at another HIPAA-covered provider is materially different from a misdirected fax that arrived at a marketing firm or a personal residence. Recipients with independent legal obligations to safeguard PHI lower the probability of compromise. Recipients with no such obligation raise it.
Whether the PHI was actually acquired or viewed
Forensic artifacts matter here. Did the file get opened, exfiltrated, screen-recorded, or simply sit at rest on a compromised endpoint? Petronella's DFE-led forensic preservation establishes this factor with evidence rather than conjecture. EDR file-access telemetry, M365 audit logs, and SaaS access logs are the primary sources.
Extent to which the risk has been mitigated
Did you obtain satisfactory assurances of destruction or non-use from the unauthorized recipient? Were credentials rotated, sessions invalidated, encryption keys re-issued, and forensic confirmation captured? Mitigation has to be documented contemporaneously, not reconstructed after a complaint is filed.
Petronella's conservative-interpretation default: Where the four-factor analysis produces a close call, our recommendation to counsel is to notify. The cost of a defensible notification is contained. The cost of a defensible non-notification that is later second-guessed by OCR, a state Attorney General, or a class-action plaintiff's bar is not. We document the assessment thoroughly either way, but we lean toward notification when factors are mixed.
Three encryption-or-destruction safe harbors that fully exit the rule
The Breach Notification Rule applies only to unsecured PHI. PHI that is encrypted in compliance with the Department of Health and Human Services Guidance issued under HITECH Section 13402(h)(2), or that has been properly destroyed per the same guidance, is not subject to breach notification because it is not unsecured PHI. The relevant standards are NIST SP 800-111 for data at rest (FIPS 140-2 validated cryptographic modules) and NIST SP 800-52 / 800-77 / 800-113 for data in transit. Paper records destroyed by shredding, burning, pulverizing, or pulping so that PHI cannot be read or reconstructed are also outside the rule.
This is why the question after a lost laptop is always: was the full-disk encryption enabled, was the recovery key escrowed properly, and can you produce contemporaneous evidence that the device was encrypted at the moment of loss? An after-the-fact BitLocker enablement report does not save you. A BitLocker or FileVault encryption log from the device-management platform timestamped before the loss does.
The OCR Wall of Shame: What Listing Costs You
The HHS Breach Portal is publicly searchable. Every breach affecting 500 or more individuals lands there permanently. Patients, journalists, state Attorneys General, and class-action plaintiffs' firms read it daily.
How the portal entry actually reads
Each portal entry lists the covered entity's name, the state, the covered entity type, the individuals affected, the breach submission date, the breach type (hacking, unauthorized access, theft, loss, improper disposal), and the location of the breached information (network server, email, paper, electronic medical record, laptop, desktop, portable electronic device). For breaches still under investigation, the entry remains in the active list. For closed investigations, the entry moves to the archive but stays publicly available. There is no expiration.
Within 30 days of a portal listing, plaintiffs' counsel typically files a putative class-action lawsuit in federal court using the portal entry as the predicate fact pattern. State Attorneys General with active health-privacy enforcement programs (including New York, California, Texas, Massachusetts, and Connecticut) routinely open parallel investigations citing the portal entry. Several states require additional notification triggers that the federal Breach Notification Rule does not.
The settlement-and-CAP economics
Office for Civil Rights settlements over the last decade have routinely included six- and seven-figure financial components plus a Corrective Action Plan running two to three years. The CAP terms typically include an external monitor, quarterly written progress reports, mandatory risk analyses, workforce retraining, and policy revisions subject to OCR approval. The financial settlement is rarely the largest cost. The CAP and the parallel class-action defense are.
A representative pattern: hacking incident exposing 50,000 records, OCR settlement in the high six figures, two-year CAP, parallel class action settled for low seven figures (largely consumed by credit monitoring offers), legal defense in the high six figures, breach-response forensic and notification costs in the mid six figures, premium increases on cyber-insurance renewal of 40 to 80 percent. The total cost of a single mid-size breach commonly clears two to three million dollars.
State-by-State Notification Variance: 50 Different Clocks
HIPAA is the floor, not the ceiling. Every state has its own data breach notification statute, and most apply on top of HIPAA, not in place of it. A single multi-state patient roster will routinely trigger 5 to 15 parallel state notifications, each on its own clock with its own content requirements and its own regulator.
Why state law compounds rather than replaces HIPAA
HIPAA does not preempt state laws that are more stringent. A state statute is more stringent if it gives individuals greater privacy rights, more notification, broader access, or a shorter notification window. In practice, the state statute almost always qualifies as more stringent on at least one of those points. A 2024 multi-jurisdiction breach response will commonly involve HIPAA notification, plus a state Attorney General notification under that state's general breach statute, plus a separate health-data notification under specialty statutes that several states have enacted (Texas Medical Records Privacy Act, California Confidentiality of Medical Information Act, New York SHIELD Act). The clocks rarely align.
North Carolina as the in-state example
For our home jurisdiction: North Carolina General Statute 75-65 requires notification to the Attorney General's office and to affected residents when a security breach involves personal information. The statute defines triggering data, prescribes content requirements, and requires notice without unreasonable delay. For HIPAA-covered entities, the state notification stacks on top of the federal Breach Notification Rule, not in place of it. Petronella Technology Group's HIPAA breach response service includes the NC Attorney General notification packet preparation as a default deliverable for any client based or operating in North Carolina.
| Audience | HIPAA Window | Typical State Window | Often Stacks? |
|---|---|---|---|
| Affected individuals | 60 days from discovery | Most: without unreasonable delay; many cap at 30 to 90 days | Yes, more stringent applies |
| State Attorney General | Not required federally | Most states require if threshold met (varies 250 to 1,000+ residents) | Yes, separate notification |
| HHS Secretary (500+) | 60 days from discovery | Not applicable | Federal only |
| Consumer reporting agencies | Not required federally | Several states (e.g. California, Texas) require if threshold met | Yes, additional |
| Prominent media (500+ in state) | 60 days from discovery | Not generally required | Federal driver |
Generalizations above are for orientation only. Each specific notification in a multi-state matter is governed by that state's statute as written and as interpreted by that Attorney General's office. Petronella Technology Group prepares jurisdiction-specific notification packets in coordination with breach counsel.
Multi-state scenario: A regional health system in Raleigh discovers a breach affecting patients seen during travel, telehealth visits, or out-of-state employer relationships. The affected-individuals roster spans 18 states. Each state's threshold, regulator-notification requirement, content rules, and timeline must be evaluated. Petronella delivers a single tracker spreadsheet aligned to the breach counsel's case management system, with parallel timelines and content checklists per jurisdiction.
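A deadline calculator for the clocks described above: the discovery rule in 45 CFR 164.404(a)(2), the three federal audiences, the sub-500 annual log, the business associate rule, and the "more stringent applies" stacking of state windows from the table. This is an added example written for this page, not Petronella's tracker; the scenario dates and resident counts are constructed, and the per-state rule values are placeholders supplied by the caller rather than any state's actual statute.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

FEDERAL_WINDOW = timedelta(days=60)   # 45 CFR 164.404, 164.408, 164.410
HHS_CONCURRENT_AT = 500               # 45 CFR 164.408: 500+ individuals
MEDIA_OVER = 500                      # 45 CFR 164.406: more than 500 residents of a state


@dataclass
class BreachFacts:
    # (who, when) for each workforce member/agent who learned of the incident,
    # excluding the perpetrator. Day 0 is the EARLIEST, not the executive briefing.
    knowledge_events: list[tuple[str, date]]
    residents_by_state: dict[str, int]
    # Per-state rules supplied by counsel as (AG threshold, window in days).
    # PLACEHOLDER structure only; not a statement of any state's statute.
    state_rules: dict[str, tuple[int, int]] = field(default_factory=dict)
    ba_discovered: date | None = None     # business associate (BA) facts, if any
    ba_notified_ce: date | None = None
    ba_is_agent: bool = False             # federal common-law agency per the BAA


def covered_entity_day0(f: BreachFacts) -> date:
    """Day 0 for the covered entity (CE) under 45 CFR 164.404(a)(2)/164.410:
    the CE's own earliest knowledge; an agent BA's discovery date is imputed;
    a non-agent BA starts the CE clock on the day it notified the CE."""
    candidates = [d for _, d in f.knowledge_events]
    if f.ba_discovered is not None:
        if f.ba_is_agent:
            candidates.append(f.ba_discovered)
        elif f.ba_notified_ce is None:
            raise ValueError("non-agent BA: the date the BA notified the CE is required")
        else:
            candidates.append(f.ba_notified_ce)
    if not candidates:
        raise ValueError("no discovery facts supplied")
    return min(candidates)


def deadlines(f: BreachFacts) -> dict[str, date]:
    """Deadlines keyed by audience. State entries apply the 'more stringent
    wins' rule: the earlier of the federal and the state window."""
    day0 = covered_entity_day0(f)
    federal = day0 + FEDERAL_WINDOW
    out: dict[str, date] = {"individuals": federal}                  # 45 CFR 164.404
    if sum(f.residents_by_state.values()) >= HHS_CONCURRENT_AT:
        out["hhs_secretary"] = federal                                # concurrent, 164.408
    else:  # sub-500: log due 60 days after the end of the calendar year of discovery
        out["hhs_annual_log"] = date(day0.year, 12, 31) + FEDERAL_WINDOW
    for state, n in f.residents_by_state.items():
        if n > MEDIA_OVER:
            out[f"media:{state}"] = federal                           # 45 CFR 164.406
        if state in f.state_rules:
            threshold, days = f.state_rules[state]
            state_due = day0 + timedelta(days=days)
            out[f"individuals:{state}"] = min(federal, state_due)
            if n >= threshold:
                out[f"ag:{state}"] = state_due
    if f.ba_discovered is not None:
        out["ba_must_notify_ce"] = f.ba_discovered + FEDERAL_WINDOW   # 45 CFR 164.410
    return out


if __name__ == "__main__":
    # Constructed scenario: a SOC analyst opened the alert on 3 Mar, the CIO was
    # briefed on 17 Mar. Federal Day 0 is 3 Mar. State rule values are placeholders.
    facts = BreachFacts(
        knowledge_events=[("cio", date(2025, 3, 17)), ("soc_analyst", date(2025, 3, 3))],
        residents_by_state={"NC": 41_200, "VA": 612, "SC": 480, "TN": 75},
        state_rules={"NC": (1, 45), "SC": (1000, 45)},   # placeholders, not statute
    )
    for audience, due in sorted(deadlines(facts).items()):
        print(f"{audience:<16} {due}")
```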
Petronella's HIPAA Breach Response Playbook
Run by a Digital Forensics Examiner (Craig Petronella, DFE #604180) with CMMC Registered Practitioner certification and an MIT-certified background in AI and blockchain. Every engagement is structured so that breach counsel and the cyber-insurance carrier inherit a defensible evidentiary record, not a reconstruction project.
24-Hour Stabilization and Scoping
Inbound call routed to Penny, our AI dispatcher, who pages the on-call DFE-led response team. Engagement letter and statement of work delivered within hours, structured under direction of counsel where possible so the work product carries privilege. Initial scoping call within 24 hours covers regulatory scope, environment topology, the access path, the affected systems, and the known dwell time. No forensic action taken until the engagement is papered and the chain of custody log is opened.
Forensic Preservation with Chain of Custody
Where warranted: forensic disk images with hash baselining (MD5 plus SHA-256), volatile memory captures from live systems, EDR telemetry exports preserved in original format, M365 and Google Workspace unified audit logs, firewall and proxy logs, identity provider sign-in logs, cloud audit logs (AWS CloudTrail, Azure Activity Log, Microsoft 365 Audit). Every collection event is logged with collector identity, time, source, destination, integrity hashes, and transport method. Evidence is stored in our segregated forensic vault at the Raleigh lab.
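The hash baselining and collection-event logging described in this step, as an added example that is not Petronella's evidence tooling: each file is hashed once with MD5 and SHA-256 in a streaming pass, every collection event is appended to a custody log with the collector, time, source, destination, integrity hashes and transport, and the log can later be re-verified against the stored evidence. The evidence file, host name and paths used are constructed.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB disk images never load into RAM


def hash_file(path: Path) -> dict[str, str]:
    """MD5 plus SHA-256 of one file, computed in a single read pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def record_collection(log: Path, *, collector: str, source: str,
                      destination: Path, transport: str, note: str = "") -> dict:
    """Append one collection event to the custody log (JSON lines, append-only):
    collector identity, UTC time, source, destination, hashes, transport."""
    entry = {
        "event": "collection",
        "collector": collector,
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": source,
        "destination": str(destination),
        "transport": transport,
        "note": note,
        **hash_file(destination),
    }
    with log.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_custody(log: Path) -> list[dict]:
    """Re-hash every destination in the log. Returns the entries whose current
    hashes differ from those recorded at collection; an empty list means intact."""
    drift = []
    for line in log.read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        current = hash_file(Path(entry["destination"]))
        if current != {"md5": entry["md5"], "sha256": entry["sha256"]}:
            drift.append({**entry, "current": current})
    return drift


if __name__ == "__main__":
    # Constructed demo: a small stand-in for a disk image, logged and then verified.
    vault = Path(tempfile.mkdtemp(prefix="vault-"))
    image = vault / "HOST-042-sda.img"          # constructed evidence file name
    image.write_bytes(b"constructed image bytes")
    log = vault / "custody.jsonl"
    record_collection(log, collector="examiner-1", source="HOST-042 /dev/sda",
                      destination=image, transport="hand-carried to lab")
    print("drift after collection:", verify_custody(log))   # expected: []
```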
4-Factor Risk Assessment per 45 CFR 164.402
Structured assessment documenting each of the four factors with evidence rather than conclusions. The deliverable is a memorandum to counsel that supports either the low-probability-of-compromise determination or the affirmative breach determination, with the underlying evidence cited and indexed. Counsel makes the final notification call; our role is to provide the evidentiary foundation for that decision.
OCR-Ready Breach Report Preparation
For breaches that move to notification, we prepare the HHS Breach Portal submission package: breach summary, individuals affected, breach type and location of PHI, date of breach and discovery, brief description of the breach, safeguards in place before the breach, and actions taken in response. The submission is reviewed by counsel before filing. For sub-500 breaches we maintain the running annual log for the year-end submission.
State Attorney General Notification Packets
For each state with affected residents, we prepare the jurisdiction-specific notification packet including AG notice form, sample individual notice text, breach summary, mitigation steps, and consumer protection resources. NC AG, California Attorney General, Texas Attorney General, New York Attorney General, and Massachusetts AG packets are templated and updated each year. Counsel reviews and submits.
Business Associate Agreement Review and Counterparty Coordination
When the breach involves or implicates a business associate, we pull every active BAA in scope, identify the notification timing and content requirements, and coordinate either inbound notification (you are the covered entity) or outbound notification (you are the business associate). Petronella maintains a BAA inventory tool that makes this a same-day exercise rather than a multi-week document hunt.
Containment, Eradication, and Recovery
Parallel to the notification track: credentials rotated, sessions invalidated, malicious persistence removed, vulnerable systems patched or rebuilt, network segmentation tightened, EDR coverage validated, MFA enforcement extended where gaps exist. Recovery is structured around the NIST SP 800-61 incident response lifecycle so the evidentiary record and the operational restoration do not contaminate each other.
Post-Incident Report and Corrective Action Plan Input
Within 30 days of closure, a written post-incident report covering timeline, root cause, evidence summary, regulatory notifications submitted, and recommended corrective actions. If OCR opens an inquiry or issues a Corrective Action Plan, this report and the underlying chain-of-custody evidence are what the CAP negotiation is built on. Petronella stays engaged through the OCR resolution where the client requests it.
When to Pay (Or Not Pay) Cyber Insurance Claims
Most cyber-insurance denials in HIPAA breach matters trace to the same three failure modes. Knowing them before the loss notice goes in changes the outcome.
IR provider credentialing is non-optional
Most cyber policies maintain a panel of pre-approved incident response providers. Engaging a non-panel firm without prior carrier approval routinely voids coverage for those costs. The right sequence is: notify the breach coach attorney designated by the carrier, who in turn coordinates IR provider selection from the panel and obtains pre-approval if a non-panel firm is preferred. Petronella Technology Group is positioned to coordinate with breach coach counsel under that structure; we recommend the engagement letter be papered by counsel for both privilege and coverage reasons.
Forensic findings drive the coverage analysis
Common denial bases include misrepresentation in the application (a security control claimed in the renewal questionnaire was not actually deployed), failure to maintain stated controls (MFA was enabled at renewal but disabled on the breached account), and exclusions for prior-known incidents (the SOC ticket trail shows the dwell time predates the policy effective date). Our forensic record either supports or undermines each of these denial bases. We deliver findings in a format that lets coverage counsel respond directly to reservation-of-rights letters.
Sequencing IR and carrier coordination
Day 0 to Day 2: open the breach engagement, notify the carrier (most policies require notice within a tight window of discovery), retain breach coach counsel via the carrier panel. Day 2 to Day 14: forensic preservation, 4-factor risk assessment, notification preparation. Day 14 to Day 60: notifications transmitted, OCR submission filed, state AG packets sent, individual notice letters mailed, credit monitoring engaged. The carrier funds the work on an as-incurred basis where the engagement was opened under the policy framework. Skipping the carrier in week one to get a head start almost always backfires on the back end.
FAQ: HIPAA Breach Notification Response
Most-asked questions from covered entities and business associates in the first 72 hours after discovery.
What exactly counts as "discovery" of a HIPAA breach?
Under 45 CFR 164.404(a)(2), discovery is the first day the breach is known, or by exercising reasonable diligence would have been known, to any workforce member or agent (other than the person who committed the breach). That includes a help-desk technician, a billing clerk, a SOC analyst, or a clinician. Discovery is not the day the CIO or General Counsel was briefed. When OCR reviews the SIEM, ticket history, and email threads, the earliest qualifying date becomes the operative date and every notification window recalculates from there. Document discovery on the actual earliest date and start the clock honestly.
Do I have to notify every state where an affected individual lives?
Almost always yes, but the answer is jurisdiction-by-jurisdiction. HIPAA does not preempt more-stringent state laws, and most state breach notification statutes apply on top of HIPAA when state residents are affected. State Attorney General notification triggers vary (often 250 or 500 residents). Content requirements vary. Timelines vary. A single multi-state breach commonly involves 5 to 15 separate state-level notifications in addition to the federal HHS Breach Portal submission. Petronella Technology Group prepares jurisdiction-specific packets in coordination with breach counsel so each notification is correct for the state where it lands.
If we encrypted the laptop, do we still have to notify?
Generally no, provided the encryption meets HHS guidance under HITECH Section 13402(h)(2). The Breach Notification Rule applies only to unsecured PHI. PHI encrypted with FIPS 140-2 validated cryptography (NIST SP 800-111 for data at rest) is not unsecured PHI and falls outside the rule. The critical evidentiary point: you need contemporaneous proof that encryption was enabled at the moment of loss. A BitLocker or FileVault encryption status report from the device management platform timestamped before the loss is the right artifact. An after-the-fact enablement report is not. We pull that evidence during the forensic preservation phase.
Can the 4-factor risk assessment let us legitimately skip notification?
Yes, when the assessment supports a low-probability-of-compromise conclusion under 45 CFR 164.402 and is fully documented with evidence. The presumption favors notification: every impermissible use or disclosure is presumed to be a breach unless the covered entity rebuts the presumption. A documented assessment that addresses each of the four factors (nature and extent of PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and mitigation) can support a non-notification determination. An undocumented or conclusory assessment will not survive OCR scrutiny. Petronella's role is to produce the evidentiary record; counsel makes the notification call.
What is the difference between a covered entity and a business associate breach?
Covered entities (providers, health plans, healthcare clearinghouses) hold the primary notification obligation under 45 CFR 164.404, 164.406, and 164.408. Business associates have a derivative obligation under 45 CFR 164.410: notify the covered entity without unreasonable delay and no later than 60 days from discovery. The covered entity then runs its own 60-day clock from receipt of the BA notification, unless agency principles apply (in which case the BA's discovery date is imputed to the covered entity). Whether agency applies is fact-specific and is fixed contractually in the BAA. We review the BAA, the operational relationship, and the federal common-law agency factors as part of the engagement.
Are you a CMMC-aligned IR firm that can also handle DFARS reporting if we are a defense contractor?
Yes. Petronella Technology Group is a CMMC Registered Practitioner Organization (CyberAB RPO #1449) and our IR practice satisfies CMMC IR.L2-3.6.1 (incident handling), IR.L2-3.6.2 (incident reporting), and IR.L2-3.6.3 (incident response testing) for organizations at L1, L2, or L3. When CUI is involved, we coordinate DFARS 252.204-7012 reporting via the DIBNet portal in parallel with the HIPAA notification track if the same incident touches both regimes. Many healthcare-adjacent defense contractors and DoD subcontractors face this dual-regime scenario; we are built for it.
Day 0 or Day 30, the Same Phone Number
If you discovered a HIPAA breach this week, call. If you are not actively breached but want the runbook in place before you ever need it, call. Same Raleigh team, same DFE credential, same 45 CFR 164.402 evidentiary discipline.