The HIPAA Breach Notification Rule requires covered entities to notify HHS and affected individuals within 60 calendar days of discovering a breach of unsecured PHI. For MSPs, the clock starts when your client (the covered entity) becomes aware of the breach — which is typically when you tell them. This means your incident response process must be fast enough to investigate, contain, and document before the client's 60-day notification window starts to run.
Not every security incident is a HIPAA breach. HIPAA defines a breach as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. You must presume a breach has occurred unless you can demonstrate, through a four-factor risk assessment, that the probability of PHI compromise is low. The four factors are: the nature and extent of the PHI involved, who made the unauthorized access, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
Day-0 incident actions for HIPAA-covered clients: isolate the affected system immediately, preserve forensic evidence (do not wipe or reimage before you document), identify the PHI potentially involved, notify your client's designated HIPAA privacy officer within 24 hours, and open a formal incident record in your PSA with timestamps on every action.
The investigation phase must produce a written risk assessment that either documents a breach finding or documents your basis for concluding that a breach did not occur. Shortcuts here are expensive — HHS OCR audits frequently focus on the adequacy of post-incident documentation rather than the incident itself. If the documentation is thin, the presumption of breach stands even if the actual risk was low.
Notification requirements differ by breach size. For breaches affecting fewer than 500 people in a state, individual notifications must be sent within 60 days, and HHS notification is required annually. Breaches affecting 500 or more individuals in a state require notification to prominent media outlets in addition to HHS and individual notification — all within 60 days. Business Associate breach notification to the covered entity must happen 'without unreasonable delay' and no later than 60 days after discovery.
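The four-factor assessment, the timestamped incident record, and the size-dependent deadlines above are the parts of this process an MSP can encode so that nothing is left to memory during an incident. The following is an added example written for this article, not code from the original page or from any PSA vendor. It assumes the 60-calendar-day window and the 500-individual threshold stated above, assumes the 24-hour privacy-officer notice from the Day-0 list, and assumes the annual HHS filing for sub-500 breaches is due 60 days after the end of the calendar year of discovery; the dataclass names and the sample incident are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Figures taken from the article; the year-end offset is an assumption.
NOTIFICATION_WINDOW_DAYS = 60       # calendar days after discovery
MEDIA_NOTICE_THRESHOLD = 500        # individuals in a state
PRIVACY_OFFICER_NOTICE_HOURS = 24   # Day-0 client notification


@dataclass
class FourFactorAssessment:
    """Written basis for each of the four risk-assessment factors.

    A factor left as None is 'not documented'. The presumption of breach
    stands unless every factor is documented AND the assessor concluded
    that the probability of PHI compromise is low.
    """
    nature_and_extent: Optional[str] = None    # what PHI, how much
    unauthorized_person: Optional[str] = None  # who accessed it
    acquired_or_viewed: Optional[str] = None   # was it actually seen/taken
    mitigation: Optional[str] = None           # what reduced the risk
    low_probability_conclusion: bool = False   # assessor's documented conclusion

    def missing_factors(self) -> List[str]:
        """Names of factors that have no written basis."""
        return [name for name, value in vars(self).items()
                if name != "low_probability_conclusion" and not value]

    def is_breach(self) -> bool:
        """Thin documentation keeps the presumption of breach in place."""
        if self.missing_factors():
            return True
        return not self.low_probability_conclusion


@dataclass
class IncidentRecord:
    """Minimal incident record: every action carries a UTC timestamp."""
    incident_id: str                 # hypothetical PSA ticket id
    discovered_at: datetime          # when the covered entity became aware
    affected_individuals: int
    actions: List[Tuple[str, str]] = field(default_factory=list)

    def log_action(self, action: str, when: Optional[datetime] = None) -> None:
        when = when or datetime.now(timezone.utc)
        self.actions.append((when.isoformat(), action))

    def privacy_officer_deadline(self) -> datetime:
        """Day-0 requirement: client privacy officer notified within 24 hours."""
        return self.discovered_at + timedelta(hours=PRIVACY_OFFICER_NOTICE_HOURS)


def notification_deadlines(discovered_on: date, affected: int) -> Dict[str, date]:
    """Map each required notification to its due date for this breach size.

    Individual, BA-to-covered-entity and (at or above the threshold) HHS and
    media notices are all due 60 calendar days after discovery. Below the
    threshold, HHS is notified annually; assumed here as 60 days after the
    end of the calendar year in which the breach was discovered.
    """
    outer = discovered_on + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    deadlines = {
        "business_associate_to_covered_entity": outer,
        "individuals": outer,
    }
    if affected >= MEDIA_NOTICE_THRESHOLD:
        deadlines["hhs"] = outer
        deadlines["media"] = outer
    else:
        year_end = date(discovered_on.year, 12, 31)
        deadlines["hhs"] = year_end + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    return deadlines


def sample_incident() -> IncidentRecord:
    """Constructed sample: a single misdirected export, 120 individuals."""
    discovered = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    rec = IncidentRecord("INC-EXAMPLE-0001", discovered, 120)
    rec.log_action("isolated affected file server", discovered)
    rec.log_action("forensic image taken before any reimage",
                   discovered + timedelta(hours=2))
    rec.log_action("client privacy officer notified",
                   discovered + timedelta(hours=5))
    return rec


if __name__ == "__main__":
    rec = sample_incident()
    print(rec.incident_id, "privacy officer due by", rec.privacy_officer_deadline())
    for name, due in notification_deadlines(rec.discovered_at.date(),
                                            rec.affected_individuals).items():
        print(f"  {name}: {due}")
    partial = FourFactorAssessment(nature_and_extent="names and DOB only",
                                   unauthorized_person="internal staff",
                                   low_probability_conclusion=True)
    print("breach presumed:", partial.is_breach(), "missing:", partial.missing_factors())
```

The point of `is_breach` is the one the article makes about documentation: a low-risk conclusion without a written basis for all four factors still leaves the presumption of breach standing, so the record itself enforces that the assessment is complete before anyone relies on it.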
The most important thing you can do before an incident happens is run a tabletop exercise with each healthcare client once per year. Walk through a ransomware scenario, identify who calls whom in the first 4 hours, confirm that the BAA includes breach notification provisions, and verify that you have the client's legal counsel contact in your documentation. The tabletop takes 90 minutes and materially improves the response when something real happens.