Back to News

A Breach Starts a Clock You Cannot Pause

The moment a breach is discovered, HIPAA puts you on a deadline, whether or not you are ready. Here is the path a practice walks afterward, and why the work is so much easier to do before any of it begins.

1
Hour 0
Discovery
A device, an account, or a vendor is found compromised. The 60-day notification clock starts now.
2
Days 1–7
Contain & investigate
Lock it down and bring in forensics to learn what was reached and how many records are involved.
3
Within 60 days
Notify patients
Every affected individual must be notified in writing, without unreasonable delay.
4
Within 60 days
Notify HHS & the media
500 or more affected means HHS and the media are notified now. Fewer goes in an annual log.
5
Months to years
OCR review
An investigation by the Office for Civil Rights, the agency that enforces HIPAA, often with a corrective action plan.

That is the official path. What the timeline does not show is the cost running underneath every step of it.

Through every step above, the meter is running. The HIPAA fine, if there is one, is usually the smallest line on the bill. You are also paying for:

  • ForensicsFinding out what happened
  • Legal counselGuidance through every step
  • Patient notificationLetters and credit monitoring
  • Lost patientsFamilies who quietly leave
  • DowntimeDays you cannot fully operate
  • Corrective action planYears of federal oversight

Why the clock is the problem

A deadline is hard enough when you are prepared. After a breach you are anything but. You are trying to understand what happened, reassure your staff, keep the practice running, and meet a federal notification schedule all at once. Every decision is made under pressure, and pressure is expensive.

Almost none of this is about bad luck. It is about whether the basics were in place before the alarm went off. A practice that already has unique logins, multi-factor authentication, audit logs, encryption, tested backups, and a current risk assessment has a much shorter, much cheaper path through this timeline. In many cases it never reaches step one at all.

The cheapest day to fix this is before day one

A HIPAA risk assessment is the unglamorous work that keeps you off this timeline. It walks your actual setup, names the gaps in plain language, and tells you which to close first. None of it is heroic. It is just done before, instead of after.

A straight answer, not a guess

Get ahead of the clock.

Talk to our team about a HIPAA risk assessment. We will find the gaps while you still have time.

Let's connect Request a callback

Timeframes summarize the HIPAA Breach Notification Rule, 45 CFR 164.400–414. Average healthcare breach cost $7.42M per the IBM Cost of a Data Breach Report 2025. For general information only, not legal advice.