Data Breach
How to Respond to a HIPAA Breach — A Step-by-Step Guide
TL;DR
When a potential HIPAA breach is discovered, your organization has 60 days to complete a four-factor risk assessment, determine whether notification is required, and notify affected individuals, HHS, and in some cases the media. The 60-day clock starts on the date of discovery — not when your investigation concludes. Acting immediately and documenting everything are the two most important things you can do.
A complete guide to HIPAA breach response — from the moment of discovery through notification to HHS, individuals, and media. Includes the four-factor risk assessment, deadlines, and role-specific responsibilities.
A potential HIPAA breach is one of the highest-pressure situations a healthcare organization faces. The steps you take in the first hours and days after discovery have direct consequences for your legal exposure, your patients, and your relationship with OCR. This guide walks through exactly what to do — in order.
The moment of discovery: what to do first
The most important thing to understand about breach response is that the 60-day clock starts the moment anyone at your organization knows or should have known about the incident — not when you confirm it is a breach, and not when your investigation concludes.
45 CFR §164.404(b)
When a potential breach is discovered — whether by a front desk employee, an IT administrator, or a clinical staff member — four things must happen immediately:
1. Report it internally. Every employee must know to report potential incidents to the privacy officer or designated security official immediately. A workforce member who sits on a potential breach out of fear of getting in trouble is creating a much worse situation. Document the exact date and time the incident was first discovered by anyone at your organization.
2. Contain the incident. Stop the bleeding before investigating the scope. If systems are compromised, disconnect affected devices from the network. If a physical document was improperly disclosed, attempt to retrieve it. If access credentials were compromised, disable them. Containment does not wait for investigation.
3. Preserve evidence. Do not delete logs, reset systems, or alter anything related to the incident before forensic review. Evidence preservation is critical for your four-factor risk assessment and for any OCR investigation that follows.
4. Engage your response team. Notify your privacy officer, legal counsel, and IT security immediately. For larger incidents consider engaging a HIPAA attorney before taking further action — communications made to and from legal counsel may be protected by attorney-client privilege, which can be valuable if OCR investigates.
Warning
Do not wait until you are certain it is a breach before starting your response. HIPAA presumes any impermissible use or disclosure of unsecured PHI is a breach. You must conduct a four-factor risk assessment to determine otherwise — and that assessment takes time. Every day you wait before starting is a day off your 60-day notification window.
Step 1: Determine if PHI was involved
Before conducting the full four-factor assessment, confirm that the incident involved Protected Health Information. If no PHI was involved — for example, a security incident that only touched systems containing general business data — the HIPAA Breach Notification Rule does not apply.
PHI includes any individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. This includes paper records, electronic records, and verbal communications. It includes the fact that someone is a patient, not just their clinical information.
If PHI was involved, move to Step 2.
45 CFR §160.103
Step 2: Determine if the PHI was unsecured
HIPAA's Breach Notification Rule applies to unsecured PHI — PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption meeting NIST standards or through physical destruction.
45 CFR §164.402
If the PHI was encrypted with a valid encryption key that was not compromised, the safe harbor applies and notification is generally not required. This is one of the strongest arguments for encrypting all ePHI — a breach of encrypted data is not a notifiable breach.
If the PHI was not encrypted, move to Step 3.
The encryption safe harbor is one of the most powerful compliance tools available. If your organization encrypts all ePHI at rest and in transit, a stolen laptop or intercepted transmission does not trigger breach notification. This is why encryption investment pays off directly in breach response scenarios.
Step 3: Check for the three breach exceptions
Even if unsecured PHI was impermissibly used or disclosed, three exceptions to the breach definition exist. If any exception applies, breach notification may not be required — but the determination must be documented.
Exception 1 — Unintentional acquisition by authorized workforce member: An unintentional acquisition, access, or use of PHI by a workforce member acting in good faith within the scope of their authority, if the PHI is not further used or disclosed impermissibly. Example: a staff member who accidentally opens a misdirected email containing another patient's records and immediately closes it without reading or forwarding it.
Exception 2 — Inadvertent disclosure between authorized persons: An inadvertent disclosure between two people at the same organization who are both authorized to access PHI, if the PHI is not further used or disclosed impermissibly. Example: a nurse who accidentally sends a patient summary to the wrong provider within the same health system.
Exception 3 — Inability to retain: A disclosure to an unauthorized person where the covered entity has a good-faith belief that the unauthorized person could not have retained the information. Example: a fax sent to the wrong number where the recipient immediately confirmed by phone that they destroyed it without reading it.
Warning
These exceptions are interpreted narrowly by OCR. Exception 3 has been applied to paper faxes but is unlikely to apply to electronic disclosures — a recipient of an email containing PHI can retain it without any action. When in doubt, do not rely on an exception without legal review.
Step 4: Conduct the four-factor risk assessment
If no exception applies, you must conduct the four-factor risk assessment to determine whether there is a low probability that the PHI has been compromised. This is the analysis that determines whether notification is required.
45 CFR §164.402(2)
Factor 1 — Nature and extent of PHI involved
What types of identifiers were included? How many individuals are affected? What types of health information were involved? PHI that includes Social Security numbers, financial information, or particularly sensitive diagnoses (HIV status, mental health, substance use disorder) carries higher risk than PHI with fewer identifiers. The more sensitive the data, the higher the risk of compromise.
Factor 2 — Who accessed or could have accessed the PHI
Who is the unauthorized recipient? A misdisclosure to another covered entity carries lower risk than a disclosure to an unknown third party. A disclosure to a known individual who has provided written confirmation of destruction carries lower risk than a disclosure to a cybercriminal who specifically targeted your systems.
Factor 3 — Whether the PHI was actually acquired or viewed
Is there evidence that the unauthorized person actually accessed the PHI? For system intrusions, forensic analysis may be able to determine whether data was merely accessed versus actually exfiltrated. For a misdirected fax, did the recipient confirm they destroyed it unread? Evidence that PHI was not actually viewed significantly reduces the probability of compromise — but the burden of proof is on your organization.
Factor 4 — Extent to which risk has been mitigated
What steps have you taken to reduce the risk? Obtaining a signed confidentiality agreement from an unauthorized recipient, retrieving misdirected documents, or disabling compromised credentials all contribute to risk mitigation. Document every mitigation step with dates.
The outcome: If your four-factor assessment concludes there is a low probability that the PHI has been compromised, you are not required to send breach notifications — but you must document your assessment thoroughly. OCR may review it.
If your assessment cannot conclude low probability — or if you have any reasonable doubt — treat it as a notifiable breach and proceed to Step 5.
Step 5: Determine the scope and notify internally
Before sending external notifications, determine the full scope of the breach:
- How many individuals are affected?
- What specific PHI was involved for each individual?
- What is the date of the breach and the date of discovery?
- What systems, locations, or processes were involved?
- Has the vulnerability been contained?
Assemble a complete list of affected individuals with their last known contact information. This list drives your notification process.
Step 6: Send notifications within 60 days
If the breach is notifiable, covered entities must complete three types of notification — all within 60 days of discovery.
Individual notification
45 CFR §164.404
Notify every affected individual by first-class mail to their last known address. If the individual has agreed to electronic communication, email may be used. For individuals whose contact information is insufficient or out of date, substitute notice is required.
What the notification must include:
- A brief description of what happened and when
- A description of the PHI that was involved
- Steps individuals should take to protect themselves (credit monitoring, fraud alerts, etc.)
- What you are doing to investigate and mitigate
- Contact information including a toll-free phone number
Write the notification in plain language. Patients who receive breach notifications are often frightened and confused — clarity and empathy matter.
Substitute notice: If you have insufficient contact information for 10 or more individuals, post a conspicuous notice on your website for at least 90 days, or provide notice through major print or broadcast media in the geographic area where the affected individuals likely reside.
HHS notification
45 CFR §164.408
Breaches affecting 500 or more individuals: Report to HHS immediately — at the same time as individual notification — through the HHS breach portal at ocrportal.hhs.gov. These breaches are published publicly on the HHS "Wall of Shame."
Breaches affecting fewer than 500 individuals: Log the breach and include it in your annual breach report to HHS, submitted no later than 60 days after the end of the calendar year in which the breach occurred.
Media notification
45 CFR §164.406
For breaches affecting 500 or more residents of a state or jurisdiction, notify prominent media outlets serving that state or jurisdiction — at the same time as individual and HHS notification. The media notification must contain the same information as individual notification.
Step 7: Business associate responsibilities
If you are a business associate — not a covered entity — your breach notification obligation runs to the covered entity, not to individuals directly.
45 CFR §164.410
You must notify the covered entity without unreasonable delay and no later than 60 days after discovery. Your notification must include:
- The identity of each individual whose PHI was involved (to the extent known)
- A description of the PHI involved
- A description of what happened
- What mitigation steps you have taken
Check your BAA — it likely requires notification within a shorter timeframe than 60 days. Many BAAs require 72-hour or 30-day notification. Your contractual obligation may be stricter than the regulatory minimum.
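As an added example (not from this page and not medcomply.ai's Breach Notification Checker), the following Python encodes the decision sequence of Steps 1 through 4 and the notification obligations of Steps 6 and 7. The four-factor outcome is an input rather than a computation, because it is a documented judgment; the example assumes the annual HHS log deadline is keyed to the year of discovery, as §164.408(c) words it, and that a BAA's notice period is expressed in days.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

WINDOW = timedelta(days=60)  # 45 CFR 164.404(b): counted from discovery, not confirmation

@dataclass
class Incident:
    discovered: date                 # first day anyone in the org knew or should have known
    phi_involved: bool               # Step 1
    encrypted_key_intact: bool       # Step 2: NIST-grade encryption and key not compromised
    exception_applies: bool          # Step 3: one of the three 164.402 exceptions, documented
    low_probability: bool            # Step 4: four-factor assessment concluded low probability
    affected: int = 0
    residents_by_state: Dict[str, int] = field(default_factory=dict)
    insufficient_contact: int = 0    # individuals with missing or stale addresses
    business_associate: bool = False
    baa_days: Optional[int] = None   # contractual notice period from the BAA, if any (assumed in days)

def is_notifiable(inc: Incident) -> bool:
    """Steps 1-4: an impermissible use or disclosure of PHI is presumed a breach
    unless one documented off-ramp (no PHI, safe harbor, exception, low probability) applies."""
    return (inc.phi_involved and not inc.encrypted_key_intact
            and not inc.exception_applies and not inc.low_probability)

def obligations(inc: Incident) -> dict:
    """Steps 6-7: who must be notified and the latest date for each notice."""
    if not is_notifiable(inc):
        # No notices go out, but the assessment itself must be written up; OCR may ask for it.
        return {"notify": False, "document_assessment": True}
    outer = inc.discovered + WINDOW
    if inc.business_associate:
        # Duty runs to the covered entity; the BAA may shorten the regulatory window.
        by = outer
        if inc.baa_days is not None:
            by = min(outer, inc.discovered + timedelta(days=inc.baa_days))
        return {"notify": True, "covered_entity_by": by}
    year_end = date(inc.discovered.year, 12, 31)  # annual log: 60 days after year of discovery ends
    return {
        "notify": True,
        "individuals_by": outer,
        # 10+ unreachable individuals: 90-day website notice or major media instead
        "substitute_notice": inc.insufficient_contact >= 10,
        # 500+ affected: HHS portal at the same time as individuals; otherwise annual log
        "hhs_by": outer if inc.affected >= 500 else year_end + WINDOW,
        "hhs_annual_log": inc.affected < 500,
        # 500+ residents of any one state or jurisdiction: prominent media there too
        "media_states": sorted(s for s, n in inc.residents_by_state.items() if n >= 500),
    }
```

The dates it returns are regulatory outer limits; a BAA or a state law (see below) can require notice sooner.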
Step 8: Document everything
OCR's enforcement pattern makes one thing clear: organizations that cannot produce documentation of their breach response face far worse outcomes than those that can. Your breach response documentation should include:
- The date and time of discovery and by whom
- A complete timeline of response actions
- The four-factor risk assessment with supporting evidence
- Copies of all notifications sent with dates
- Evidence of HHS portal submission
- Corrective action steps taken to prevent recurrence
- All legal and privacy officer communications
Retain all breach documentation for six years from the date of creation or the date it was last in effect — whichever is later.
45 CFR §164.316(b)(2)
Role-specific responsibilities
Privacy officer / compliance officer: Lead the four-factor risk assessment. Coordinate legal counsel engagement. Oversee notification drafting and delivery. File with HHS. Maintain the breach log. Direct corrective action.
IT / security team: Contain the incident immediately. Preserve forensic evidence. Conduct technical investigation. Identify scope of PHI accessed. Implement technical remediation.
Legal counsel: Advise on the applicability of the encryption safe harbor and the breach exceptions. Review notification letters. Assess state law requirements. Advise on OCR response strategy if an investigation follows.
Executive leadership: Authorize resources for response. Approve notification communications. Engage cyber insurance carrier immediately. Prepare for potential OCR inquiry.
Front desk / administrative staff: Report any suspected incidents immediately. Cooperate with the investigation. Do not discuss the incident with patients, media, or unauthorized personnel.
State law considerations
HIPAA breach notification requirements exist alongside — not instead of — state breach notification laws. Many states impose:
- Shorter deadlines — California requires notification in the most expedient time possible. Several states require notification within 30 days or less.
- Broader definitions — Some state laws cover categories of information beyond HIPAA PHI.
- Additional requirements — Some states require credit monitoring offers, attorney general notification, or specific notification formats.
New Jersey specifically requires notification to the Division of State Police in addition to individuals for breaches of computerized records. If you operate in New Jersey or serve New Jersey residents, ensure your breach response procedures address this requirement.
What happens if OCR investigates
If your breach affects 500 or more individuals, OCR will receive your report and may open an investigation. OCR investigations typically request:
- Your breach response documentation
- Your most recent risk analysis
- Evidence of risk management actions
- Your policies and procedures
- Workforce training records
Organizations with documented compliance programs — even imperfect ones — consistently receive more favorable treatment than those that have not been managing compliance proactively. A well-documented breach response that demonstrates good-faith action can be the difference between a corrective action plan and a significant civil money penalty.
Note
Use medcomply.ai's Breach Notification Checker tool to walk through the four-factor risk assessment for any specific incident. The tool generates a downloadable incident assessment report you can include in your breach response documentation.
The 60-day clock starts at discovery, not at the conclusion of your investigation. Document the discovery date immediately, contain the incident, engage legal counsel, and begin your four-factor assessment — all within the first 24-48 hours. Every action you take after that should be documented with dates and responsible parties. Your documentation is your defense.
Sources & citations
- 45 CFR §§164.400-414 — Breach Notification Rule
- HHS OCR Breach Notification Guidance
- 45 CFR §164.402 — Definition of Breach
- 45 CFR §164.404 — Individual Notification
- 45 CFR §164.408 — HHS Notification
All content verified against official HHS guidance and the Code of Federal Regulations.
Frequently asked questions
- When does the 60-day breach notification clock start?
- What is the four-factor risk assessment?
- Do we have to notify affected individuals even if we don't know who they all are?
- What is the difference between a breach and a security incident?
- Does a business associate have to notify patients directly?
- What should our breach notification letter to patients include?
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.