The Algorithm
Compliance Engineering · Healthcare · 10 min read · 2026-03-27

HIPAA Breach Notification: Engineering the 60-Day Response You Won't Regret

60 days: the HIPAA breach notification deadline from discovery. Most unprepared organisations spend 45 of them determining scope.

HIPAA's Breach Notification Rule (45 CFR Part 164, Subpart D) gives covered entities and business associates 60 days from discovery to notify affected individuals, HHS, and — for breaches affecting 500+ individuals — the media. Whether you make that deadline depends on engineering decisions made before the breach: automated detection systems, PHI scope determination tooling, and notification workflow automation. Organisations that haven't pre-built these capabilities spend the first three weeks manually reconstructing what data was accessed.

45 CFR § 164.404 requires covered entities to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach affecting their unsecured PHI. The 60-day clock starts at discovery. Under § 164.404(a)(2), discovery occurs when the covered entity knows of the breach — or, by exercising reasonable diligence, would have known. The "reasonable diligence" standard means that if a breach was detectable with your monitoring systems and you didn't detect it, the clock may be running before you know about it. The engineering decisions that determine whether you make the 60-day deadline are made during development, not during incident response.

What the 60 Days Actually Gets Spent On

The technical work required to execute a HIPAA breach notification divides into three phases. Phase 1 (typically days 1-20 for unprepared organisations): scope determination — identifying which PHI was accessed, which individuals are affected, and what the nature of the impermissible disclosure was. Phase 2 (days 20-40): notification preparation — drafting individual notices meeting the content requirements of § 164.404(b), preparing the HHS notification (§ 164.408), and for breaches affecting 500+ individuals in a state, preparing the media notification (§ 164.406). Phase 3 (days 40-60): delivery and documentation — sending notices, tracking delivery confirmation, and preparing the documentation package for OCR submission.

Organisations with no pre-built scope determination capability spend the entire 60 days on Phase 1. The scope determination problem is an engineering problem: it requires knowing, for every data access event in the relevant time window, which PHI fields were accessed, by which identity, through which application path. Without access logs structured to answer this query, you are rebuilding the access history from application logs, database logs, and API logs that were not designed to be queried together — a forensic exercise that routinely takes more than 60 days.

The Engineering Reality

OCR's breach notification audit methodology focuses heavily on whether the covered entity can demonstrate the scope determination: specifically, whether the organisation can identify the complete set of affected individuals within the 60-day window. Organisations that cannot demonstrate complete scope determination — even if they sent a notice — face findings of inadequate breach response. The engineering requirement is not just to detect breaches, but to have the data infrastructure to determine PHI scope within days, not weeks.

Automated PHI Scope Determination

PHI scope determination requires a structured access log that captures: the authenticated identity of every accessor, the specific PHI resources accessed (patient ID, PHI field names), the access timestamp, the access method (API endpoint, database query, application function), and the purpose of access. This is distinct from standard application logging, which captures errors and functional events. It is also distinct from database audit logs, which capture SQL queries but not the higher-level application context. The access log structure that enables scope determination must be designed into the application, not derived retrospectively from existing logs.

The scope determination query that OCR expects: given a time window and a set of access credentials or IP addresses associated with the breach, produce the complete list of patient IDs whose PHI was accessed, with the specific PHI fields accessed and the access timestamps. If your logging infrastructure cannot execute this query in hours rather than days, you have a scope determination risk that will manifest during breach response.
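The following is an added illustration, not code from the article or any product: a minimal PHI access-log schema with the fields listed above, loaded into an in-memory SQLite database with constructed sample events, and the scope determination query run against it. The table name, column names, sample identities and IPs are all assumptions made for the example.

```python
import sqlite3

# Assumed log schema: one row per (accessor, patient, PHI field) access event.
SCHEMA = """
CREATE TABLE phi_access (
    ts          TEXT NOT NULL,   -- ISO-8601 UTC timestamp (sorts lexicographically)
    accessor_id TEXT NOT NULL,   -- authenticated identity
    source_ip   TEXT NOT NULL,
    patient_id  TEXT NOT NULL,
    phi_field   TEXT NOT NULL,   -- e.g. 'diagnosis', 'ssn'
    method      TEXT NOT NULL,   -- API endpoint / application function
    purpose     TEXT NOT NULL    -- treatment, payment, operations, ...
);
"""

# Constructed sample events; not real data.
SAMPLE_ROWS = [
    ("2026-03-01T09:00:00Z", "nurse-17",   "10.0.5.12",    "P-1001", "diagnosis",   "GET /patients/{id}", "treatment"),
    ("2026-03-01T09:01:00Z", "nurse-17",   "10.0.5.12",    "P-1001", "medications", "GET /patients/{id}", "treatment"),
    ("2026-03-02T23:10:00Z", "svc-report", "198.51.100.7", "P-1002", "ssn",         "GET /export",        "unknown"),
    ("2026-03-02T23:11:00Z", "svc-report", "198.51.100.7", "P-1003", "ssn",         "GET /export",        "unknown"),
    ("2026-03-02T23:11:30Z", "svc-report", "198.51.100.7", "P-1003", "diagnosis",   "GET /export",        "unknown"),
    ("2026-03-05T08:00:00Z", "svc-report", "10.0.5.40",    "P-1004", "diagnosis",   "GET /patients/{id}", "operations"),
]

def load_sample_log():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO phi_access VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def breach_scope(conn, start, end, accessor_ids=(), source_ips=()):
    """Return {patient_id: [(phi_field, ts), ...]} for every PHI access in
    [start, end] made by a compromised identity OR from a compromised IP."""
    if not accessor_ids and not source_ips:
        raise ValueError("need at least one compromised identity or IP")
    clauses, params = [], [start, end]
    if accessor_ids:
        clauses.append("accessor_id IN (%s)" % ",".join("?" * len(accessor_ids)))
        params.extend(accessor_ids)
    if source_ips:
        clauses.append("source_ip IN (%s)" % ",".join("?" * len(source_ips)))
        params.extend(source_ips)
    sql = ("SELECT patient_id, phi_field, ts FROM phi_access "
           "WHERE ts BETWEEN ? AND ? AND (" + " OR ".join(clauses) + ") "
           "ORDER BY patient_id, ts")
    scope = {}
    for pid, field, ts in conn.execute(sql, params):
        scope.setdefault(pid, []).append((field, ts))
    return scope
```

Note that widening the window or adding the compromised identity's later internal-IP activity changes the affected set, which is exactly the question OCR expects you to be able to answer quickly.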

Notification Workflow Automation

  • Maintain a current patient notification address database — HIPAA requires notification by first-class mail to the individual's last known address; for healthcare organisations with millions of patients, this requires integration with your EHR's patient demographics
  • Pre-draft notification templates meeting the § 164.404(b) content requirements: description of the breach, types of information involved, steps individuals should take, steps you are taking, contact information for questions
  • Build the HHS OCR notification form (available at hhs.gov/hipaa/for-professionals/breach-notification) into your incident response workflow — HHS notification for breaches affecting fewer than 500 individuals is due within 60 days of year end, not 60 days of discovery
  • For breaches affecting 500+ individuals in a state: automate media outlet identification and notification — OCR expects notification to "prominent media outlets" serving the affected state
  • Configure SIEM alerting to trigger the breach response workflow on detection of anomalous PHI access patterns — access velocity anomalies, bulk PHI extraction, access from anomalous geolocations
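As an added example of the access-velocity detection the last bullet describes (not the article's own code or any vendor's SIEM rule): a sliding-window detector that flags an identity touching more than a threshold number of distinct patient records within a short window. The window size, threshold and sample events are assumptions for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed events (ts, accessor_id, patient_id); not real data.
EVENTS = [
    ("2026-03-02T09:00:00Z", "nurse-17",   "P-1001"),
    ("2026-03-02T09:02:00Z", "nurse-17",   "P-1001"),
    ("2026-03-02T09:30:00Z", "nurse-17",   "P-1007"),
    ("2026-03-02T10:15:00Z", "nurse-17",   "P-1008"),
    ("2026-03-02T10:16:00Z", "nurse-17",   "P-1009"),
    ("2026-03-02T23:10:00Z", "svc-report", "P-1002"),
    ("2026-03-02T23:10:20Z", "svc-report", "P-1003"),
    ("2026-03-02T23:10:40Z", "svc-report", "P-1004"),
    ("2026-03-02T23:11:00Z", "svc-report", "P-1005"),  # 4th distinct patient in 1 minute
    ("2026-03-02T23:11:20Z", "svc-report", "P-1006"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_bulk_access(events, window=timedelta(minutes=5), max_distinct_patients=3):
    """Return one alert (accessor_id, ts, distinct_count) per accessor, at the
    first event where the number of distinct patients accessed within the
    trailing `window` exceeds `max_distinct_patients`. Assumed thresholds."""
    recent = {}      # accessor_id -> deque of (datetime, patient_id)
    alerted = set()
    alerts = []
    for ts_s, who, pid in sorted(events):   # ISO timestamps sort chronologically
        ts = parse_ts(ts_s)
        q = recent.setdefault(who, deque())
        q.append((ts, pid))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_distinct_patients and who not in alerted:
            alerted.add(who)
            alerts.append((who, ts_s, len(distinct)))
    return alerts
```

The alert carries the accessor and the timestamp at which the threshold was crossed, which is the discovery time your 60-day clock should be anchored to.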