Breach Response Plan
HIPAA Breach Notification Rule Compliance
Effective Date: _________________ | Version: 1.0
Emergency Contacts
Privacy Officer:
Name: _________________________
Phone: _________________________
Email: _________________________
Security Officer:
Name: _________________________
Phone: _________________________
Email: _________________________
Legal Counsel:
Name: _________________________
Phone: _________________________
IT Support:
Name: _________________________
Phone: _________________________
1. Purpose
This Breach Response Plan establishes procedures for identifying, responding to, and reporting breaches of unsecured Protected Health Information (PHI) in compliance with the HIPAA Breach Notification Rule (45 CFR 164.400-414). The goal is to minimize harm to affected individuals and ensure timely notification as required by law.
2. What Constitutes a Breach
A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the information. Any such impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the organization demonstrates, through the risk assessment in Phase 3, that there is a low probability that the PHI has been compromised. PHI is "unsecured" if it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method specified in HHS guidance (encryption consistent with NIST guidelines, or destruction). Loss of a device whose PHI was encrypted, where the decryption key was not also compromised, is therefore not a reportable breach, but the encryption status and key handling must be verified and documented rather than assumed.
2.1 Exceptions (Not Considered Breaches)
- Unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of the organization, made in good faith and within the scope of authority, provided the PHI is not further used or disclosed in a manner not permitted
- Inadvertent disclosure by a person authorized to access PHI at the organization to another person authorized to access PHI at the same organization (or organized health care arrangement), provided the PHI is not further used or disclosed in a manner not permitted
- Disclosure where the organization has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information
Document the basis for applying any exception; the organization bears the burden of proving that an exception applied.
3. Breach Response Team
| Role | Responsibilities |
|---|---|
| Privacy Officer (Team Lead) | Leads response effort, coordinates notifications, documents all actions, reports to management |
| Security Officer | Investigates technical aspects, implements containment, preserves evidence |
| Legal Counsel | Advises on legal obligations, reviews notifications, manages regulatory communications |
| IT Team | Contains breach, collects technical evidence, implements remediation |
| Communications | Drafts notifications, handles media inquiries, manages public relations |
4. Response Procedures
Phase 1: Identification (0-24 Hours)
- Receive and document the initial breach report (from a workforce member, a business associate, a patient, or security monitoring)
- Record the date of discovery: the first day the incident was known, or by exercising reasonable diligence would have been known, to any workforce member or agent other than the person who committed the breach. All notification deadlines run from this date, not from the date the breach is confirmed
- Activate the Breach Response Team
- Conduct a preliminary assessment to confirm that PHI was involved and that the use or disclosure was impermissible
- Identify the type and scope of PHI involved
- Determine the number of individuals affected and their states of residence (per-state counts drive the media notification requirement and state notification laws)
- Begin documenting all actions and decisions
Phase 2: Containment (24-72 Hours)
- Isolate affected systems to prevent further exposure
- Revoke or reset compromised access credentials, sessions, and tokens
- Preserve evidence (system and access logs, disk images, copies of the misdirected email or file) before remediation alters or overwrites it
- Implement temporary security measures
- Engage forensic investigators if needed
- Where PHI was sent to an unintended recipient, obtain written assurance that it was destroyed or returned and not further used; this feeds the mitigation factor in Phase 3
- Document containment actions
Phase 3: Risk Assessment (Within 7 Days)
Unless an exception in Section 2.1 applies, conduct and document a risk assessment considering at least these four factors (45 CFR 164.402):
- Nature and extent of the PHI involved: types of identifiers, sensitivity of the clinical or financial information, and likelihood of re-identification
- Unauthorized person: who used the PHI or to whom it was disclosed (e.g., another HIPAA-covered entity versus an unknown external party)
- Actual acquisition or viewing: whether the PHI was actually acquired or viewed, or only exposed (e.g., forensic evidence that a stolen laptop was never powered on)
- Mitigation: the extent to which the risk to the PHI has been mitigated (e.g., a signed attestation of destruction from the recipient)
Document the assessment and its conclusion. If the organization concludes there is a low probability that the PHI has been compromised, record the rationale in detail; the burden of proof is on the organization, and this documentation must be retained for six years. If low probability cannot be demonstrated, treat the incident as a breach and proceed to Phase 4.
Phase 4: Notification (Without Unreasonable Delay, No Later Than 60 Calendar Days After Discovery)
If the breach is confirmed, notify the following. Sixty days is an outer limit, not a safe harbor: waiting until day 60 without reason is itself a violation, and the clock runs from the date of discovery recorded in Phase 1, not from confirmation or from the end of the investigation.
| Notify | Deadline | Method |
|---|---|---|
| Affected individuals (or next of kin / personal representative if the individual is deceased) | Without unreasonable delay, no later than 60 calendar days after discovery | Written notice by first-class mail to the last known address, or by email if the individual has agreed to electronic notice; telephone in addition where misuse of the PHI is imminent |
| Substitute notice (contact information insufficient or out of date for 10 or more individuals) | Same as individual notice | Conspicuous posting on the organization's website home page for 90 days, or notice in major print or broadcast media where the individuals likely reside, with a toll-free number active for at least 90 days |
| HHS Secretary | 500 or more individuals: same clock as individual notice. Fewer than 500: log the breach and report it within 60 days after the end of the calendar year in which it was discovered | HHS Breach Portal |
| Media (more than 500 residents of a single state or jurisdiction) | Without unreasonable delay, no later than 60 calendar days after discovery | Notice to prominent media outlets serving that state or jurisdiction (e.g., press release) |
| State Attorney General and other state regulators | Per state law; some states set 30- or 45-day deadlines and require separate regulator notice | Per state requirements |
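The threshold and deadline logic in the table above, as an added worked example that is not part of the original plan: given the discovery date and a per-state count of affected individuals, the helper returns who must be notified and the latest permissible date. It shows the two edge cases most often got wrong, the "500 or more" (HHS) versus "more than 500 residents of one state" (media) thresholds, and the annual-log deadline for small breaches. The dataclass field names and the sample breach records are assumptions constructed for illustration.

```python
"""Notification obligation calculator for the HIPAA Breach Notification Rule.

Added example, not part of the original plan. Encodes 45 CFR 164.404-164.408:
  - individuals: without unreasonable delay, no later than 60 calendar days after discovery
  - HHS: 500 or more individuals -> same 60-day clock via the breach portal;
         fewer than 500 -> annual log, due 60 days after the end of the calendar year of discovery
  - media: more than 500 residents of a single state or jurisdiction -> same 60-day clock
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

NOTIFY_WINDOW_DAYS = 60      # outer limit; "without unreasonable delay" still governs
HHS_IMMEDIATE_MIN = 500      # "500 or more individuals" (164.408(b))
MEDIA_MIN_EXCLUSIVE = 500    # "more than 500 residents" (164.406(a)); exactly 500 does not trigger


@dataclass
class BreachFacts:
    """Facts gathered in Phases 1-3. Field names are assumptions for this example."""
    discovered: date                          # first day known, or should have been known
    affected_by_state: dict[str, int]         # state/jurisdiction -> affected residents
    phi_encrypted_key_safe: bool = False      # encrypted per HHS guidance, key not compromised
    low_probability_documented: bool = False  # four-factor assessment rebutted the presumption

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


@dataclass
class Obligation:
    recipient: str
    deadline: date
    method: str


def build_facts(discovered_iso: str, affected_by_state: dict[str, int], **flags: bool) -> BreachFacts:
    """Convenience constructor taking an ISO date string such as '2024-03-10'."""
    return BreachFacts(date.fromisoformat(discovered_iso), dict(affected_by_state), **flags)


def annual_log_deadline(discovered: date) -> date:
    """Small-breach (<500) HHS report: 60 days after the end of the calendar year of discovery.
    This lands on 1 March, or 29 February when the following year is a leap year."""
    return date(discovered.year, 12, 31) + timedelta(days=NOTIFY_WINDOW_DAYS)


def notification_obligations(facts: BreachFacts) -> list[Obligation]:
    """Return every party that must be notified, with the latest permissible date."""
    # Encrypted PHI is not "unsecured", and a documented low-probability finding rebuts
    # the presumption of breach; in either case the Rule imposes no notification duty.
    if facts.phi_encrypted_key_safe or facts.low_probability_documented:
        return []

    outer_limit = facts.discovered + timedelta(days=NOTIFY_WINDOW_DAYS)
    obligations = [
        Obligation("affected individuals", outer_limit,
                   "first-class mail, or email if the individual agreed to electronic notice"),
    ]

    if facts.total_affected >= HHS_IMMEDIATE_MIN:
        obligations.append(Obligation("HHS Secretary", outer_limit,
                                      "HHS breach portal, contemporaneous with individual notice"))
    else:
        obligations.append(Obligation("HHS Secretary", annual_log_deadline(facts.discovered),
                                      "log now; submit via the HHS breach portal after year end"))

    # Media notice is per state: 1,200 people spread across several states may trigger none.
    for state, count in sorted(facts.affected_by_state.items()):
        if count > MEDIA_MIN_EXCLUSIVE:
            obligations.append(Obligation(f"prominent media outlets serving {state}", outer_limit,
                                          f"{count} residents affected (more than {MEDIA_MIN_EXCLUSIVE})"))
    return obligations


if __name__ == "__main__":
    # Constructed sample: 1,200 people, HHS portal required, but no single state exceeds 500.
    sample = build_facts("2024-03-10", {"CA": 500, "NY": 450, "TX": 250})
    for ob in notification_obligations(sample):
        print(f"{ob.deadline}  {ob.recipient}: {ob.method}")
```

The output is the latest permissible date for each party; the plan's own requirement remains to notify as soon as the facts are established, and state law may impose shorter deadlines that this helper does not model.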
5. Notification Content
Individual notifications must be written in plain language and include:
- A brief description of what happened, including the date of the breach and the date of discovery, if known
- A description of the types of unsecured PHI involved (e.g., full name, Social Security number, date of birth, home address, account number, diagnosis, disability code)
- Steps individuals should take to protect themselves from potential harm
- A brief description of what the organization is doing to investigate the breach, mitigate harm to individuals, and protect against further breaches
- Contact procedures for questions, which must include a toll-free telephone number, an email address, website, or postal address
6. Post-Breach Actions
- Conduct root cause analysis
- Implement corrective actions to prevent recurrence
- Update security policies and procedures
- Provide additional workforce training
- Review and update the organization's Security Rule risk analysis and risk management plan to address the weakness that led to the breach
- Document lessons learned
- Consider offering credit monitoring/identity protection services