HIPAA Breach Response
Step-by-step workflow for responding to a breach of unsecured protected health information. Based on the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D).
Critical Timeline
Individual notification must occur within 60 days of discovering the breach. HHS notification for breaches affecting 500+ must happen within the same window. The clock starts on discovery, not occurrence. Delays in detection do not extend the deadline. If you should have discovered the breach through reasonable diligence, the clock may have already started.
Step 1: Contain and Investigate
Stop the breach if still in progress (revoke access, disable accounts, retrieve records)
Preserve evidence (logs, screenshots, emails, access records)
Document discovery date and time (this starts the 60-day clock)
Identify what PHI was involved and how many individuals affected
Determine whether the information was encrypted per NIST standards
Activate your incident response team
Compliance tip: The 60-day notification clock starts when the breach is discovered, or when it WOULD have been discovered through reasonable diligence. Delayed detection does not extend the deadline.
Step 2: Perform the Four-Factor Risk Assessment
Factor 1: Nature and extent of PHI involved (types of identifiers, clinical info, financial info)
Factor 2: Unauthorized person who used the PHI or to whom it was disclosed
Factor 3: Whether the PHI was actually acquired or viewed (vs. just exposed)
Factor 4: Extent to which the risk to the PHI has been mitigated (retrieved, destroyed, assurances obtained)
Compliance tip: If the risk assessment demonstrates a LOW probability that PHI was compromised, notification is not required. Document your analysis thoroughly. If in doubt, notify. OCR looks more favorably on over-notification than under-notification.
Step 3: Notify Affected Individuals
Send written notification by first-class mail (or email if individual previously agreed to electronic notice)
Include: brief description of what happened and dates
Include: types of PHI involved (name, SSN, diagnosis, etc.)
Include: steps individual should take to protect themselves
Include: what your organization is doing in response
Include: contact information for questions (toll-free number, email, postal address)
If 10+ individuals have outdated contact info: post conspicuous notice on your website for 90 days OR provide notice to major media
Compliance tip: The notification must be written in plain language. Do not use legal jargon. Include specific, actionable steps. Offering free credit monitoring is not required but is considered a best practice for breaches involving financial information.
Step 4: Notify HHS
500+ individuals affected: Notify HHS contemporaneously with individual notification (within 60 days)
Under 500 individuals: Log the breach and report to HHS within 60 days of the end of the calendar year
Submit via the HHS breach reporting portal at ocrportal.hhs.gov
Include all required data elements: entity name, breach date, discovery date, type of breach, type of PHI, safeguards in place, actions taken
Compliance tip: Breaches affecting 500+ individuals are posted on the HHS Breach Portal (the 'Wall of Shame') and are publicly searchable. This is permanent. There is no mechanism to remove a posting.
Step 5: Notify Media (If Required)
Required ONLY if 500+ residents of a single state or jurisdiction are affected
Provide notice to prominent media outlets serving that state or jurisdiction
Content must include the same elements as individual notification
Consider preparing a press statement and FAQ in advance
Designate a single spokesperson for media inquiries
Compliance tip: Even if media notification is not required, assume the breach will become public. Prepare a communication plan. Proactive, transparent communication protects reputation better than silence.
Step 6: Document and Remediate
Document the entire breach response process (investigation, risk assessment, notifications, remediation)
Retain all breach documentation for 6 years
Conduct a post-incident review: how did this happen, and how do we prevent it from happening again?
Update your risk analysis to account for the breach
Implement corrective actions (new policies, additional training, technical controls)
Update your HIPAA policies and procedures if gaps were identified
Brief your workforce on the incident and any policy changes
Report to your board or governing body
Compliance tip: The documentation is your defense in an OCR investigation. If you cannot prove you performed the risk assessment, notified on time, and took corrective action, OCR will assume you did not. Document everything.
Do I Need to Notify?
Was PHI acquired, accessed, used, or disclosed in a way not permitted by the Privacy Rule?
Yes: Continue to the next question.
No: Not a breach. Document your determination.
Does one of the three exceptions apply? (1) Unintentional access by workforce in good faith, (2) Inadvertent disclosure between authorized persons at same entity, (3) Good-faith belief recipient cannot retain the information
Yes: Not a breach under the exception. Document which exception applies.
No: Continue to risk assessment.
Was the PHI encrypted per NIST standards and was the encryption key NOT compromised?
Yes: PHI is considered 'secured.' Breach notification is not required. Document.
No: Continue to risk assessment.
Does the four-factor risk assessment demonstrate a LOW probability that PHI was compromised?
Yes: Notification not required. Document the risk assessment thoroughly.
No: Breach notification IS required. Begin Step 3.
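The decision tree above, worked through as an added Python example that is not part of the original page: it walks the four questions in order and, for a positive determination, derives the notice obligations and deadlines from Steps 3 to 5. The BreachFacts field names and the sample incidents are constructed for illustration; the thresholds follow the page and the cited rule sections.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class BreachFacts:
    """Inputs to the decision tree; in practice these come from the Step 1 investigation."""
    discovered: date          # first day the breach was known, or would have been with reasonable diligence
    impermissible: bool       # PHI acquired/accessed/used/disclosed in a way the Privacy Rule does not permit
    exception: Optional[int]  # 1, 2 or 3 if one of the three exceptions applies, else None
    encrypted_per_nist: bool  # PHI was encrypted per NIST guidance
    key_compromised: bool     # the encryption key was also exposed
    low_probability: bool     # outcome of the documented four-factor risk assessment
    individuals: int          # total individuals affected
    max_in_one_state: int     # largest count of affected residents in any single state or jurisdiction
    unreachable: int          # individuals whose contact information is outdated

def breach_determination(f: BreachFacts):
    """Answer the 'Do I Need to Notify?' questions in order; returns (notify, reason)."""
    if not f.impermissible:
        return False, "not a breach: the use or disclosure was permitted"
    if f.exception in (1, 2, 3):
        return False, f"not a breach: exception {f.exception} applies"
    if f.encrypted_per_nist and not f.key_compromised:
        return False, "PHI is secured: encrypted per NIST, key not compromised"
    if f.low_probability:
        return False, "notification not required: low probability of compromise"
    return True, "breach notification required"

def notification_plan(f: BreachFacts) -> dict:
    """Turn a positive determination into the notices and deadlines of Steps 3 to 5."""
    notify, reason = breach_determination(f)
    plan = {"notify": notify, "reason": reason}
    if not notify:
        return plan                                   # still document the determination
    deadline = f.discovered + timedelta(days=60)      # clock runs from discovery, not occurrence
    plan["individuals_by"] = deadline
    if f.individuals >= 500:                          # 45 CFR 164.408(b): 500 or more individuals
        plan["hhs_by"] = deadline                     # contemporaneous with individual notice
    else:                                             # log it; annual report due 60 days after year end
        plan["hhs_by"] = date(f.discovered.year, 12, 31) + timedelta(days=60)
    # 45 CFR 164.406(a) reads "more than 500 residents"; the page's "500+" is shorthand for that
    plan["media"] = f.max_in_one_state > 500
    plan["substitute_notice"] = f.unreachable >= 10   # website notice for 90 days or major media
    return plan

# Constructed sample incidents (not from the page), all discovered on the same day
SAMPLE_LARGE = BreachFacts(date(2024, 3, 15), True, None, False, False, False, 1200, 800, 12)
SAMPLE_SMALL = BreachFacts(date(2024, 3, 15), True, None, False, False, False, 120, 120, 0)
SAMPLE_ENCRYPTED = BreachFacts(date(2024, 3, 15), True, None, True, False, False, 1200, 800, 0)
```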