Timeliness of breach notification
Plain English Translation
Business associates must provide breach notification to the covered entity without unreasonable delay and in no case later than 60 calendar days after discovering the breach. Notification may not be delayed except where a law enforcement official has requested a hold.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Establish an incident reporting email alias and require all staff to report suspected breaches to the security officer within 24 hours of discovery.
Required Actions (scaleup)
- Implement centralized logging and an incident tracking system with automated SLA timers to ensure the 60-day reporting deadline is never breached.
Required Actions (enterprise)
- Integrate SOAR platforms to automatically detect data exfiltration, isolate impacted systems, and instantly trigger business associate breach notification workflows.
The timeline mandates that a breach must be reported without unreasonable delay and no later than 60 calendar days from the exact date of discovery.
A business associate has a maximum of 60 calendar days to report the breach to the covered entity, though they should do so without unreasonable delay.
It means 60 consecutive days on the calendar, strictly including weekends and holidays, starting from the exact date the breach was discovered.
The clock starts on the very first day the breach is known, or by exercising reasonable diligence would have been known, to any employee of the organization.
It means the organization must report the incident as quickly as it has gathered the necessary facts, rather than artificially waiting until day 60.
The business associate must immediately notify the covered entity on whose behalf they were storing, processing, or transmitting the compromised protected health information.
It explicitly requires business associates to notify covered entities of any unsecured PHI breach without unreasonable delay and strictly within 60 days of discovery.
Yes, under 45 CFR 164.412, notification can be temporarily delayed if a law enforcement official formally states that reporting would impede a criminal investigation.
Missing the notification deadline is a direct violation of HIPAA regulations and can result in severe financial penalties, Office for Civil Rights audits, and contract termination.
Organizations should meticulously track the exact date of discovery, the date the internal investigation concluded, and the exact date the formal notification was transmitted. WatchDog Security's Compliance Center can help organize supporting evidence and audit-ready records tied to those notification milestones.
The main challenge is proving when a breach was discovered, escalated, reviewed, and reported. WatchDog Security's Compliance Center can help centralize evidence, reminders, and control status so teams have a clearer record of whether notification timing obligations were met.
Business associate timing problems often come from unclear vendor ownership, weak SLAs, or outdated assessment records. WatchDog Security's Vendor Risk Management can help maintain vendor catalogs, risk tiers, assessment history, and documented notification expectations before a breach occurs.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | Compliance Content Team | Initial publication |

