Advanced · 30 min read

Breach Response Handbook

What to do when a breach occurs: investigation, notification, and documentation requirements.

Topics: Breach Definition · Risk Assessment · Notification Timeline · HHS Reporting · Documentation

Understanding HIPAA Breaches

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information.

What Qualifies as a Breach?

The Definition

Under HIPAA, a breach is:

"The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information."

The Presumption

HIPAA presumes that any impermissible use or disclosure of PHI is a breach unless you can demonstrate a low probability that the PHI was compromised.

Exceptions to Breach Definition

Not every incident is a breach. These exceptions apply:

  1. Unintentional access by a workforce member acting in good faith and within the scope of their authority, with no further impermissible use or disclosure

  2. Inadvertent disclosure between authorized persons at the same entity or organized health care arrangement

  3. Good faith belief that the unauthorized recipient could not have retained the information

Breach Response Process

Step 1: Identify and Contain

Immediate Actions:

  • Stop the unauthorized access or disclosure
  • Secure affected systems or records
  • Preserve evidence for investigation
  • Document initial findings

Containment Questions:

  • What PHI was involved?
  • How many individuals were affected?
  • Who accessed or received the PHI?
  • Has the breach been stopped?

Step 2: Investigate

Conduct a thorough investigation to understand:

  • What happened?
  • When did it happen?
  • How did it happen?
  • Who was involved?
  • What PHI was affected?
  • How many individuals were affected?

Document everything during the investigation.

Step 3: Conduct Risk Assessment

Perform a risk assessment considering these four factors:

Factor 1: Nature and Extent of PHI

  • What types of identifiers were involved?
  • Was clinical information included?
  • What's the potential for identification?
  Low Risk            | High Risk
  Name only           | SSN, financial info
  Appointment date    | Diagnoses, treatment
  Demographic info    | Mental health, HIV, substance abuse

Factor 2: Unauthorized Person

  • Who received or accessed the PHI?
  • Do they have obligations to protect PHI?
  • What's their likelihood of using the information?
  Lower Risk                | Higher Risk
  Covered entity employee   | Unknown third party
  Business associate        | Criminal actor
  Wrong patient             | Public posting

Factor 3: Whether PHI Was Actually Acquired or Viewed

  • Was the information actually accessed?
  • Was it just exposed but not accessed?
  • Can you determine this from audit logs?
  Lower Risk                              | Higher Risk
  Encrypted device lost                   | Evidence of access in logs
  Misdirected fax immediately recovered   | Confirmed viewing
  Email opened but attachments not opened | Information used fraudulently
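Factor 3 turns on what the audit trail actually shows, so here is an added example (not part of the handbook, and not any product's own tooling) that answers the question for a set of exposed records. It assumes a hypothetical EHR access-audit log in JSON Lines form with ts, user, role, mrn and action fields; the log lines, record numbers, user names and exposure window are all constructed for the scenario.

```python
"""Factor 3 check: was the exposed PHI actually viewed or acquired?

Added example, not part of the handbook. It assumes a hypothetical EHR
access-audit log in JSON Lines form (one event per line with ts, user,
role, mrn, action); real products use their own formats.
"""
import json
from datetime import datetime, timezone

# Constructed sample log. Scenario: a misconfigured file share exposed
# three records (MRN1001-MRN1003) from 2024-03-01 09:00Z to 2024-03-03 17:00Z.
# 'jdoe' is the treating nurse and 'svc_backup' the nightly backup job, so
# their access is expected; 'guest42' is an external account.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:12:00Z", "user": "jdoe", "role": "nurse", "mrn": "MRN1001", "action": "view"}
{"ts": "2024-03-02T02:45:00Z", "user": "svc_backup", "role": "service", "mrn": "MRN1001", "action": "read"}
{"ts": "2024-03-02T14:05:00Z", "user": "guest42", "role": "external", "mrn": "MRN1002", "action": "view"}
{"ts": "2024-03-02T14:06:00Z", "user": "guest42", "role": "external", "mrn": "MRN1002", "action": "export"}
{"ts": "2024-03-04T08:00:00Z", "user": "jdoe", "role": "nurse", "mrn": "MRN1003", "action": "view"}
"""

def utc(stamp):
    """Parse an ISO 8601 timestamp ending in 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def parse_events(text):
    """Parse JSON Lines audit events; timestamps become aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = utc(ev["ts"])
        events.append(ev)
    return events

def assess_exposure(events, exposed_mrns, window_start, window_end, expected_users):
    """Classify each exposed record for the four-factor risk assessment.

    For every MRN the report holds:
      status   - 'confirmed_access' if any principal outside expected_users
                 touched the record inside the exposure window, otherwise
                 'no_access_logged'
      exported - True when such a principal exported it (the record left the
                 system, which raises the chance of later misuse)
      evidence - the matching events, to be copied into the breach file
    'log_coverage' is False when the log holds no events at all inside the
    window; silence is then a logging gap, not proof that nobody looked.
    """
    in_window = [e for e in events if window_start <= e["ts"] <= window_end]
    report = {"log_coverage": bool(in_window), "records": {}}
    for mrn in exposed_mrns:
        hits = [e for e in in_window
                if e["mrn"] == mrn and e["user"] not in expected_users]
        report["records"][mrn] = {
            "status": "confirmed_access" if hits else "no_access_logged",
            "exported": any(e["action"] == "export" for e in hits),
            "evidence": [f"{e['ts'].isoformat()} {e['user']} {e['action']}" for e in hits],
        }
    return report

def run_sample(window=("2024-03-01T09:00:00Z", "2024-03-03T17:00:00Z")):
    """Run the constructed scenario over the given exposure window."""
    events = parse_events(SAMPLE_LOG)
    return assess_exposure(events, ["MRN1001", "MRN1002", "MRN1003"],
                           utc(window[0]), utc(window[1]), {"jdoe", "svc_backup"})

if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2, default=str))
```

In the sample, MRN1002 is a confirmed viewing with an export, which lands it in the "higher risk" column for Factor 3; MRN1001 and MRN1003 show only expected activity. A "no_access_logged" result is not by itself a low-probability finding: check the coverage flag, confirm the log source was actually recording during the window, and keep the evidence list in the breach file either way.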

Factor 4: Extent of Risk Mitigation

  • Was the PHI returned or destroyed?
  • Did recipient provide assurances?
  • What steps were taken to mitigate harm?

Step 4: Determine if Notification Required

If your risk assessment cannot demonstrate a low probability that PHI was compromised, you must provide notification.

Safe Harbors:

  • Data encrypted to NIST standards where the key was not compromised
  • Successfully demonstrated low probability through risk assessment

Step 5: Notify Affected Individuals

Timeline: Within 60 days of discovery (sooner if possible)

Method:

  • First-class mail to last known address
  • Email if individual has agreed to electronic notice
  • Substitute notice for insufficient contact info:
    • Under 10 individuals: Alternative written or phone notice
    • 10 or more: Conspicuous posting on website (90 days) or media notice

Required Content:

  1. Brief description of what happened, including dates
  2. Types of PHI involved
  3. Steps individuals should take to protect themselves
  4. What you're doing to investigate, mitigate, and prevent future breaches
  5. Contact information for questions

Sample Notification Letter:

[Date]

Dear [Patient Name],

We are writing to inform you of a security incident that may have
affected your protected health information.

WHAT HAPPENED
On [date], we discovered that [brief description]. This incident
occurred between [dates].

WHAT INFORMATION WAS INVOLVED
The information that may have been affected includes: [list types
of PHI - name, date of birth, medical record number, etc.]

WHAT WE ARE DOING
We have [describe response actions - investigation, security
improvements, etc.]. We have also reported this incident to the
U.S. Department of Health and Human Services.

WHAT YOU CAN DO
We recommend that you [specific protective steps - monitor
statements, credit monitoring, etc.].

FOR MORE INFORMATION
If you have questions, please contact [name] at [phone] or [email].

We sincerely apologize for this incident and any inconvenience
it may cause you.

Sincerely,
[Name and Title]

Step 6: Notify HHS

For breaches affecting 500+ individuals:

  • Notify HHS within 60 days of discovery
  • Use the HHS breach portal: ocrportal.hhs.gov
  • HHS will post on public breach portal

For breaches affecting fewer than 500 individuals:

  • Notify HHS within 60 days of end of calendar year
  • Maintain log of breaches
  • Submit annual report through HHS portal

Step 7: Media Notification (If Required)

If the breach affects 500+ residents of a state or jurisdiction:

  • Notify prominent media outlets in that state
  • Within 60 days of discovery
  • Same content as individual notice

Step 8: Document Everything

Maintain documentation of:

  • Incident discovery and initial response
  • Investigation findings
  • Risk assessment analysis
  • Notification decisions
  • Copies of all notifications sent
  • Mitigation steps taken
  • Policy/procedure updates

Retain for 6 years.
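Steps 4 through 8 together form a decision procedure with dates attached, so here is an added example (not part of the handbook, and not any product's own code) that works it through as a deadline planner. It encodes only the rules stated above: the 60-day clock from discovery for individual, HHS and media notice; the annual HHS submission within 60 days of calendar-year end for breaches under 500; the 10-person split for substitute notice; and the 6-year retention of the breach file. It reads "500+" as at least 500, and the Incident fields, state counts and dates are constructed.

```python
"""Steps 4-8 as a deadline planner: who must be notified and by when.

Added example, not part of the handbook. It encodes only what the handbook
states and reads '500+' as 'at least 500'. Incident fields are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Incident:
    discovered: str                   # ISO date of discovery; the 60-day clock starts here
    individuals: int                  # total individuals affected
    residents_by_state: dict          # state -> affected residents (constructed)
    encrypted_key_safe: bool = False  # NIST-standard encryption, key not compromised
    low_probability_shown: bool = False  # four-factor assessment demonstrated low probability
    insufficient_contact: int = 0     # individuals with no usable contact details

def add_years(d, years):
    """Anniversary of d; 29 February falls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def notification_plan(inc):
    """Return which notices are due, their deadlines, and the retention date."""
    discovered = date.fromisoformat(inc.discovered)
    plan = {"notification_required": True, "deadlines": {}, "notes": []}

    # Step 4: a safe harbor removes the notification duty (documentation is still kept).
    if inc.encrypted_key_safe:
        plan["notification_required"] = False
        plan["notes"].append("safe harbor: PHI encrypted, key not compromised")
    elif inc.low_probability_shown:
        plan["notification_required"] = False
        plan["notes"].append("risk assessment demonstrated low probability of compromise")

    sixty_days = discovered + timedelta(days=60)
    if plan["notification_required"]:
        # Step 5: individual notice, with substitute notice where contact details are missing.
        plan["deadlines"]["individuals"] = sixty_days.isoformat()
        if inc.insufficient_contact >= 10:
            plan["substitute_notice"] = "conspicuous website posting (90 days) or media notice"
        elif inc.insufficient_contact > 0:
            plan["substitute_notice"] = "alternative written or telephone notice"
        # Step 6: HHS within 60 days for 500+, otherwise via the annual log.
        if inc.individuals >= 500:
            plan["deadlines"]["hhs"] = sixty_days.isoformat()
        else:
            year_end = date(discovered.year, 12, 31)
            plan["deadlines"]["hhs_annual_log"] = (year_end + timedelta(days=60)).isoformat()
        # Step 7: media notice in every state with 500+ affected residents.
        media_states = sorted(s for s, n in inc.residents_by_state.items() if n >= 500)
        if media_states:
            plan["deadlines"]["media"] = sixty_days.isoformat()
            plan["media_states"] = media_states

    # Step 8: retain the breach file for 6 years whatever the outcome.
    plan["retain_until"] = add_years(discovered, 6).isoformat()
    return plan

if __name__ == "__main__":
    sample = Incident("2024-03-04", 1200, {"CA": 900, "NV": 300}, insufficient_contact=25)
    for key, value in notification_plan(sample).items():
        print(f"{key}: {value}")
```

The planner computes calendar deadlines only; "sooner if possible" still applies, and the plan it returns is itself one of the documents to keep under Step 8.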

Common Breach Scenarios

Lost or Stolen Devices

  • Was device encrypted?
  • What PHI was stored?
  • Remote wipe capability?

Misdirected Communications

  • Fax to wrong number
  • Email to wrong recipient
  • Mail to wrong address

Hacking/Cyber Attacks

  • Ransomware
  • Phishing
  • Unauthorized access

Improper Disposal

  • Unshredded documents
  • Improperly wiped devices

Insider Threats

  • Unauthorized access by employees
  • Theft of information

Prevention Strategies

  1. Encrypt everything - Devices, transmissions, storage
  2. Train workforce - Security awareness, phishing recognition
  3. Implement access controls - Minimum necessary, audit logging
  4. Monitor systems - Intrusion detection, log review
  5. Have a response plan - Know what to do before it happens

Penalties for Non-Compliance

Failure to notify can result in:

  • Civil penalties up to $1.5 million per violation category per year
  • Criminal penalties for willful neglect
  • State attorney general actions
  • Reputational damage

Key Takeaways

  1. Assume breach until proven otherwise - Conduct proper risk assessment
  2. Act quickly - 60-day clock starts at discovery
  3. Document everything - Your documentation is your defense
  4. Be transparent - Honest communication protects your reputation
  5. Learn and improve - Update policies and procedures based on incidents

HIPAA Agent provides guided breach assessment workflows, automatic notification templates, and HHS reporting assistance to ensure you respond correctly and meet all deadlines.

