HIPAA Investigation Workflow: Step-by-Step Guide for Handling Incidents and Potential Breaches



Kevin Henry

Incident Response

April 18, 2026


This step-by-step workflow helps you investigate incidents involving Protected Health Information (PHI), determine whether they rise to a reportable breach, and act under the HIPAA Breach Notification Rule. Follow each section in order to contain risk, meet deadlines, and document defensible decisions.

Use this guide to move from initial detection to closure: define the incident, complete a Breach Risk Assessment, apply exceptions, manage unsecured PHI, deliver required notices, coordinate with business associates, and harden your administrative policies.

Defining a HIPAA Breach

A HIPAA breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. An incident is presumed to be a breach unless you demonstrate a low probability that PHI has been compromised based on a documented assessment.

“Discovery” occurs on the first day the incident is known to you (including any workforce member or agent) or would have been known with reasonable diligence. Start a case file immediately, capture who discovered the issue, when it occurred and was discovered, systems involved, types of PHI, and steps taken to contain it.

Conducting Risk Assessments

Complete a Breach Risk Assessment to determine the probability that PHI was compromised. Your analysis must address the following four factors and conclude whether the probability is low or not low, with rationale and evidence.

  • Nature and extent of PHI involved: the identifiers present and the likelihood of re-identification, plus the sensitivity of the data.
  • Unauthorized person: who received or could access the PHI and whether they are obligated to protect its confidentiality.
  • Whether PHI was actually acquired or viewed: logs, screenshots, DLP alerts, or forensic artifacts should support your conclusion.
  • The extent to which the risk has been mitigated: containment actions such as secure deletion, password resets, recalls, or written attestations of non-use/non-disclosure.

Document your methodology, evidence, and decision. If the outcome is “low probability,” record the justification and close the matter as an incident. If not, treat it as a breach and proceed with notifications.

Identifying Exceptions to Breach

Before concluding that notification is required, test the incident against HIPAA’s specific exceptions. If an exception applies, it is not a breach, though you must still document your analysis and mitigation.

  • Unintentional acquisition, access, or use of PHI by a workforce member or business associate acting in good faith and within scope of authority.
  • Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI within the same covered entity, business associate, or organized health care arrangement.
  • A disclosure where you have a good-faith belief the unauthorized person could not reasonably have retained the information (for example, returned unopened mail or an auto-deleted message).

Managing Unsecured PHI

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable through technologies or methods such as strong encryption or proper destruction. If PHI is secured, the incident typically is not reportable under the Breach Notification Rule, but you should still investigate and document.

  • Immediate containment: disable compromised accounts, revoke access, isolate devices, and stop further transmission or sharing.
  • Forensic preservation: capture logs, timestamps, and system states; avoid altering potentially probative data.
  • Remediation: patch vulnerabilities, rotate credentials, enable encryption at rest and in transit, and correct misconfigurations.
  • Validation: verify that data was not exfiltrated or retained and obtain written attestations from recipients when feasible.

Track all containment and remediation actions in the case file; these steps directly influence the Breach Risk Assessment outcome.


Complying with Breach Notification Requirements

If your assessment finds that the probability PHI was compromised is not low and no exception applies, you must notify without unreasonable delay and in no case later than 60 calendar days from discovery. Build a notification plan that covers who, how, when, and what to include.

  • Individuals: Send written notice by first-class mail (or email if the individual has agreed). If contact information is insufficient for fewer than 10 individuals, use an alternative method such as telephone; if for 10 or more, provide substitute notice (for example, a conspicuous website posting or media notice) for at least 90 days with a toll-free number active for the same period.
  • Media: If the breach involves 500 or more residents of a state or jurisdiction, notify prominent media outlets serving that area within 60 calendar days.
  • Secretary Reporting Requirements: Notify the Secretary of Health and Human Services. For 500 or more affected individuals, report contemporaneously and no later than 60 days from discovery. For fewer than 500, log the incident and report within 60 days after the end of the calendar year in which the breach was discovered.
  • Law enforcement delay: If a law enforcement official states that notice would impede a criminal investigation or threaten national security, delay notifications for the time specified in a written statement or up to 30 days for an oral statement (to be followed by written confirmation).

Content of the notice to individuals must include: a clear description of what happened (including dates of breach and discovery), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm and prevent recurrence, and how to contact you (toll-free number, email, and postal address).
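The thresholds and deadlines above translate directly into a decision procedure. The following is an added example (not Accountable's code) that models them for a single incident: it assumes a per-state count of affected residents, treats the 60-day figures as outermost deadlines (notice is still expected without unreasonable delay), and does not model a law enforcement delay or the exact HHS portal mechanics.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Incident:
    discovered: date                 # first day the incident was (or should have been) known
    affected_by_state: dict          # state/jurisdiction -> number of affected residents
    insufficient_contact: int = 0    # individuals whose contact details are insufficient
    phi_secured: bool = False        # PHI encrypted/destroyed, so not "unsecured PHI"
    exception_applies: bool = False  # one of the three documented exceptions applies
    low_probability: bool = False    # Breach Risk Assessment concluded "low probability"


def plan_notifications(inc: Incident) -> dict:
    """Return required notices and their outermost deadlines, or {} when no
    notification is required (the case file still records the analysis)."""
    if inc.phi_secured or inc.exception_applies or inc.low_probability:
        return {}
    total = sum(inc.affected_by_state.values())
    # "without unreasonable delay and in no case later than 60 calendar days"
    outer = inc.discovered + timedelta(days=60)
    plan = {"individuals": outer}
    # Substitute notice rules when contact information is insufficient.
    if inc.insufficient_contact >= 10:
        plan["substitute_notice"] = {"days": 90, "toll_free_days": 90}
    elif inc.insufficient_contact > 0:
        plan["alternative_contact"] = "telephone or other alternative method"
    # Media notice for each state/jurisdiction with 500 or more affected residents.
    media = [state for state, n in inc.affected_by_state.items() if n >= 500]
    if media:
        plan["media"] = {state: outer for state in media}
    # HHS Secretary: contemporaneous report at 500 or more, otherwise the annual log.
    if total >= 500:
        plan["hhs"] = outer
    else:
        year_end = date(inc.discovered.year, 12, 31)
        plan["hhs"] = year_end + timedelta(days=60)
    return plan


if __name__ == "__main__":
    # Constructed sample: a 660-record exposure discovered on 2026-04-18.
    sample = Incident(date(2026, 4, 18), {"TX": 620, "OK": 40}, insufficient_contact=12)
    for channel, deadline in plan_notifications(sample).items():
        print(channel, deadline)
```

The returned dates are the latest permissible dates; BAAs and state laws may impose shorter ones.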

Notifying Business Associates

Business associates and their subcontractors must notify upstream parties of breaches of unsecured PHI without unreasonable delay and no later than 60 calendar days from discovery, providing the information the covered entity needs to fulfill its own obligations. Business Associate Agreements (BAAs) may require shorter timeframes and specific data elements, so review them at the outset of every investigation.

  • What to provide: identities of affected individuals, a description of the incident, dates, the types of PHI involved, and the mitigation performed; send supplements as details emerge.
  • Delegation: Covered entities may delegate individual notifications to the business associate, but remain accountable for ensuring accuracy, completeness, and timeliness.
  • Subcontractors: Require subcontractor-to-BA notifications that flow promptly to the covered entity through the chain of responsibility.

Implementing Administrative Policies

Strong administrative safeguards reduce incident likelihood and sharpen your response. Establish written, enforceable procedures and train your workforce to follow them consistently.

  • Security incident procedures and Incident Mitigation playbooks that define triage, containment, evidence handling, and escalation paths.
  • Workforce Sanctions that are timely, consistent, and documented for violations of privacy or security policies.
  • Ongoing risk analysis and risk management to address vulnerabilities, apply minimum necessary access, and enforce encryption and disposal standards.
  • Vendor governance: standardized Business Associate Agreements, security due diligence, and periodic reviews of controls and reporting obligations.
  • Training and awareness: onboarding, role-based refreshers, phishing simulations, and tabletop exercises of the Breach Notification Rule workflow.
  • Documentation and retention: maintain assessments, decisions, notices, and logs for at least six years and conduct periodic internal audits for readiness.

By operationalizing these policies, you improve prevention, accelerate investigations, and consistently meet HIPAA’s Breach Notification Rule requirements.

FAQs

What constitutes a HIPAA breach?

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. It is presumed to be a breach unless your documented assessment shows a low probability that the PHI was compromised.

How is risk assessed during a HIPAA investigation?

You evaluate four factors: the nature and extent of PHI involved, who received or accessed it, whether it was actually acquired or viewed, and the effectiveness of mitigation. Your Breach Risk Assessment must explain evidence and reasoning leading to a “low probability” or “not low” conclusion.

When must breach notifications be sent?

Send notices without unreasonable delay and no later than 60 calendar days from discovery. Notify affected individuals, the media if 500 or more residents of a state or jurisdiction are affected, and the HHS Secretary according to the applicable threshold and timing rules.

What are the exceptions to reporting a breach?

No notification is required if the incident qualifies for an exception: good-faith, unintentional access or use within scope; inadvertent disclosure between two authorized persons within the same entity or arrangement; or disclosures where the recipient could not reasonably have retained the information. You must still document the analysis and mitigation.
