Patient Notification of Breach
Description
Notify affected individuals of a breach of unsecured PHI within 60 days of discovery.
⚠️ Risk Impact
60-day patient-notification clock starts at discovery. Internal investigation that extends past 60 days is a separate violation, regardless of breach scope.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
Document discovery date. Internal investigation must complete + notification dispatched within 60 days. Pre-built notification template. Authority to dispatch documented.
💀 Real-World Attack Scenario
A health system discovered a breach on Day 1; conducted internal investigation for 75 days before notifying patients. HHS treated this as a separate violation (untimely notification); $400K + corrective action on top of underlying breach.
💰 Cost of Non-Compliance
Untimely notification: $100K-$1.5M per violation category.
📋 Audit Questions
- 1.Discovery date tracked?
- 2.60-day countdown enforced?
- 3.Notification authority documented?
- 4.Pre-built templates per breach scope?
⚡ Common Pitfalls
- ⛔Investigation extends past 60 days without filing
- ⛔Authority to notify centralized — bottleneck during weekends/holidays
- ⛔Notification template missing required elements
📈 Business Value
Timely notification prevents the double-penalty of breach + notification delay.
⏱️ Effort Estimate
Per-incident notification + tracking
EchelonGraph integrates IR runbook with 60-day notification tracking
🔗 Cross-Framework References
Automate HIPAA 164.404 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.
Start Free →