HIPAA Breach Notification Deadline Calculator

Know your breach notification deadlines to the day.

Enter the date the breach was discovered and how many people are affected. The calculator gives you the exact deadline to notify individuals, the HHS Secretary, and, when it applies, the media, with the rule behind each date and a live countdown. Free, private, and no account required.

60: days in the federal outer limit
500: the affected-individual threshold that changes the rules
0: data that leaves your browser

The calculator

Get every deadline from one date

Pick your role, enter the discovery date, and set the number of individuals affected. The deadlines update instantly, switch at the 500 threshold, and show how many days you have left for each notice.
1. Who are you in this breach?

Your role decides who you must notify. A covered entity notifies individuals, HHS, and sometimes the media. A business associate notifies the covered entity it works for.

2. When was the breach discovered?

The clock starts on the day the breach is discovered, or the day you would have known with reasonable diligence, not the day it actually happened.

3. How many individuals are affected?

The threshold of 500 individuals changes both the HHS deadline and whether you must notify the media. Use your best confirmed count.


500 or more affected: this is a large breach. HHS notice runs on the 60-day clock, media notice does too wherever 500 or more residents of a single State or jurisdiction are affected, and the breach is posted publicly on the HHS breach portal.

Deadlines are the federal outer limits in the HIPAA Breach Notification Rule at 45 CFR 164.404, 164.406, 164.408, and 164.410. Many state laws impose shorter notice windows and their own thresholds, and a low-probability-of-compromise risk assessment under 45 CFR 164.402 may show an incident is not a reportable breach at all. This tool is educational, does not account for state law, and is not legal advice. Confirm your obligations with counsel.

What it shows

Six things this breach deadline tool makes clear

The calculator is built from the actual timing rules in the HIPAA Breach Notification Rule, so it gives you not just a date but which rule sets it and why it applies to your situation.

Discovery clock

When the 60 days actually start

The clock starts the day a breach is discovered, or the day you would have known with reasonable diligence, not the day the incident happened. The tool dates every deadline from there.

Individual notice

Your deadline to notify patients

Written notice to affected individuals is due without unreasonable delay and no later than 60 calendar days after discovery under 45 CFR 164.404. The tool gives you the exact date.

The 500 threshold

How the count changes everything

At 500 or more affected, HHS notice runs on the 60-day clock, media notice runs on the same clock in any State or jurisdiction where 500 or more residents are affected, and the breach is posted publicly. Below 500, the breach can be reported to HHS through the annual log. The tool switches automatically.

HHS reporting

Two different HHS deadlines

Breaches affecting 500 or more individuals go to the HHS Secretary within 60 days of discovery, at the same time as the individual notice. Smaller breaches go on a log submitted within 60 days after the end of the calendar year in which they were discovered. The tool shows the one that applies to you.

Business associates

Your duty to the covered entity

A business associate notifies the covered entity it works for, no later than 60 days after discovery under 45 CFR 164.410. The tool covers both sides of that relationship.

Days remaining

A live countdown to each date

Every deadline shows how many days are left from today, and flags any that are within two weeks or already past, so you can triage which notice stream is most urgent.

The full picture

How the HIPAA breach notification timeline actually works

A plain-English guide to when the clock starts, the three notices a covered entity may owe, the 500-individual threshold that changes everything, the separate duty business associates carry, and the risk assessment that decides whether the clock runs at all.

When the clock starts: the day of discovery

Every deadline in the HIPAA Breach Notification Rule runs from one moment: the day the breach is discovered. The rule, at 45 CFR 164.404(a)(2), defines that day precisely. A breach is treated as discovered on the first day it is known to the organization, or the first day it would have been known by exercising reasonable diligence. Just as important, the breach is treated as known to the organization if any workforce member or agent, other than the person who caused the breach, knew or reasonably should have known about it. In other words, the clock does not politely wait until the news climbs the org chart to the privacy officer. If a help-desk technician saw the alert in March, the organization discovered the breach in March, even if leadership only heard about it in May.

This is why the discovery date, and not the incident date, is the input that drives this calculator. An attacker may have been inside a system for months before anyone noticed, but the 60-day clock does not start at intrusion. It starts at detection, real or constructive. The practical takeaway is that the speed of your monitoring and the clarity of your internal escalation directly shorten or lengthen the time you actually have. An organization with fast detection and a clear path to the privacy officer keeps most of its 60 days. An organization where incidents sit unreported in a junior queue can burn weeks of its window before anyone with notification responsibility even learns the breach exists.

Notice to individuals: the core 60-day deadline

The central obligation, and the one the calculator surfaces first, is notice to the affected individuals. Under 45 CFR 164.404(b), a covered entity must notify each individual whose unsecured protected health information was, or is reasonably believed to have been, involved in the breach. The deadline is without unreasonable delay and in no case later than 60 calendar days after discovery. Notice normally goes by first-class mail to the individual's last known address, or by email if the individual previously agreed to electronic notice. When you lack current contact information for ten or more individuals, the rule requires substitute notice, such as a conspicuous posting on your website for 90 days or notice in major print or broadcast media in the area.

The content of the notice is prescribed, not freeform. It must describe what happened and the date of the breach and its discovery, the types of information involved, the steps individuals should take to protect themselves, what the organization is doing to investigate and mitigate and prevent recurrence, and how to ask questions, including a toll-free number, email, website, or postal address. Writing that letter well takes time, legal review, and coordination with whatever credit monitoring or remediation you offer, which is one more reason the 60 days fills up faster than teams expect. The calculator dates the outer limit so you can work backward to when drafting and approval actually need to start.

The 500 threshold: where the rules change

The single most important number in breach notification, after the 60 days, is 500. The number of individuals affected decides which HHS deadline applies and whether you must involve the media, which is why the calculator asks for it and switches behavior at that line. Below 500, your obligations to HHS are lighter and there is no media notice. At 500 or above, two additional clocks start running alongside the individual-notice clock, and the breach becomes a public event.

It is worth being precise about how the threshold is counted, because it appears in two different rules with slightly different geography. For HHS reporting, the 500 is a national count: 500 or more individuals affected anywhere. For media notice, the 500 is counted per State or jurisdiction: you owe media notice only if 500 or more residents of a single State or jurisdiction are affected. A breach affecting 800 people spread thinly across many states would cross the HHS large-breach threshold but might not trigger media notice in any one state. The calculator treats the affected count as the trigger for the large-breach path; confirm the per-state distribution before deciding on media notice in a multi-state event.

Notice to HHS: two very different deadlines

Reporting to the Secretary of Health and Human Services, handled through the Office for Civil Rights breach portal, runs on one of two timelines depending entirely on that 500 threshold. For a breach affecting 500 or more individuals, 45 CFR 164.408(b) requires you to notify the Secretary contemporaneously with the notice to individuals and in no case later than 60 days after discovery. In practice organizations file the HHS report at the same time they send patient letters. These large breaches are then posted on the public HHS breach portal, the list often called the wall of shame, where they remain visible to patients, journalists, and competitors.

For breaches affecting fewer than 500 individuals, 45 CFR 164.408(c) takes a different approach. You are not required to report each small breach to HHS within 60 days. Instead you may maintain a log of all breaches discovered during the calendar year and submit that log to the Secretary no later than 60 days after the end of the calendar year, which lands around the start of March of the following year. The calculator computes that year-end-plus-60 date for you when the affected count is below 500. The catch many teams miss is that the relaxed HHS timeline applies only to the HHS report. Individual notice for a small breach still runs on the same 60-day clock as a large one, and you should record each small breach in your log when it happens rather than scrambling to reconstruct a year of incidents the following February.

Notice to the media: the public step teams forget

The third notice, media notification under 45 CFR 164.406, applies only to large breaches and only at the state level. If a breach affects 500 or more residents of a single State or jurisdiction, the covered entity must notify prominent media outlets serving that area, without unreasonable delay and no later than 60 days after discovery. In practice this is usually satisfied with a press release to major outlets in the affected region. It is not a paid advertisement and it is not the same thing as the substitute notice that applies when you cannot reach individuals; it is a distinct obligation that exists so that affected people who do not receive a letter still have a reasonable chance of learning about the breach.

Teams forget media notice because it feels counterintuitive to publicize a breach, and because most breaches never reach the threshold. But when a breach does cross 500 in a single state, skipping the media step is a standalone violation even if every individual letter went out on time. The calculator surfaces media notice on the large-breach path so it is on your checklist from day one rather than discovered late, when a missed press release has already become part of the enforcement story.

Business associates: a separate clock, usually a faster one

If you are a business associate rather than a covered entity, your obligation is different and the calculator reflects it. Under 45 CFR 164.410, a business associate that discovers a breach of unsecured protected health information must notify the covered entity, without unreasonable delay and no later than 60 days after discovery. The notice must identify each individual whose information was or is believed to have been involved, to the extent possible, and provide the other information the covered entity needs to make its own notifications. The business associate generally does not notify patients, HHS, or the media directly; it hands the covered entity what it needs to do so.

The federal outer limit is 60 days, but the contract almost always shortens it. Because the covered entity has to fit its own full 60-day cycle inside the time the business associate gives it, a well-written business associate agreement typically requires the vendor to report a breach within a handful of days, sometimes as few as five or ten. When the agreement is stricter than the rule, the agreement controls, and missing the contractual deadline is both a breach of contract and evidence of noncompliance. If you are a business associate, read your agreements before an incident, because the date that actually binds you is usually not the 60 the rule allows. If you are a covered entity relying on vendors, set those windows deliberately when you build the agreement.

Before any clock runs: is it even a reportable breach?

One step logically comes before every deadline in this calculator: deciding whether the incident is a reportable breach at all. Not every impermissible use or disclosure of PHI triggers notification. Under 45 CFR 164.402, an impermissible use or disclosure is presumed to be a breach unless the organization demonstrates a low probability that the PHI was compromised, based on a four-factor risk assessment. The four factors are the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.

There are also defined exceptions, such as certain good-faith, unintentional access by a workforce member acting within their role, and disclosures to another person at the same organization who is also authorized to access PHI, where the information is not further used or disclosed improperly. And the rule applies only to unsecured PHI: data encrypted to the standards HHS specifies, so that it is rendered unusable, unreadable, or indecipherable, is not unsecured, so the loss of a properly encrypted laptop is generally not a reportable breach, provided the decryption key was not compromised along with the device. The discipline that protects you is to document the risk assessment for every incident, including the ones you conclude are not reportable. Whether you notify or not, you want a contemporaneous record showing who reviewed the facts, which factors they weighed, and why they reached their conclusion, because that file is your defense if a regulator later asks why you did or did not send notice.

Turning the deadlines into a plan

The reason to date these obligations precisely is that breach response fails on coordination far more often than on knowledge of the rule. The deadlines are not the hard part; running several notice streams at once, under time pressure, with legal review and executive sign-off in the loop, is. Use the calculator the moment an incident is confirmed: enter the discovery date, set the affected count, and you immediately know which notices you owe and the latest date each is due. Then work backward. If individual letters are due in 60 days, drafting and legal review need to start in week one, not week eight. If HHS and media notice are in play, assign an owner to each before the first draft exists.

A quick worked example shows why the dates matter. Say a clinic discovers on March 1 that a vendor exposed records for 1,200 patients, all residents of a single state. The calculator dates individual notice, HHS notice, and media notice all to April 30, the 60th day after discovery. That looks comfortable until you map the real work: a forensic confirmation of scope, an executive briefing, legal review of the letter, a vendor for printing and mailing, a call center stood up for questions, and a press release cleared by communications. Run in parallel from day one, that fits. Started in mid-April, it does not, and a date that was fixed from the start becomes a missed obligation.
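The date arithmetic the page describes is simple enough to write down, and doing so makes the edge cases visible: the clock runs from the earliest date anyone in the workforce knew, the annual log lands on March 1 or February 29 depending on the leap year, media notice is a per-State count rather than a national one, and a business associate agreement can shorten the 60 days. The block below is an added example in Python, not the page's own calculator code. The role strings, the `media:<STATE>` deadline labels, the `baa_notice_days` parameter, the `affected_by_state` breakdown and the 14-day "urgent" flag are this example's own assumptions; the deadlines themselves are the federal outer limits the page cites, with state law ignored.

```python
"""Added example: the deadline arithmetic behind a HIPAA breach notification calculator.

Constructed for illustration; not the page's own calculator code. Federal outer limits
only (45 CFR 164.404, 164.406, 164.408, 164.410); state law is not modelled.
"""
from dataclasses import dataclass
from datetime import date, timedelta

OUTER_LIMIT_DAYS = 60         # "in no case later than 60 calendar days after discovery"
LARGE_BREACH_THRESHOLD = 500  # switches the HHS path; per State, triggers media notice
URGENT_WINDOW_DAYS = 14       # the page's "within two weeks" flag (assumed convention)


@dataclass
class Deadline:
    notice: str      # "individuals", "hhs", "media:<STATE>", or "covered_entity"
    due: date
    rule: str
    days_left: int
    status: str      # "ok", "urgent", or "past"


def discovery_date(dates_known):
    """45 CFR 164.404(a)(2): the breach is discovered on the first day it was known, or
    should have been known, to any workforce member or agent other than the person who
    caused it. The clock runs from the earliest such date, not the day leadership heard."""
    return min(dates_known)


def annual_log_deadline(discovered):
    """45 CFR 164.408(c): breaches under 500 go on a log due 60 days after the end of the
    calendar year of discovery (March 1, or February 29 when the following year is a leap year)."""
    return date(discovered.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)


def _deadline(notice, due, rule, today):
    """Attach the live countdown and the past / urgent / ok flag to one due date."""
    days_left = (due - today).days
    status = "past" if days_left < 0 else "urgent" if days_left <= URGENT_WINDOW_DAYS else "ok"
    return Deadline(notice, due, rule, days_left, status)


def breach_deadlines(role, discovered, affected_total, affected_by_state=None,
                     today=None, baa_notice_days=None):
    """Return the federal outer-limit deadlines for one breach.

    role:               "covered_entity" or "business_associate" (assumed labels)
    affected_by_state:  optional {"TX": 1200, ...}; media notice is counted per State
    baa_notice_days:    contractual window from the business associate agreement, if any
    """
    today = today or date.today()
    outer = discovered + timedelta(days=OUTER_LIMIT_DAYS)
    out = []

    if role == "business_associate":
        # 164.410(b) allows 60 days; a shorter BAA window controls when one exists.
        window = min(OUTER_LIMIT_DAYS, baa_notice_days or OUTER_LIMIT_DAYS)
        rule = "45 CFR 164.410(b)" + (" (shortened by BAA)" if window < OUTER_LIMIT_DAYS else "")
        out.append(_deadline("covered_entity", discovered + timedelta(days=window), rule, today))
        return out

    if role != "covered_entity":
        raise ValueError(f"unknown role {role!r}")

    out.append(_deadline("individuals", outer, "45 CFR 164.404(b)", today))

    if affected_total >= LARGE_BREACH_THRESHOLD:
        out.append(_deadline("hhs", outer, "45 CFR 164.408(b)", today))
    else:
        out.append(_deadline("hhs", annual_log_deadline(discovered),
                             "45 CFR 164.408(c) annual log", today))

    # Media notice is owed per State or jurisdiction with 500+ affected residents (164.406(a)),
    # so 800 people spread thinly across several States may trigger none.
    if affected_by_state is not None:
        for state, count in sorted(affected_by_state.items()):
            if count >= LARGE_BREACH_THRESHOLD:
                out.append(_deadline(f"media:{state}", outer, "45 CFR 164.406(b)", today))
    elif affected_total >= LARGE_BREACH_THRESHOLD:
        # No per-State breakdown yet: surface the date but flag that the count needs confirming.
        out.append(_deadline("media:confirm-per-state", outer,
                             "45 CFR 164.406(b) (confirm 500+ residents of one State)", today))
    return out


if __name__ == "__main__":
    # The page's worked example: 1,200 patients in one State, discovered March 1.
    for d in breach_deadlines("covered_entity", date(2025, 3, 1), 1200, {"TX": 1200},
                              today=date(2025, 3, 1)):
        print(f"{d.notice:26} due {d.due}  {d.days_left:>3} days left  [{d.status}]  {d.rule}")
```

Passing `today` explicitly keeps the countdown deterministic for testing; in a real tool it would default to the current date. Feed `discovery_date()` every date on which someone in the organisation saw the alert, and use its result, not the escalation date, as `discovered`.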

The most reliable way to keep these dates from becoming a crisis is to make them unnecessary in the first place. The large majority of reportable breaches trace back to ordinary, preventable failures: a lost or stolen unencrypted device, a phishing email that harvested credentials, a misdirected batch of records, or a vendor without a proper agreement. Each of those is addressed by routine compliance work and, above all, by a workforce that has been trained to recognize and escalate incidents quickly. Training both prevents the incidents that start the clock and shortens the gap between something going wrong and someone who can act finding out. Score your current posture with a risk assessment, certify everyone who touches PHI, and build the incident response plan that assigns these notice streams in advance. The deadline you never have to meet is the one you spent a little on training to avoid.

Keep going

Guides and tools for the rest of the response

Once you know the deadlines, these pages help you decide whether an incident is reportable, document the risk analysis, close the gaps that cause breaches, and train the team that has to catch them.

Breach notification FAQ

Common questions about HIPAA breach notification deadlines

Is this HIPAA breach notification calculator free?

Yes. The calculator is completely free, runs entirely in your browser, and needs no account or email. Choose your role, enter the discovery date and the number of individuals affected, and you get each federal notification deadline with the rule behind it and a live countdown. Nothing you enter leaves your device.

When does the 60-day clock actually start?

It starts on the day the breach is discovered, which the rule defines as the first day the breach is known, or by exercising reasonable diligence would have been known, to the covered entity or business associate. A breach is treated as discovered by the organization if any workforce member or agent, other than the person who committed the breach, knew or should have known about it. The clock does not wait for senior leadership to be told, so your detection and internal escalation speed matters as much as the calendar.

Is the deadline really 60 days, or sooner?

Sixty calendar days is the outer limit, not a target. The rule requires notice without unreasonable delay and in no case later than 60 days after discovery. Regulators have made clear that an organization which sat on a known breach for the full period without a legitimate reason can still be penalized for unreasonable delay. Treat 60 days as the latest acceptable date and send notice as soon as you reasonably can after you have confirmed the facts.

What changes when 500 or more individuals are affected?

Two things change. First, you must notify the HHS Secretary contemporaneously with individual notice and no later than 60 days after discovery, instead of reporting it on the annual log. Second, you must notify prominent media outlets serving the affected State or jurisdiction if 500 or more of its residents are affected. Large breaches are also posted on the public HHS breach portal, often called the wall of shame, so the reputational stakes rise sharply at this threshold.

How do I report a breach affecting fewer than 500 people?

You still must notify the affected individuals within 60 days of discovery. For HHS, smaller breaches do not have to be reported individually within 60 days. Instead you may keep a log of all such breaches discovered during the calendar year and submit it to the HHS Secretary through the OCR portal no later than 60 days after the end of that calendar year, which falls around the start of March. You should still document each one as it happens rather than reconstructing the log at year end.

What is the deadline for a business associate?

A business associate must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovering it, under 45 CFR 164.410. The notice must identify each individual affected so far as possible and provide the information the covered entity needs to make its own notifications. Many business associate agreements require notice far faster than 60 days, sometimes within a few days, because the covered entity has to fit its own 60-day clock inside that window. Always follow the shorter of the rule and your contract.

Does every security incident require notification?

No. An impermissible use or disclosure of protected health information is presumed to be a reportable breach unless you can show a low probability that the PHI was compromised, based on a four-factor risk assessment under 45 CFR 164.402. The factors are the nature and extent of the PHI involved, the unauthorized person who used it or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. There are also specific exceptions, and properly encrypted data rendered unusable, unreadable, or indecipherable is not unsecured PHI, so its loss is generally not a breach. Document the analysis either way.

What happens if we miss a notification deadline?

Missing a deadline is itself a HIPAA violation that can draw civil penalties separate from the breach, and a pattern of late or absent notice points toward the higher willful-neglect penalty tiers. Late notice also tends to make every other consequence worse, from state attorney general action to lawsuits to loss of patient trust. The most reliable protection is an incident response plan that assigns owners to each notice stream up front, combined with workforce training so incidents are caught and escalated early enough to leave room in the 60 days.

The deadline you never have to meet is the one you prevented. Start with HIPAA certification or plan a team rollout for everyone who touches PHI.

Prevention beats notification

Most breaches start with a mistake training would have stopped.

A trained workforce catches incidents earlier, escalates them faster, and avoids the everyday errors that cause most reportable breaches. Certify your whole team with an accredited course that produces dated, verifiable certificates, and shrink both the odds of a breach and the scramble when one happens.