A healthcare breach triggers multiple notification obligations, each with its own clock, definition of trigger, and scope. The federal HIPAA 60-day clock is the most familiar, but it is rarely the only clock. State attorneys general have their own timelines. CMS has reporting obligations for specific programs. International patients pull in GDPR's 72-hour rule. Each has different consequences for missing the deadline.
This article maps the major clocks, explains when each starts, and sequences the notifications so nothing gets missed.
The HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule (45 CFR §§164.400–414) requires covered entities to notify affected individuals, HHS, and in larger breaches, prominent media.
When the Clock Starts
The clock starts on the date the breach is discovered. Discovery is defined as the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is a workforce member or agent of the covered entity.
"Reasonably should have known" matters. You cannot extend the clock by declining to investigate a suspicious event. If your monitoring detected unusual access on a Tuesday and you didn't look at the alert until the following Monday, your discovery date is likely still the Tuesday.
Individual Notification
Notify affected individuals without unreasonable delay, and no later than 60 calendar days after discovery. Notification must be by first-class mail (or by email if the individual has agreed to electronic notice). Substitute notice may be used if contact information is insufficient.
HHS Notification
For breaches affecting fewer than 500 individuals, HHS must be notified within 60 days after the end of the calendar year. For breaches affecting 500 or more individuals, HHS must be notified concurrently with individual notification — in no event later than 60 days after discovery.
Media Notification
For breaches affecting 500+ residents of a state or jurisdiction, prominent media outlets serving that state or jurisdiction must be notified. Same 60-day deadline.
Business Associate Notification to Covered Entity
A business associate must notify the covered entity of any breach without unreasonable delay, and no later than 60 days after discovery. In practice, business associate agreements (BAAs) frequently shorten this to 24, 48, or 72 hours to give the covered entity time to meet its own 60-day individual notification deadline.
State Attorney General Notifications
State AG notification requirements vary widely. Key examples:
Texas
Texas Identity Theft Enforcement and Protection Act (§521.053): if 250+ Texas residents affected, notify Texas AG within 30 days of determining the breach occurred. Applies to any breach affecting Texas residents, regardless of business location.
California
California law requires AG notification when 500+ California residents are affected, via an online submission form. Timing is "most expedient time possible and without unreasonable delay."
New York
SHIELD Act requires notification to NY Attorney General, NY Department of State, and NY State Police for any SHIELD-covered breach affecting NY residents. Timing is "as expediently as possible."
Massachusetts
201 CMR 17 requires notification to the MA Attorney General and the Director of Consumer Affairs, and specifies what the notice must contain.
Other States
Most states have AG notification requirements, often triggered by breach size (50+, 250+, 500+, or 1,000+ residents depending on state). Consult a breach-notification matrix current to the incident date — requirements change frequently.
GDPR: The 72-Hour Rule
If the breach affects personal data of individuals in the European Economic Area, GDPR Article 33 requires notification to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
"Becoming aware" is interpreted to mean having a reasonable degree of certainty that a breach has occurred. An initial alert that turns out to be a false positive does not start the clock; confirmed discovery does.
For US healthcare practices, GDPR applies if:
- The practice offers services to EEA residents (some telehealth and specialty practices)
- The practice monitors EEA residents' behavior (some research and clinical trials contexts)
- Data on EEA residents is processed, regardless of the residents' location at the time of the breach
The 72-hour clock is the tightest notification timeline US healthcare organizations routinely face. If GDPR applies, it drives the schedule.
CMS Reporting for Specific Programs
Providers participating in specific CMS programs have additional reporting obligations:
- Medicare / Medicaid participating entities: Privacy and security incidents affecting these programs may require reporting to CMS or state Medicaid agencies under contract
- Medicare Advantage and Part D plans: additional CMS notification obligations
- Health Information Exchanges: may have contractual reporting obligations that flow to participating providers
Other Potential Notifications
- Consumer Reporting Agencies: many state laws require CRA notification for large breaches
- Cyber insurance carrier: immediately, to activate coverage and engage breach coach
- Law enforcement (FBI, CISA, state AG cybercrime unit): voluntary but recommended, particularly for ransomware
- Professional licensing boards: some states require notification of breaches affecting professional practice
- Accrediting bodies: AAAHC, Joint Commission, and others may have reporting expectations
- Payers and health plans: contractual obligations may require notification
- Business partners: other covered entities whose data was affected
Sequencing: What to Do First
On discovery, the sequencing usually looks like:
- Hour 0–1: Internal incident declaration, containment, preservation of evidence
- Hour 1–4: Cyber insurance carrier notification, engagement of breach coach (outside counsel)
- Hour 4–24: Forensics engagement begins, law enforcement notification (voluntary) if recommended
- Hour 24–72: GDPR 72-hour clock expires if applicable; preliminary scope understood; communication planning begins
- Day 3–30: Forensic scope finalized; individual lists compiled; notification letters drafted; state AG notifications queued
- Day 30–60: Individual notification letters mailed; state AG notifications sent; HHS notification submitted; media notification if applicable
- Day 60–90: Response monitoring; call center operations; credit monitoring enrollment tracking
- Day 90–365: OCR follow-up inquiries, state AG follow-up, any civil litigation
Substitute and Delayed Notification
HIPAA permits substitute notice if contact information is insufficient. Substitute notice includes conspicuous posting on the covered entity's website home page and notice in major print or broadcast media.
Law enforcement can request delayed notification if notice would impede a criminal investigation or cause damage to national security. The delay request must be in writing; an oral request must be followed by a written request within 30 days or the delay expires.
The Most Common Timing Failures
- Treating "discovery" as "investigation complete" — the clock starts earlier
- Focusing only on HIPAA and missing state AG clocks
- Missing the GDPR 72-hour clock entirely because the organization didn't know it applied
- Late cyber insurance notification, forfeiting coverage
- Counting business days when the rule says calendar days
Build the Playbook Before the Event
Notification timelines cannot be worked out for the first time during an event. They have to be pre-built, rehearsed, and updated as regulations change. Every healthcare organization's incident response playbook should include a notification matrix with every applicable clock, trigger, recipient, and content requirement.
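The notification matrix described above can be pre-built as code so that, on discovery, the response team enters the discovery timestamp and head counts and gets every applicable clock back in due-date order. The following is an added example, not code from the article or from Techvera; it encodes only the clocks and thresholds the article states (HIPAA 60 calendar days, the HHS annual log for under 500, media for 500+ residents of one state, Texas 250+/30 days, California 500+, GDPR 72 hours from awareness) and treats Texas's "determining the breach occurred" as the HIPAA discovery date, which is the conservative choice. It also counts the same HIPAA deadline in business days, purely to show how large the miscount is. State rules change, so the thresholds are a starting point to be checked against a current matrix, not a substitute for one.

```python
"""Breach-notification clock matrix (added example; thresholds are those stated in
the article and are assumptions to be re-checked against current law)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

HIPAA_DAYS = 60            # calendar days from discovery, 45 CFR 164.404/164.408
GDPR_HOURS = 72            # GDPR Art. 33, from "becoming aware"
TEXAS_AG_DAYS = 30         # Tex. Bus. & Com. Code 521.053, 250+ Texas residents
TEXAS_AG_THRESHOLD = 250
CALIFORNIA_AG_THRESHOLD = 500
LARGE_BREACH = 500         # HHS concurrent notice; media notice per state


@dataclass
class Incident:
    discovered_at: datetime                   # known, or reasonably should have been known (tz-aware)
    affected_total: int
    residents_by_state: dict[str, int]        # two-letter state code -> affected residents
    eea_data_subjects: bool = False
    gdpr_aware_at: Optional[datetime] = None  # "reasonable degree of certainty"; defaults to discovery
    gdpr_risk_unlikely: bool = False          # Art. 33 exception, documented risk assessment


@dataclass
class Deadline:
    recipient: str
    basis: str
    due: Optional[datetime]   # None = "without unreasonable delay", no fixed day count


def _calendar_days(start: datetime, n: int) -> datetime:
    """Every clock here is calendar days; weekends and holidays do not pause it."""
    return start + timedelta(days=n)


def hipaa_deadlines(inc: Incident) -> list[Deadline]:
    d = inc.discovered_at
    rows = [Deadline("Affected individuals",
                     f"HIPAA: no later than {HIPAA_DAYS} calendar days from discovery",
                     _calendar_days(d, HIPAA_DAYS))]
    if inc.affected_total >= LARGE_BREACH:
        rows.append(Deadline("HHS/OCR", "HIPAA: 500+ affected, concurrent with individual notice",
                             _calendar_days(d, HIPAA_DAYS)))
    else:
        # Annual log: 60 days after the end of the calendar year of discovery.
        year_end = datetime(d.year, 12, 31, tzinfo=d.tzinfo)
        rows.append(Deadline("HHS/OCR (annual log)", "HIPAA: <500 affected, 60 days after year end",
                             _calendar_days(year_end, 60)))
    for state, n in inc.residents_by_state.items():
        if n >= LARGE_BREACH:
            rows.append(Deadline(f"Media ({state})", "HIPAA: 500+ residents of one state",
                                 _calendar_days(d, HIPAA_DAYS)))
    return rows


def state_ag_deadlines(inc: Incident) -> list[Deadline]:
    d = inc.discovered_at
    rows: list[Deadline] = []
    if inc.residents_by_state.get("TX", 0) >= TEXAS_AG_THRESHOLD:
        rows.append(Deadline("Texas AG", f"{TEXAS_AG_DAYS} days from determination (discovery used)",
                             _calendar_days(d, TEXAS_AG_DAYS)))
    if inc.residents_by_state.get("CA", 0) >= CALIFORNIA_AG_THRESHOLD:
        rows.append(Deadline("California AG", "most expedient time possible, online form", None))
    if inc.residents_by_state.get("NY", 0) > 0:
        rows.append(Deadline("NY AG, Dept of State, State Police", "SHIELD Act: as expediently as possible", None))
    if inc.residents_by_state.get("MA", 0) > 0:
        rows.append(Deadline("MA AG and Director of Consumer Affairs", "201 CMR 17 content requirements", None))
    return rows


def gdpr_deadline(inc: Incident) -> Optional[Deadline]:
    if not inc.eea_data_subjects or inc.gdpr_risk_unlikely:
        return None
    aware = inc.gdpr_aware_at or inc.discovered_at
    return Deadline("EEA supervisory authority", f"GDPR Art. 33: {GDPR_HOURS} hours from awareness",
                    aware + timedelta(hours=GDPR_HOURS))


def notification_matrix(inc: Incident) -> list[Deadline]:
    """All applicable clocks, hard deadlines first in due order, open-ended ones last."""
    rows = hipaa_deadlines(inc) + state_ag_deadlines(inc)
    g = gdpr_deadline(inc)
    if g is not None:
        rows.append(g)
    rows.sort(key=lambda r: (r.due is None, r.due or inc.discovered_at))
    return rows


def business_days_after(start: date, n: int) -> date:
    """The WRONG way to count a calendar-day deadline; kept only to measure the error."""
    cur, added = start, 0
    while added < n:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            added += 1
    return cur


def business_day_miscount(inc: Incident) -> int:
    """How many days late an individual notice would be if someone counted business days."""
    wrong = business_days_after(inc.discovered_at.date(), HIPAA_DAYS)
    right = _calendar_days(inc.discovered_at, HIPAA_DAYS).date()
    return (wrong - right).days


if __name__ == "__main__":
    # Constructed incident: discovered Tuesday 2025-03-04, 1,200 individuals, EEA data involved.
    inc = Incident(datetime(2025, 3, 4, 10, 0, tzinfo=timezone.utc), 1200,
                   {"TX": 300, "CA": 700, "NY": 100}, eea_data_subjects=True)
    for r in notification_matrix(inc):
        print(f"{r.due.isoformat() if r.due else 'no fixed date ':<26} {r.recipient:<40} {r.basis}")
    print(f"business-day miscount on the HIPAA clock: {business_day_miscount(inc)} days late")
```

Run it with the constructed incident and the GDPR clock sorts to the top (three days out), the Texas AG clock follows at 30 days, and every HIPAA row lands on day 60; the open-ended California and New York rows sort last so they are not mistaken for "later". The business-day comparison for that same Tuesday discovery comes out 24 days late, which is the failure the article warns about, made concrete.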
For help building or auditing your incident response and breach notification playbook, see our healthcare incident response resources or schedule a consultation.
About the Author
Team Techvera
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
