A Monday email from your billing service: "We've identified suspicious activity in our environment and are investigating." That is it. No date. No specifics. No timeline. You run a two-clinician practice. You have nine patients on today's calendar. You read it twice, file it under "deal with this later," and open your first chart.
Three weeks later a second email arrives with a phrase the first one did not have: "may have been accessed." You write back asking what data and which dates. They reply that the investigation is ongoing.
Six months later you get a letter, addressed to one of your patients, returned to sender because the address is stale. Inside, the billing service is offering credit monitoring and referencing a breach from last spring. You are reading this in December.
Here is the question that letter should have made you ask in month one, not month six: when did my sixty-day notification clock start? And does anyone in my practice know the answer?
The news, in two minutes
Two breaches put that question in the headlines this week. DentaQuest, the largest Medicaid and CHIP dental benefits administrator in the country, had roughly 2.6 million records exposed by an extortion group, drawn mostly from insurance enrollment files. And Sandhills Medical Foundation, a small South Carolina health center, had the data of 169,000 patients dumped on a leak site on June 15, more than a year after it detected the intrusion on May 8, 2025. One is a giant vendor most practices never think about. The other is an independent clinic that missed the sixty-day window by eleven months. Different scale, same rule.
The rule is the clock.
Your own clock: it starts at discovery, not at the forensic report
The HIPAA Breach Notification Rule lives at 45 CFR Part 164 Subpart D. For your own breaches, the timing rule is at 45 CFR § 164.404(b): you must notify affected patients "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach."
The word that trips up small practices is "discovery." It is defined at 45 CFR § 164.404(a)(2) as the first day the breach is known to you, or would have been known by exercising reasonable diligence. In plain terms: the clock starts the day someone in your office first realizes something is wrong. Not the day the forensic firm finishes its report. Not the day your attorney approves the letter. Not the day you confirm exactly which records were taken. The investigation runs alongside the clock, not before it.
For a solo or two-person practice, the moment of discovery is messy and easy to misremember. A patient says they cannot log into the portal. Your EHR vendor is slow to call back. Someone says "let's wait and see." Three days later it is obvious something happened. When the dust settles and you reconstruct the timeline, the honest answer to "when did we first notice" is often earlier than you would like, and the calendar may already be against you. Sandhills is that story at scale: detection on day one, patient letters eleven months later, sixty days long gone.
The fix costs nothing and takes one sentence: write down the date and time of the first observation that turns out to be a breach, as it happens. The retrospective reconstruction is what gets practices in trouble.
The vendor's clock: stacked, parallel, and easy to miss
DentaQuest is the other half of the problem, and it is the half most small practices get wrong. A vendor that touches your patient data is a business associate. When a business associate has a breach, 45 CFR § 164.410(b) gives it up to 60 days to notify you. Then your own 60-day clock starts under § 164.404(a)(2), running from when you receive that notice, or from when you reasonably should have known, whichever comes first.
That "whichever comes first" is the catch. If you learn your billing service was breached from a news story or a LinkedIn post before the formal letter reaches you, your clock may already be running. You do not get to wait for the certified letter. For a practice that leans on a handful of vendors, an EHR, a billing service, a scheduling tool, maybe an AI scribe, this is the realistic way a breach reaches you: sideways, through the news, weeks before any paperwork.
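The two clocks described above (your own under § 164.404 and the business associate's under § 164.410) are easy to state and easy to get wrong once three emails, a news story and a forensic report are all in play. The script below is an added illustration, not part of this newsletter or any product it mentions: it keeps the timestamped log the text recommends, takes discovery as the earliest entry (the conservative reading the text argues for, treating a news story seen before the vendor's letter as "reasonably should have known"), and computes the 60-calendar-day deadline. The Sandhills dates come from the text; the two-clinician vignette dates are constructed for the example, since the newsletter gives none.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# 45 CFR 164.404(b) and 164.410(b): notice no later than 60 calendar days after discovery.
NOTIFICATION_WINDOW_DAYS = 60


@dataclass(frozen=True)
class Observation:
    """One timestamped line in the practice's breach log."""
    when: date
    source: str  # "internal", "vendor_notice" or "public_report"
    note: str


def discovery_date(log):
    """Discovery is the first day the breach was known or, with reasonable
    diligence, would have been known. Conservative rule: the earliest logged
    observation of any kind starts the clock, including a news report that
    arrives before the vendor's formal letter ("whichever comes first")."""
    if not log:
        raise ValueError("no observations logged")
    return min(obs.when for obs in log)


def notification_deadline(discovered):
    """Outer limit for patient notice; 'without unreasonable delay' may be sooner."""
    return discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)


def clock_status(log, today):
    """Where the practice stands on its own 164.404 clock as of `today`."""
    discovered = discovery_date(log)
    deadline = notification_deadline(discovered)
    days_left = (deadline - today).days
    return {"discovery": discovered, "deadline": deadline,
            "days_left": days_left, "overdue": days_left < 0}


def vendor_notice_was_late(vendor_discovered, notice_received):
    """164.410(b): the business associate must notify the covered entity within
    60 calendar days of the vendor's own discovery."""
    return notice_received > notification_deadline(vendor_discovered)


# Dates from the text: Sandhills detected the intrusion on May 8, 2025; the data
# appeared on a leak site on June 15 of the following year.
SANDHILLS_LOG = [Observation(date(2025, 5, 8), "internal", "intrusion detected")]

# Constructed vignette dates (not from the text): a vague vendor email on a Monday,
# a second email three weeks later, then a news story about the same vendor.
VIGNETTE_LOG = [
    Observation(date(2026, 3, 2), "vendor_notice", "'suspicious activity' email, no details"),
    Observation(date(2026, 3, 23), "vendor_notice", "'may have been accessed' email"),
]

# Constructed: the breach reaches the practice sideways, via the news, before any letter.
SIDEWAYS_LOG = [
    Observation(date(2026, 4, 1), "vendor_notice", "formal breach letter received"),
    Observation(date(2026, 3, 10), "public_report", "news story names our billing vendor"),
]


if __name__ == "__main__":
    for name, log, today in [("Sandhills", SANDHILLS_LOG, date(2026, 6, 15)),
                             ("Vignette", VIGNETTE_LOG, date(2026, 3, 23)),
                             ("Sideways", SIDEWAYS_LOG, date(2026, 4, 1))]:
        print(name, clock_status(log, today))
```

The point of keeping the log as data rather than memory is the one the text makes: when the timeline is reconstructed months later, the honest discovery date is usually the earliest entry, and the deadline follows from it mechanically.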
Three things for Monday's list
First, pull your breach response runbook and read the section on what starts the clock. If it points to anything other than "first observation of a possible breach," fix that line. This one sentence governs every deadline that follows.
Second, list your five most consequential vendors: the EHR, the billing service, the patient communication tool, the scheduling system, and the AI scribe if you use one. Pull each business associate agreement and find the breach notification clause. If it commits the vendor to notice "as soon as practicable but in no event later than" a specific number of days, good. If it says "within a reasonable time," that is a gap to renegotiate, and it sits on the same desk as your incident plan.
Third, before your next staff meeting, run a fifteen-minute tabletop. The scenario: a clinician says the portal "looks weird" first thing in the morning. Walk the first hour out loud. Who gets told. What gets written down, with a timestamp. Who is the designated breach-response lead. Who calls counsel. Who calls the cyber-insurance carrier. The goal is not to solve the breach. It is to decide, in advance, who makes which call, so nobody spends the first afternoon of a real incident inventing the process.
The notification rule exists because breach response is chaotic by nature. The rule does not care about the chaos. The clock starts whether your office is ready or not. The practices that come through it cleanly are the ones that decided, on an ordinary week like this one, exactly when their clock starts and who is watching it.
Find the clause before you need it
Know exactly when your clock starts, before it starts.
The Vault includes the Breach Response Runbook (24-Hour / 14-Day / 60-Day Timeline) and the BAA Demand and Vendor Audit Letter for tightening notification windows with your vendors. National edition $299. New York edition $349 (adds SHIELD Act and state-specific addenda).
With security,
Brad
Brad Lieberman, JD (retired), MSN, PMHNP-BC
Founder, The Encrypted Chart
Footnotes
HIPAA Journal, "Hacking Group Claims Responsibility for Multi-Million-Record DentaQuest Data Breach," June 2026. hipaajournal.com
HIPAA Journal, "Sandhills Medical Foundation Ransomware Attack Affects 169,000 Patients." hipaajournal.com
45 CFR § 164.404 (Notification to individuals). ecfr.gov
45 CFR § 164.410 (Notification by a business associate). ecfr.gov
SecurityWeek, "Sandhills Medical Says Ransomware Breach Affects 170,000." securityweek.com