Breach analysis · Patient Protect
Breach notification timing and contingency planning: what the HIPAA clock demands before you're ready to talk
When ransomware silences phone systems across a health center, the 60-day HIPAA notification clock is already running — here's what contingency planning and breach response controls must include.
The control gap
HIPAA's Breach Notification Rule starts a 60-day countdown the moment a covered entity discovers a breach — not the moment it finishes investigating, not the moment it issues a public statement, and not the moment it confirms the attack vector. For organizations experiencing ransomware-driven infrastructure failures, that clock begins running while systems are still down, staff are still improvising on paper, and leadership is still assessing scope. The Cherry Health situation — a Michigan federally qualified health center where widespread phone and infrastructure outages stretched into multiple days without a public characterization of the cause — illustrates precisely how the gap between operational response and regulatory obligation opens the moment an incident begins.
The same incident that consumes every IT and clinical hour is simultaneously generating a compliance deadline. Organizations without a pre-built notification protocol — one that defines who declares the discovery date, who drafts the HHS filing, and what can be said publicly while the investigation is still open — face compounded regulatory exposure on top of operational disruption.
The HIPAA Security Rule provision in play
Two regulatory frameworks are simultaneously triggered in incidents of this type:
- §164.308(a)(7) — Contingency Plan: Requires covered entities to establish data backup, disaster recovery, and emergency mode operation procedures, including documented and tested recovery plans. Infrastructure-wide outages are exactly the scenario this provision is designed to address.
- §164.404 and §164.408 — Breach Notification Rule: Requires notification to affected individuals within 60 days of discovery and notification to HHS "without unreasonable delay." Vague public language about "technology issues" does not satisfy — and may complicate — these obligations if a breach of ePHI has occurred.
How Patient Protect addresses this
- Security Risk Assessment (SRA): Patient Protect's SRA surfaces gaps in contingency planning and incident response before an event occurs, creating the documented risk analysis that OCR reviews first in any enforcement inquiry.
- Autonomous Compliance Engine: Continuously recalculates your compliance posture as conditions change, flagging contingency plan deficiencies rather than waiting for an annual review cycle.
- Policy Generation: Produces written breach notification procedures — including discovery-date determination, notification drafting, and HHS filing workflows — so the protocol exists before the incident does.
- Workforce Management and Office Training (80+ modules): Ensures staff understand their role in an incident response scenario, including what can and cannot be communicated externally during an active investigation.
- Event Log: Maintains an audit-ready record of incident response actions, supporting the good-faith demonstration OCR evaluates when reviewing notification timeliness.
Practical next steps
- Define your discovery date now, in writing. Your breach notification policy must specify who has authority to declare that a breach has been "discovered" — this determination starts the 60-day clock and cannot be revisited retroactively.
- Separate "we're operationally open" from "no breach occurred." Draft two template communications: one for operational continuity and one for data-security status. They are different documents answering different questions.
- Verify your backups cannot be reached from your primary network. Backups on the same network segment as production systems are routinely encrypted alongside them in ransomware events.
- Name a legal contact in your incident response plan today. Decisions about public disclosure during an active incident carry regulatory and liability consequences that require counsel from hour one.
- Schedule a tabletop exercise for your breach response scenario. Organizations that have rehearsed the notification workflow — including the HHS filing — execute it faster and with fewer compliance errors under pressure.
Try Patient Protect
- Start a free trial at hipaa-port.com → https://hipaa-port.com
- Run a free Security Risk Assessment at patient-protect.com/risk-assessment → https://patient-protect.com/risk-assessment
This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article. First reported in HIPAA Pulse → https://hipaapulse.com/cherry-health-silent-on-ransomware-as-technology-disruptions-stretch-into-multiple-days-e1d6d69f
