Breach Notification and Incident Response Plan

Regulatory basis: 45 CFR 164.308(a)(6) requires policies and procedures to address security incidents. 45 CFR 164.402-414 (Breach Notification Rule) defines breach, establishes notification requirements, and sets timelines.

Definitions

Security Incident

45 CFR 164.304

The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Breach

45 CFR 164.402

The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule (Subpart E) which compromises the security or privacy of the PHI. An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates a low probability that the PHI has been compromised based on a risk assessment of at least the four factors below. The notification provisions apply to unsecured PHI, i.e., PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance (for example, encryption consistent with that guidance).

Breach Risk Assessment (Four-Factor Test)

Per 45 CFR 164.402(2), when an impermissible use or disclosure occurs, the following four factors must be assessed to determine whether there is a low probability that PHI has been compromised:

Factor 1

The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.

Factor 2

The unauthorized person who used the PHI or to whom the disclosure was made.

Factor 3

Whether the PHI was actually acquired or viewed.

Factor 4

The extent to which the risk to the PHI has been mitigated.

Incident Response Phases

Phase 1: Detection and Reporting

  • Establish reporting channels for workforce members to report suspected incidents
  • Monitor audit logs, intrusion detection systems, and access reports
  • Document the date and time the incident was discovered -- this starts the notification clock. Under 45 CFR 164.404(a)(2), a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent other than the person who committed the breach, so a delayed internal report does not delay the clock
  • Assign an incident handler to coordinate the response

Phase 2: Investigation and Containment

  • Determine the scope: what systems, what data, how many individuals affected
  • Contain the incident to prevent further unauthorized access
  • Preserve evidence for potential law enforcement involvement
  • Conduct the four-factor breach risk assessment per 45 CFR 164.402(2)
  • Involve legal counsel to evaluate notification obligations

Phase 3: Notification

If the four-factor test does not demonstrate a low probability of compromise, breach notification is required. The entity bears the burden of demonstrating that all required notifications were made or that the use or disclosure did not constitute a breach (45 CFR 164.414(b)). If a law enforcement official states that notification would impede a criminal investigation or damage national security, notification is delayed as provided in 45 CFR 164.412.

Individual Notice (45 CFR 164.404)

Written notice to each affected individual without unreasonable delay, and in no case later than 60 calendar days after discovery. Must include: a brief description of the breach, including the date of the breach and the date of discovery if known; the types of unsecured PHI involved; steps individuals should take to protect themselves; what the entity is doing to investigate, mitigate harm, and prevent recurrence; and contact procedures (a toll-free number, email address, website, or postal address). Where contact information is insufficient or out of date, the substitute notice provisions of 45 CFR 164.404(d)(2) apply.

HHS Notification (45 CFR 164.408)

Breaches affecting 500 or more individuals: notify the Secretary of HHS contemporaneously with individual notice. Breaches affecting fewer than 500 individuals: maintain a log and submit it to the Secretary not later than 60 days after the end of the calendar year in which the breaches were discovered.

Media Notice (45 CFR 164.406)

Breaches involving more than 500 residents of a state or jurisdiction: provide notice to prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 calendar days after discovery. Note that this threshold (more than 500 residents of one state or jurisdiction) differs from the HHS threshold (500 or more individuals in total), so a breach may trigger contemporaneous HHS notice without triggering media notice, or vice versa.

Business Associate Notification (45 CFR 164.410)

A business associate that discovers a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, and must identify, to the extent possible, each individual whose PHI was involved. The covered entity's own notification clock then runs from the covered entity's discovery, so business associate agreements should require prompt notice rather than relying on the full 60 days.

Phase 4: Remediation and Post-Incident Review

  • Implement corrective actions to address the root cause
  • Update the risk assessment to reflect the incident and remediation
  • Revise policies and procedures as needed
  • Conduct workforce retraining if the incident resulted from human error
  • Document all actions taken and retain records per 45 CFR 164.316(b)(2)(i)
  • Apply sanctions per 45 CFR 164.308(a)(1)(ii)(C) if workforce members violated policies

Exceptions to Breach Notification

Under 45 CFR 164.402(1), the following do not constitute a breach:

  • Unintentional acquisition, access, or use by a workforce member or person acting under authority, made in good faith within the scope of authority, and without further impermissible use or disclosure.
  • Inadvertent disclosure by an authorized person to another authorized person at the same entity or an organized health care arrangement, and the information is not further used or disclosed impermissibly.
  • Good faith belief that the unauthorized person would not reasonably have been able to retain the information.

Key Timelines

Action                                  Deadline
Individual notification                 Without unreasonable delay; no later than 60 calendar days after discovery
HHS notification (500 or more)          Contemporaneous with individual notice
HHS notification (fewer than 500)       Log submitted no later than 60 days after end of the calendar year of discovery
Media notification (more than 500       Without unreasonable delay; no later than 60 calendar days after discovery
  residents of a state/jurisdiction)
BA notification to CE                   Without unreasonable delay; no later than 60 calendar days after BA discovery
Documentation retention                 6 years from creation or from the date last in effect, whichever is later