The HIPAA Breach Notification Rule (45 CFR §§164.400–414) starts a clock the moment unsecured Protected Health Information (PHI) is compromised. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. The Department of Health and Human Services (HHS) must also be notified, and for larger breaches the rule requires notifying prominent local media as well. For business associates, the duty is to alert the covered entity promptly so that entity can meet its own notification deadlines.
The single most important word in the rule is "unsecured." Properly encrypted PHI whose encryption keys were not also compromised is generally not considered unsecured, which can place an incident in a safe harbor and remove the notification obligation entirely. This is the strongest practical, business-level argument for encrypting PHI everywhere — in transit, at rest, in backups, in recordings: a stolen but properly encrypted laptop can be a non-event rather than a reportable, headline-making breach.
For a telemedicine product team, the rule should be treated as a design input, not just a legal afterthought. Your incident-response plan must be written against this 60-day clock, with clear detection, triage, and decision steps, because the timeline runs from discovery whether or not you are ready. Equally, you need the forensic ability to determine what data was actually exposed and whether it was encrypted, since that determination drives whether you must notify at all. A common pitfall is having strong encryption but weak key custody or poor logging, leaving you unable to prove the safe harbor applies — so you end up notifying out of an abundance of caution.
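A small breach-triage helper, added here as an illustration (it is not from HHS guidance or any vendor tool): for each affected asset it decides whether the encryption safe harbor can actually be demonstrated, treating "encrypted but no key-custody record" as unproven (the pitfall above) and "key also exposed" as unsecured, then computes the 60-day individual-notification deadline from discovery. The asset fields, event names and sample incident are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOTIFY_WITHIN = timedelta(days=60)  # outer limit for notifying individuals, from discovery

@dataclass(frozen=True)
class Asset:                  # hypothetical asset-inventory record
    name: str
    encrypted: bool           # PHI encrypted where it lived (disk, bucket, recording)
    key_id: Optional[str]     # protecting key, None if no custody record exists

def key_compromised(key_id, events):
    """True if the key-custody log contains an exposure event for this key."""
    return any(e["key_id"] == key_id and e["event"] == "key_exposed" for e in events)

def classify(asset, events):
    """'safe_harbor', 'unsecured', or 'unproven' (encrypted, but cannot be shown)."""
    if not asset.encrypted:
        return "unsecured"
    if asset.key_id is None:
        return "unproven"     # the custody/logging pitfall: must be treated as notifiable
    if key_compromised(asset.key_id, events):
        return "unsecured"    # keys went with the data, so no safe harbor
    return "safe_harbor"

def triage(assets, events, discovered_at):
    """Per-asset verdicts plus the individual-notification deadline, if any."""
    verdicts = {a.name: classify(a, events) for a in assets}
    must_notify = any(v != "safe_harbor" for v in verdicts.values())
    deadline = discovered_at + NOTIFY_WITHIN if must_notify else None
    return verdicts, deadline

# Constructed sample incident: a lost laptop plus a suspected leak of a cloud key.
DISCOVERED = datetime(2024, 3, 1, 9, 0)
SAMPLE_ASSETS = [
    Asset("clinician-laptop-07", encrypted=True, key_id="key-laptop-07"),
    Asset("visit-recordings-bucket", encrypted=True, key_id="key-rec-2023"),
    Asset("legacy-export.csv", encrypted=False, key_id=None),
    Asset("old-backup-tape", encrypted=True, key_id=None),
]
SAMPLE_EVENTS = [  # constructed key-custody log; only "key_exposed" defeats the safe harbor
    {"ts": datetime(2024, 2, 27, 18, 5), "key_id": "key-rec-2023", "event": "key_exposed"},
    {"ts": datetime(2024, 3, 2, 10, 0), "key_id": "key-laptop-07", "event": "key_rotated"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_ASSETS, SAMPLE_EVENTS, DISCOVERED))
```

In the sample, only the laptop earns the safe harbor; the other three assets force notification, so the deadline is fixed at discovery plus 60 days regardless of how long forensics takes.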

