Patient Protect

Breach response

Your practice was breached. Here is what to do next.

This is a step-by-step action plan for healthcare practices that have experienced a data breach. Seven steps covering containment, investigation, notification deadlines, and regulatory obligations — in the order you need to execute them.

Based on HIPAA Breach Notification Rule · 45 CFR §§ 164.400–414

Action plan

Seven steps. In order. Starting now.

These steps follow the sequence mandated by the HIPAA Breach Notification Rule. Containment comes first. Notification comes after you understand the scope.

1. Stop the breach

Isolate every affected system immediately. Change all compromised credentials — passwords, API keys, admin accounts. Disable any user accounts that show unauthorized access. The priority is containment: stop the bleeding before you assess the damage.

2. Activate your incident response team

Designate a single incident lead with decision-making authority. From this moment forward, every action, conversation, and finding must be documented with timestamps. If you do not have a formal incident response plan, assign roles now: lead, IT, legal, communications.

3. Assess the scope

Determine exactly what data was accessed or exfiltrated. How many patient records are involved? Which systems were compromised? How long did the unauthorized access persist? The answers to these questions determine every obligation that follows.

4. Conduct a breach risk assessment

HIPAA requires a four-factor risk assessment: the nature and extent of the PHI involved, the unauthorized person who accessed it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. If this assessment shows more than a low probability of compromise, notification is required.

5. Notify HHS OCR

For breaches affecting 500 or more individuals, you must notify the HHS Office for Civil Rights within 60 calendar days of discovery. For breaches affecting fewer than 500, you may log them and submit annually — but do not treat that as permission to delay your investigation.

6. Notify affected individuals

Written notification must go to every affected individual within 60 days. Each notice must include: a description of what happened, the types of PHI involved, steps individuals should take to protect themselves, what your practice is doing in response, and contact information for questions.

7. Notify media and state attorneys general

If 500 or more individuals in a single state or jurisdiction are affected, you must notify prominent media outlets in that area. You must also check state-specific breach notification laws — many states have additional requirements, shorter timelines, or separate filing portals.
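As an added example, not part of the Patient Protect page or product, the thresholds from steps 4 through 7 written as a small Python decision function: it separates the aggregate 500 count that sets the OCR deadline from the per-state 500 count that triggers media notice, and it keeps the 60-day individual-notice deadline even for small breaches. The Breach and Obligations names, the field names and the state counts are this example's own constructions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds as stated on this page (HIPAA Breach Notification Rule).
NOTICE_WINDOW_DAYS = 60   # OCR report (500+) and individual notices: within 60 calendar days of discovery
LARGE_BREACH = 500        # 500+ in total: OCR report within 60 days; 500+ in one state: media notice


@dataclass
class Breach:
    """Facts established in steps 3 and 4. Field names are this example's own."""
    discovered: date                      # day 0: when the practice knew or should have known
    affected_by_state: Dict[str, int]     # state code -> affected residents (constructed input)
    low_probability_of_compromise: bool   # outcome of the four-factor risk assessment


@dataclass
class Obligations:
    notification_required: bool
    deadline: Optional[date]              # last day for individual notices (and the OCR report when 500+)
    hhs_ocr: str                          # "within 60 days" or "log and submit annually"
    media_states: List[str]               # states where 500+ residents are affected


def obligations(b: Breach) -> Obligations:
    """Map the breach facts onto the notification duties described in steps 4 to 7."""
    # Step 4: a documented low probability of compromise is the only way out of notifying.
    if b.low_probability_of_compromise:
        return Obligations(False, None, "none; retain the written risk assessment", [])

    total = sum(b.affected_by_state.values())
    deadline = b.discovered + timedelta(days=NOTICE_WINDOW_DAYS)

    # Step 5: the 500 threshold for the OCR deadline is the aggregate count, not per state.
    hhs_ocr = "within 60 days" if total >= LARGE_BREACH else "log and submit annually"

    # Step 7: the media threshold is per state, so a 550-person breach split across
    # two states can require an OCR report within 60 days yet no media notice.
    media = sorted(s for s, n in b.affected_by_state.items() if n >= LARGE_BREACH)

    # Step 6: individual notices are due within 60 days regardless of breach size.
    return Obligations(True, deadline, hhs_ocr, media)


if __name__ == "__main__":
    # Constructed scenario: discovered 1 March 2024, 700 Californians and 120 Nevadans affected.
    print(obligations(Breach(date(2024, 3, 1), {"CA": 700, "NV": 120}, False)))
```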

What not to do

Mistakes that make a breach worse.

Under pressure, practices make decisions that compound their exposure. Every item on this list has led to increased penalties, extended investigations, or litigation.

Delaying notification hoping the problem resolves itself

Destroying or altering logs and evidence

Notifying patients before understanding the full scope

Failing to document your investigation process

Not involving legal counsel early enough

Assuming cyber insurance handles everything

Key deadlines

The clock is already running.

Day 0: Breach discovered

The 60-day clock starts the moment you know — or should have known — a breach occurred.

Immediately: Contain and document

Isolate systems, preserve evidence, begin your incident log. Every hour of delay increases exposure.

Within 48 hours: Engage legal, begin risk assessment

Retain breach counsel to establish privilege. Start the four-factor HIPAA risk assessment.

Within 60 days: Notify HHS OCR and affected individuals

Submit breach report to HHS. Send written notification to every affected patient.

If 500+: Notify media in affected states

Contact prominent media outlets in each state where 500+ residents are affected.

Ongoing: Remediation, monitoring, policy updates

Implement corrective actions, monitor for further exposure, and update your security policies to prevent recurrence.

Do not build this from scratch during a crisis

Breach response workflows, built in.

Patient Protect provides breach response workflows, incident documentation, and OCR-ready reporting — so you are not building this from scratch during a crisis. The practices that recover fastest are the ones that had a plan before day zero.

14-day free trial · No charge until trial ends

FAQ

Questions about breach reporting.

How long do I have to report a HIPAA breach?

You must notify HHS OCR and affected individuals within 60 calendar days of discovering the breach. The clock starts when you know — or reasonably should have known — that a breach occurred. For breaches affecting fewer than 500 individuals, you may log them and submit to HHS annually, but individual notifications still follow the 60-day rule.

Do I need to notify patients if only a few records were affected?

Yes. There is no minimum threshold for patient notification under HIPAA. If your four-factor risk assessment determines that a breach occurred — even if it involves a single record — you must notify the affected individual within 60 days. The only exception is if your risk assessment demonstrates a low probability that the PHI was compromised.

What are the penalties for failing to report a breach?

HHS OCR penalties range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. Willful neglect that is not corrected carries the highest penalties. State attorneys general can also pursue separate enforcement actions. Beyond fines, failing to report destroys patient trust and invites intensified regulatory scrutiny.

Should I hire a lawyer after a breach?

Yes — and do it before you begin your formal investigation. Engaging breach counsel early establishes attorney-client privilege over your investigation findings, which can protect your practice in subsequent litigation. Many cyber insurance policies include breach counsel coverage. This is not optional for any breach that may require notification.