HIPAA Breach Response Checklist: Steps to Take After a Violation

Breach Identification

Confirm you’re dealing with a HIPAA breach

Start by verifying whether protected health information (PHI) was involved and whether it was unsecured. A breach is generally the acquisition, access, use, or impermissible disclosure of unsecured PHI that compromises its privacy or security under the HIPAA breach notification rule.

Differentiate incidents from breaches

Not every incident is a breach. Validate if an internal, unintentional access in good faith, a workforce misdirection corrected promptly, or a recipient unable to retain the information applies. If none fit, treat the event as a breach and proceed.

Capture essential facts immediately

• What happened, when, where, and how it was discovered.
• Systems, records, or devices involved and the types of PHI potentially exposed.
• Who used or received the information and whether it was actually viewed or acquired.

Containment and Mitigation

Execute breach containment procedures

• Isolate affected systems or applications; disable compromised accounts and revoke tokens.
• Retrieve, sequester, or securely delete misdirected PHI and request recipient attestations of destruction.
• Block outbound transmissions (email gateways, file shares) and apply remote wipe to lost or stolen devices.
• Preserve forensic evidence while stopping further impermissible disclosure.

Mitigate harm to individuals

• Offer credit monitoring or identity protection when appropriate.
• Provide tailored safety steps (e.g., password changes, fraud alerts) based on the data types involved.
• Coordinate with cyber insurance and incident response partners to scale resources quickly.

Risk Assessment

Apply risk assessment criteria

Determine the probability of compromise to decide on notification. Evaluate and document:

• Nature and extent of PHI involved (identifiers, diagnoses, financial or credential data).
• The unauthorized person who used PHI or to whom it was disclosed.
• Whether the PHI was actually acquired or viewed.
• The extent to which the risk has been mitigated (e.g., verified deletion, return of data).

Decide and document

If your documented analysis shows a low probability of compromise, notification may not be required; otherwise, initiate notices. If data were encrypted to a standard rendering it unusable, unreadable, or indecipherable, the event may not be a reportable breach.

Notification to Affected Individuals

Meet notification deadlines

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Start the clock when the breach is known or should reasonably have been known to you.

Choose the proper delivery method

• Send written notice by first-class mail; use email if the individual has agreed to electronic notice.
• If contact information is insufficient, provide substitute notice (e.g., website posting or call center) consistent with HIPAA rules.

Include all required content

• A brief description of what happened, including dates of the breach and discovery.
• Types of PHI involved (for example, names, diagnoses, account numbers).
• Steps individuals should take to protect themselves.
• What you are doing to investigate, mitigate harm, and prevent a recurrence.
• Clear contact information for questions and assistance.

Coordinate with business associates

Business associates must notify the covered entity without unreasonable delay (and within HIPAA’s time limits) and share identities of affected individuals and available details to support timely notices.

Notification to the Secretary

Follow size-based requirements

• Breaches affecting 500 or more individuals: notify the Secretary without unreasonable delay and no later than 60 days after discovery.
• Breaches affecting fewer than 500 individuals: log them and submit an annual report no later than 60 days after the end of the calendar year in which they were discovered.

Ensure the submission aligns with your individual notices and retains all supporting evidence of timeliness and accuracy.

Media Notification

If a breach affects more than 500 residents of a single state or jurisdiction, notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. Coordinate messaging with your individual notices, and prepare spokesperson guidance and FAQs to manage public inquiries.

Documentation and Record-Keeping

Meet breach documentation requirements

• Incident log entries, timelines, and decision records supporting your risk assessment.
• Copies of notifications (letters, emails, substitution notices) and proof of mailing.
• Forensic reports, mitigation evidence (e.g., deletion attestations), and remediation plans.
• Policies, training records, sanctions, and updates tied to the incident.
• Business associate correspondence and contractual notices.

Retain breach-related documentation for at least six years from the date of creation or last effective date, whichever is later.

Post-Breach Analysis and Improvement

Conduct a thorough lessons-learned review

• Identify root causes (human error, control gaps, vendor issues) and prioritize corrective actions.
• Update policies and procedures, close audit findings, and assign owners with deadlines.
• Refresh workforce training, focusing on the specific error patterns revealed by the incident.
• Reassess vendor risk management and business associate agreements to tighten obligations and response times.

Legal Consultation

Align with federal and state obligations

Engage counsel early to preserve privilege, interpret overlapping state breach laws (which may impose shorter deadlines), and confirm whether law enforcement has requested a temporary delay of notices. Counsel can help evaluate potential liabilities, contractual duties, and communication strategies that minimize legal risk.

Strengthening Security Measures

Reinforce administrative, technical, and physical safeguards

• Administrative: risk analyses, least-privilege access, separation of duties, and continuous training.
• Technical: multifactor authentication, encryption at rest and in transit, data loss prevention, timely patching, endpoint detection and response, and audit logging.
• Physical: device locking, secure media disposal, visitor controls, and inventory tracking.

Institutionalize readiness

• Maintain a tested incident response plan with clear roles, escalation paths, and decision checklists.
• Run tabletop exercises simulating common scenarios (misdirected email, lost laptop, vendor breach).
• Adopt recognized security practices and measure progress against mature frameworks to reduce risk over time.

In practice, a disciplined approach—quick containment, careful risk assessment, timely notifications, and rigorous documentation—keeps you compliant while restoring trust and strengthening your security posture.

FAQs

What should I do if my HIPAA rights are violated?

Document what happened, when, and who was involved. Contact the provider or plan’s Privacy Officer to request an explanation and corrective action, and keep copies of all communications. You may also file a complaint with the appropriate federal authority, generally within 180 days of when you knew or should have known of the violation. Consider consulting an attorney if you suffered harm.

How soon must a healthcare provider notify me of a HIPAA breach?

You should receive notice without unreasonable delay and no later than 60 calendar days after the breach is discovered. The notice must explain what happened, the types of data involved, steps you can take to protect yourself, and how the organization is addressing the issue.

What legal actions can I take if my PHI is compromised?

While HIPAA itself doesn’t typically provide a private right of action for damages, you can file a complaint with regulators and explore state-law claims such as negligence, breach of contract, or privacy torts. An experienced attorney can assess options based on the facts, your state’s laws, and any financial or reputational harm you experienced.

How is the severity of a HIPAA breach assessed?

Organizations apply risk assessment criteria: the nature and extent of PHI involved, who used or received it, whether it was actually acquired or viewed, and how effectively the risk was mitigated. The outcome guides whether notification is required and what mitigation steps are appropriate.