A CE must notify affected individuals without reasonable delay and within sixty (60) calendar days from discovery of the breach except for circumstances involving delay requested by law enforcement. The notice of breach must provide information describing the PHI involved, steps the individual should take for protection, steps the CE is taking to investigate, mitigate harm and prevent further breaches, contact information for individuals to learn more including a toll-free telephone number, an e-mail address, website, or postal address.