How to Handle a HIPAA Breach: Step-by-Step Guide to Response and Reporting


Kevin Henry

HIPAA

November 09, 2025

Definition of a HIPAA Breach

A HIPAA breach is an impermissible use or disclosure of Protected Health Information (PHI) that compromises its security or privacy. Under the Breach Notification Rule, a breach is presumed unless you can demonstrate a low probability that PHI was compromised based on a documented risk assessment.

PHI includes any individually identifiable health information in any form—electronic, paper, or oral. Breaches can arise from lost devices, misdirected emails, unauthorized access, or events like a ransomware attack that renders PHI unavailable to authorized users.

Common exceptions

  • Unintentional access in good faith by a workforce member, within scope and without further use or disclosure.
  • Inadvertent disclosure between authorized persons within the same organization, if not further used or disclosed improperly.
  • Disclosures where the recipient could not reasonably retain the information.

If PHI was properly secured (for example, strongly encrypted) at the time of the incident, notification may not be required. Not every security incident is a breach, but all incidents must follow your Security Incident Procedures.

Initial Response Steps

Your first moves determine containment, evidence quality, and the accuracy of notifications. Treat the date and time of discovery as “day 0” for all Breach Notification Rule timelines.

Activate Security Incident Procedures

  • Identify and contain: isolate affected systems, disable compromised accounts, and block malicious traffic.
  • Preserve evidence: capture logs, memory, disk images, and configurations before rebuilding systems.
  • Convene your Incident Response Team (privacy, security, compliance, legal, IT, communications) and assign an incident commander.
  • Engage forensics and outside counsel as needed; consider law enforcement if criminal activity is suspected.
  • Notify the covered entity or business associate per contracts; begin an incident log to document every action and decision.
  • Stabilize operations with short-term compensating controls and initiate patient-safety checks if clinical systems are involved.

Ransomware Attack Response

  • Quarantine infected endpoints and servers; remove them from networks immediately.
  • Assess whether PHI was accessed, exfiltrated, altered, or merely encrypted in place.
  • Verify intact, offline backups; restore only to a clean environment with patched, hardened systems.
  • Hunt for data theft indicators; paying a ransom does not remove HIPAA obligations or ensure data was not copied.
  • Document findings to support the subsequent breach risk assessment and notification decisions.

Conducting a Risk Assessment

The risk assessment determines whether the incident is a reportable breach and defines who must be notified. Base conclusions on facts, not assumptions, and document your rationale.

Approach

  • Reconstruct the event timeline and the systems, accounts, and data involved.
  • Inventory PHI elements exposed (names, diagnoses, SSNs, images, claims data) and count affected individuals by state/jurisdiction.
  • Corroborate with forensic evidence, access logs, application traces, and vendor confirmations.
  • Record compensating controls, mitigation steps, and whether PHI was secured at the time.

Evaluate the four Risk Assessment Factors

  • Nature and extent of PHI involved (sensitivity and likelihood of re-identification).
  • Unauthorized person who used or received the PHI (and their obligations to protect it).
  • Whether PHI was actually acquired or viewed (versus merely exposed).
  • The extent to which the risk has been mitigated (e.g., signed attestations, data deletion, or containment).

Conclude whether there is a low probability that PHI was compromised. If not, proceed with notifications under the Breach Notification Rule.

Notification to Affected Individuals

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Coordinate with law enforcement if a documented delay is requested to avoid impeding an investigation.

Timing and methods

  • Primary method: first-class mail to the last known address; email is permitted if the individual has agreed to electronic notice.
  • If fewer than 10 addresses are outdated, use an alternative form (e.g., phone). If 10 or more are outdated, provide substitute notice such as a conspicuous website posting and a toll-free number available for at least 90 days.

Content of the notice

  • A brief description of what happened, including dates of the breach and discovery.
  • Types of PHI involved (e.g., names, diagnoses, account numbers, SSNs).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • Contact information for questions (toll-free number, email, and postal address).

Reporting to the Secretary of HHS

HHS Secretary Notification is required for reportable breaches and must align with your individual notices. Submit through the designated online portal and retain confirmations in your breach file.

Thresholds and timing

  • 500 or more individuals affected: report to the Secretary without unreasonable delay and no later than 60 days from discovery.
  • Fewer than 500 individuals affected: log the breach and submit to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.

What to include

  • Entity information, point of contact, and whether you are a covered entity or business associate.
  • Dates of breach and discovery, number of individuals, and states/jurisdictions affected.
  • Type and source of the breach, PHI elements involved, and mitigation actions.
  • Whether a law-enforcement delay applies and the status of individual notifications and any media notice.

Media Notification Requirements

If a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. Issue a press release that mirrors the individual notice content and prepare a call center to address inquiries.

Media notice supplements—never replaces—direct notification to affected individuals.
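The thresholds and clocks from the three notification sections above (individual notice, HHS reporting, and media notice), combined into one planning helper. This is an added example, not code from the article or from Accountable; the breach facts are constructed, and the calendar-day arithmetic is this example's own simplification rather than a legal reading of the rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and clocks as stated in the article. The calendar arithmetic is this
# example's own simplification (an assumption), not a legal reading of the rule.
NOTICE_DAYS = 60                  # individual, HHS (500+) and media notices: <= 60 days from discovery
LARGE_BREACH = 500                # 500+ individuals -> immediate HHS report; 500+ per state -> media
SUBSTITUTE_NOTICE_AT = 10         # 10+ outdated addresses -> substitute notice
SUBSTITUTE_NOTICE_MIN_DAYS = 90   # toll-free number stays available at least this long

@dataclass
class BreachFacts:
    discovered: str                  # ISO date of discovery, "day 0" for every clock
    affected_by_state: dict          # constructed input, e.g. {"CA": 620, "NV": 40}
    outdated_addresses: int = 0
    low_probability: bool = False    # documented four-factor risk-assessment conclusion

def notification_plan(f: BreachFacts) -> dict:
    """Derive who must be notified and by when from the article's thresholds."""
    total = sum(f.affected_by_state.values())
    if f.low_probability:
        return {"reportable": False, "total_affected": total}  # assessment is still retained
    day0 = date.fromisoformat(f.discovered)
    deadline = day0 + timedelta(days=NOTICE_DAYS)
    if total >= LARGE_BREACH:
        hhs_timing, hhs_deadline = "without unreasonable delay", deadline
    else:
        # Smaller breaches go in the annual log: 60 days after the end of the discovery year.
        year_end = date(day0.year, 12, 31)
        hhs_timing, hhs_deadline = "annual log", year_end + timedelta(days=NOTICE_DAYS)
    media_states = sorted(s for s, n in f.affected_by_state.items() if n >= LARGE_BREACH)
    substitute = f.outdated_addresses >= SUBSTITUTE_NOTICE_AT
    return {
        "reportable": True,
        "total_affected": total,
        "individual_notice_deadline": deadline.isoformat(),
        "substitute_notice": substitute,
        "substitute_notice_min_days": SUBSTITUTE_NOTICE_MIN_DAYS if substitute else 0,
        "hhs_timing": hhs_timing,
        "hhs_deadline": hhs_deadline.isoformat(),
        "media_states": media_states,             # empty list -> no media notice required
        "media_deadline": deadline.isoformat() if media_states else None,
    }

if __name__ == "__main__":
    # Constructed scenario: a ransomware incident discovered on the article's date.
    facts = BreachFacts("2025-11-09", {"CA": 620, "NV": 40}, outdated_addresses=12)
    for key, value in notification_plan(facts).items():
        print(f"{key}: {value}")
```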

Documentation and Record-Keeping

Maintain comprehensive records of your Security Incident Procedures, risk assessment, decisions, and all notifications. Retain documentation for at least six years from creation or last in effect, including drafts, approvals, and submission receipts.

  • Incident timelines, forensic reports, and access logs.
  • Copies of individual, HHS, and media notices; scripts and FAQs used by support teams.
  • Business associate communications, contractual notices, and corrective actions.
  • Policy updates, training records, tabletop exercises, and post-incident reviews.

Continuous improvement

  • Conduct an after-action review to identify control gaps and update your incident response plan.
  • Strengthen access management, backup/restore practices, and monitoring.
  • Train your workforce and test your Incident Response Team with realistic scenarios.

Conclusion

Handling a HIPAA breach demands fast containment, a defensible risk assessment, and precise, timely notifications. By activating your Incident Response Team, applying the Risk Assessment Factors, and executing clear communications to individuals, HHS, and the media when required, you meet Breach Notification Rule obligations and strengthen long-term resilience.

FAQs

What constitutes a HIPAA breach?

A HIPAA breach is an impermissible use or disclosure of PHI that compromises its security or privacy. It is presumed to be a breach unless you document, via a risk assessment, a low probability that the PHI was compromised. Limited exceptions apply for good-faith, inadvertent, or non-retainable disclosures.

How soon must affected individuals be notified?

Notify individuals without unreasonable delay and no later than 60 calendar days after discovery. Use first-class mail (or agreed email), and provide substitute notice if addresses are outdated. Coordinate any law-enforcement delay in writing and retain it in your breach file.

When is notification to the Secretary of HHS required?

For breaches affecting 500 or more individuals, report to the Secretary without unreasonable delay and within 60 days of discovery. For fewer than 500, log the incident and submit your annual report no later than 60 days after the end of the calendar year in which you discovered the breach.

What steps are included in the initial breach response?

Contain the incident, preserve evidence, activate Security Incident Procedures, and convene your Incident Response Team. Engage forensics and legal, begin the risk assessment, communicate per contracts with business associates, and document every action to support notifications and remediation.
