🚨 HIPAA Breach Response Playbook

Responsible: Security Officer leads containment; Privacy Officer is notified; Incident Response Team activated; Executive sponsor notified within 4 hours of confirmed incident

• ● Activate the incident response team and notify the Security Officer and Privacy Officer
• ● Contain the incident to prevent further unauthorized access or disclosure (disable compromised accounts, isolate affected systems, change passwords, revoke vendor access if applicable)
• ● Preserve all evidence: do NOT modify, delete, or power off affected systems until forensic evidence is preserved
• ● Begin an incident timeline log documenting every action taken, by whom, and when
• ● If the incident involves a crime (theft, hacking, extortion), notify law enforcement as appropriate
• ● Activate outside resources if needed: forensics firm, outside legal counsel, public relations firm

Responsible: Security Officer leads investigation; IT security team or external forensics firm conducts technical analysis; Privacy Officer assesses PHI scope; Legal counsel advises throughout

• ● Conduct a thorough investigation to determine: what happened, when it happened, what PHI was involved, how many individuals were affected, who had unauthorized access, and whether PHI was actually viewed or acquired
• ● Identify all affected systems and data repositories
• ● Determine the types of PHI involved (names, SSNs, diagnoses, financial information, etc.)
• ● Determine the number of affected individuals (this determines notification obligations)
• ● Interview relevant personnel and review access logs, system logs, and security camera footage
• ● Engage digital forensics experts for complex incidents (ransomware, sophisticated hacking, unknown attack vectors)
• ● Determine if the PHI was encrypted or otherwise unsecured (if encrypted per HHS guidance, it is NOT a breach)

Responsible: Privacy Officer leads the risk assessment with input from Security Officer, legal counsel, and investigation team; Compliance Committee or executive leadership reviews and approves the determination

• ● Conduct the HIPAA 4-factor risk assessment to determine if the impermissible use or disclosure constitutes a breach requiring notification
• ● Factor 1: Assess the nature and extent of the PHI involved — what types of identifiers and clinical information were exposed? Highly sensitive data (SSNs, financial data, HIV status, mental health) increases risk.
• ● Factor 2: Assess who the unauthorized person was — was it an internal workforce member, a Business Associate, an unknown external party, or a known criminal organization? An internal person may be lower risk than an unknown external party.
• ● Factor 3: Assess whether the PHI was actually acquired or viewed — was there evidence of actual access, or was the data merely exposed? Did the unauthorized party have the means and motive to use the data?
• ● Factor 4: Assess the extent to which the risk has been mitigated — has the PHI been recovered? Has the unauthorized party provided assurances of destruction? Has the compromised system been secured?
• ● Document the risk assessment with detailed analysis of each factor and the overall determination
• ● If the assessment demonstrates a low probability that the PHI was compromised, the incident is NOT a breach and notification is not required (but document the determination thoroughly)
• ● If the assessment cannot demonstrate low probability of compromise, treat it as a breach and proceed to notification

Responsible: Privacy Officer drafts notifications; Legal counsel reviews; Communications team coordinates mailing; Executive sponsor approves

• ● Prepare individual notification letters containing all required elements (see notification_requirements below)
• ● Send notifications via first-class mail to the last known address of each affected individual
• ● If the individual has agreed to receive electronic notices, email notification may be used instead of or in addition to mail
• ● If contact information is insufficient or outdated for 10 or more individuals, post a conspicuous notice on the organization's website for 90 days AND provide a toll-free number for 90 days
• ● If contact information is insufficient for fewer than 10 individuals, use alternative written notice, telephone, or other means
• ● If urgency warrants, supplement written notice with telephone or other outreach
• ● Consider offering credit monitoring and identity theft protection services if SSNs or financial information were involved

Responsible: Privacy Officer submits HHS notification; Communications team manages media relations; Legal counsel reviews all external communications; Executive spokesperson handles press inquiries

• ● For breaches affecting 500 or more individuals: submit notification to HHS via the breach portal (ocrportal.hhs.gov) within 60 days of discovery
• ● The HHS notification will be posted publicly on the 'Wall of Shame' (HHS Breach Portal) — prepare for potential media inquiries
• ● For breaches affecting fewer than 500 individuals: log the breach and submit to HHS within 60 days after the end of the calendar year in which the breach was discovered
• ● For breaches affecting 500+ residents of a single state or jurisdiction: notify prominent media outlets serving that state/jurisdiction within 60 days
• ● Prepare a media statement and FAQ document in advance of any public notification
• ● Designate a single spokesperson for all media inquiries

Responsible: Security Officer leads the post-incident review; Privacy Officer documents lessons learned; Compliance Committee reviews and approves remediation plan; Relevant department heads implement corrective actions

• ● Conduct a thorough post-incident review (lessons learned) with all incident response team members
• ● Perform root cause analysis to determine the underlying factors that allowed the breach to occur
• ● Identify specific remediation actions to prevent recurrence (technical controls, policy changes, training improvements)
• ● Update the risk analysis and risk management plan to reflect findings from the incident
• ● Update the incident response plan based on lessons learned (what worked, what did not, what needs to change)
• ● Provide targeted training to workforce members in the affected area
• ● Implement additional monitoring or controls as needed
• ● Report final incident summary and remediation plan to executive leadership and the Compliance Committee
• ● If required by a corrective action plan from OCR, implement all required actions within specified timelines