HIPAA Breach Notification Deadline Builder

Calculate compliance deadlines and generate checklists based on the HHS Breach Notification Rule (45 CFR 164.400-414).

Enter incident details and click Calculate to view deadlines.

About the HIPAA Breach Notification Deadline Builder

Healthcare providers, business associates, and compliance officers rely on our calculator to accurately track HIPAA breach notification deadlines following a security incident. Calculate the strict 60-day maximum window for alerting affected individuals while evaluating the four-factor risk assessment. This ensures timely reporting to the HHS and media if the breach affects over 500 people, helping your organization avoid severe regulatory penalties.

How it works

  1. Input the date the breach was officially discovered by your organization.
  2. Answer the four-factor risk assessment questions to determine if a reportable breach actually occurred.
  3. Enter the number of affected individuals to determine whether media and immediate HHS notification are triggered.
  4. Review your personalized deadline timeline for individual notices, media alerts, and HHS reporting.

Frequently asked questions

When does the 60-day HIPAA breach notification clock start?

The clock begins on the date the breach is discovered, or reasonably should have been discovered, by any employee or agent of the covered entity. It does not wait for a full forensic investigation to conclude.

What is the four-factor risk assessment?

The assessment evaluates the nature of the protected health information involved, the unauthorized person who accessed it, whether it was actually acquired or viewed, and the extent to which the risk to the data has been mitigated.

How quickly must I notify the HHS if a breach affects more than 500 individuals?

For breaches involving 500 or more people, you must notify the HHS Secretary concurrently with the individual notices, which is no later than 60 days following the discovery of the breach.

What are the notification rules for breaches affecting fewer than 500 individuals?

Individual notices must still be sent within 60 days of discovery. However, reporting to the HHS can be submitted annually, no later than 60 days after the end of the calendar year in which the breach was discovered.

References