Breach Notification Procedure

Purpose: Establish procedures for responding to and reporting breaches of Protected Health Information (PHI).

Definitions

Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA that compromises the security or privacy of the PHI.

Unsecured PHI: PHI that is not secured through encryption or destruction that renders it unusable, unreadable, or indecipherable.

Discovery: The first day on which any employee, contractor, or agent knows or reasonably should have known of a breach.

Breach Assessment

Initial Risk Assessment

Upon discovery of a potential breach, conduct an immediate risk assessment:

Factors to Consider:

Nature and extent of PHI involved
Unauthorized person who accessed/received PHI
Whether PHI was actually acquired or viewed
Extent to which risk has been mitigated

Risk Levels:

Low Risk (Notification May Not Be Required):

Limited disclosure to authorized individual
PHI not sensitive
Low probability of re-identification
Immediate mitigation successful

High Risk (Notification Required):

Large number of individuals affected
Sensitive PHI exposed (SSN, financial, medical conditions)
PHI accessed by malicious actor
Public disclosure
No mitigation possible

Documentation Requirements

Breach Investigation Record:

Date and time of discovery
Description of breach
Type and amount of PHI involved
Number of individuals affected
Individuals/systems that accessed PHI
Investigation findings
Mitigation actions taken
Risk assessment conclusion

Notification Timelines

Individual Notification

Timeline: Within 60 days of breach discovery

Method:

First-class mail to last known address
Email if patient has agreed to electronic notification
Substitute notice if contact information insufficient:
- Web site posting for 90 days
- Major media notice (if 10+ individuals in jurisdiction)

Required Contents:

Brief description of breach
Types of PHI involved
Steps individuals should take to protect themselves
What the organization is doing to investigate and mitigate
Contact information for questions

Template:

HHS Notification (Office for Civil Rights)

500+ Individuals:

Within 60 days of discovery
Submit via HHS Breach Portal: https://ocrportal.hhs.gov/

Fewer than 500 Individuals:

Annual notification
Submit within 60 days of calendar year end
Aggregate all breaches from the year

Required Information:

Name of covered entity
Contact information
Business associate involved (if applicable)
Number of individuals affected
Date of breach
Date of discovery
Description of breach
Types of PHI involved
Actions taken in response

Media Notification

Required When:

Breach affects 500+ residents of a state or jurisdiction

Timeline:

Within 60 days of discovery

Method:

Prominent media outlet in affected jurisdiction
Press release via PR wire service
Organization website posting

Response Procedures

Immediate Actions (Within 24 Hours)

Containment:

Disable compromised accounts
Revoke exposed credentials
Block malicious IP addresses
Isolate affected systems
Preserve evidence for investigation

Notification:

Notify Privacy Officer immediately
Notify Security Officer
Notify Legal Counsel
Document discovery time and actions

Investigation (Within 72 Hours)

Forensic Analysis:

Review audit logs:
Identify affected individuals:
Determine PHI exposed:
- Review accessed records
- Check exported data
- Analyze system logs
Assess root cause:
- Technical vulnerability
- Human error
- Malicious insider
- External attack

Documentation:

Complete breach investigation form
Collect evidence (logs, screenshots, emails)
Timeline of events
List of affected individuals

Remediation (Within 7 Days)

Technical Fixes:

Patch vulnerabilities
Update access controls
Deploy security enhancements
Conduct security audit

Process Improvements:

Update policies and procedures
Enhance monitoring and alerts
Additional training for staff
Third-party security assessment

Breach Categories and Examples

Common Breach Types

1. Unauthorized Access

Employee accesses records without business need
Hacker gains access to database
Lost/stolen unencrypted device

Response:

Revoke access immediately
Review all accessed records
Notify affected individuals

2. Misdirected Communication

Email sent to wrong recipient
Fax sent to wrong number
Mail sent to wrong address

Response:

Attempt to retrieve communication
Request recipient to destroy/delete
Document attempt and response

3. Improper Disposal

PHI in regular trash
Unwiped hard drives
Unsecured file deletion

Response:

Recover materials if possible
Assess likelihood of access
Enhance disposal procedures

4. Loss or Theft

Lost laptop with PHI
Stolen backup drive
Missing patient files

Response:

Report to law enforcement
Remote wipe if possible
Assess encryption status

5. Cyber Attack

Ransomware attack
SQL injection
Phishing success

Response:

Engage incident response team
Forensic analysis
Law enforcement notification
Public statement if large-scale

Exceptions to Notification

Notification Not Required If:

Encrypted Data: PHI encrypted to NIST standards and key not compromised
Destroyed Data: PHI rendered unusable/unreadable/indecipherable (e.g., shredded, degaussed)
Low Probability of Compromise:
- Unintentional acquisition/access by workforce member acting in good faith
- PHI not further used/disclosed
- Inadvertent disclosure to authorized person at same organization
- No reasonable belief PHI was retained

Documentation Required: Even if notification exception applies, document the incident and risk assessment.

Roles and Responsibilities

Privacy Officer

Oversee breach response
Conduct risk assessment
Approve notifications
Submit HHS reports
Maintain breach log

Security Officer

Lead technical investigation
Implement containment measures
Conduct forensic analysis
Deploy remediation

Legal Counsel

Assess legal obligations
Review notifications
Advise on regulatory reporting
Coordinate with law enforcement

IT Team

Preserve evidence
Analyze logs and systems
Implement technical fixes
Support investigation

Communications Team

Draft notifications
Coordinate media response
Manage public relations
Update website

Vendor Breach Notification

Business Associate Breach:

If business associate (vendor) discovers breach:

BA must notify covered entity within 60 days
BA provides:
- Identification of affected individuals
- Description of breach
- Recommendations for notification
Covered entity responsibilities:
- Conduct own risk assessment
- Notify affected individuals (CE responsibility)
- Notify HHS
- Notify media if applicable

BAA Requirements:

Breach notification obligations
Timeline for notification
Information to provide
Cooperation requirements

See: docs/compliance/BAA_TEMPLATE.md

Breach Log

Maintain Record of All Breaches:

Required Information:

Date of breach
Date of discovery
Number of individuals affected
Description of breach
Disposition (notifications sent, HHS report filed)

Retention: 6 years from creation or last effective date

Location: Secure compliance management system (organizational responsibility)

Training

All Staff Must Know:

How to recognize potential breach
Immediate reporting procedures
Contact information for Privacy/Security Officers
Importance of timely response

Annual Training Topics:

Breach definition and examples
Reporting requirements
Response procedures
Recent breach incidents (case studies)

Contact Information

Breach Response Team:

Privacy Officer: [Name, Email, Phone]
Security Officer: [Name, Email, Phone]
Legal Counsel: [Name, Email, Phone]
IT Director: [Name, Email, Phone]

External Resources:

HHS Breach Portal: https://ocrportal.hhs.gov/
HHS OCR: (800) 368-1019
FBI Cyber Division: https://www.fbi.gov/investigate/cyber
Incident Response Partner: [Vendor name and contact]

Regulatory References

HIPAA Breach Notification Rule: 45 CFR §§ 164.400-414
HHS Guidance: https://www.hhs.gov/hipaa/for-professionals/breach-notification/
Breach Notification Checklist: https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html