HIPAA Breach Response Plan
Organization Name: [________________________________]
Plan Version: [____]
Effective Date: [__/__/____]
Last Reviewed: [__/__/____]
Plan Owner: [________________________________] (Privacy Officer)
Classification: Confidential — Internal Use Only
SECTION 1: PURPOSE AND SCOPE
1.1 Purpose
This Breach Response Plan ("Plan") establishes comprehensive procedures for responding to breaches of unsecured protected health information ("PHI") as required by the HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414. This Plan governs the Organization's process for investigating potential breaches, conducting risk assessments, making breach determinations, and fulfilling all notification obligations to affected individuals, the U.S. Department of Health and Human Services ("HHS"), the media, and state regulators.
1.2 Scope
This Plan applies to:
- All breaches and potential breaches of unsecured PHI, whether in electronic, paper, or oral form
- All workforce members (employees, volunteers, trainees, contractors)
- All business associates and subcontractors
- All locations and systems where PHI is created, received, maintained, or transmitted
1.3 Relationship to Security Incident Response Plan
This Breach Response Plan addresses the regulatory notification obligations that arise when a security incident results in a breach of unsecured PHI. The Organization's HIPAA Security Incident Response Plan governs the technical detection, containment, eradication, and recovery processes. These two plans operate in parallel, and the transition from incident response to breach response occurs when the Privacy Officer determines that PHI may have been compromised.
SECTION 2: KEY DEFINITIONS
2.1 Breach
"Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI. (45 C.F.R. § 164.402(1))
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on the four-factor risk assessment. (45 C.F.R. § 164.402(2))
2.2 Exceptions to the Definition of Breach
The following are NOT breaches under 45 C.F.R. § 164.402(1):
(i) Unintentional Workforce Access: Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority, and does not result in further use or disclosure not permitted by the Privacy Rule.
(ii) Inadvertent Disclosure Between Authorized Persons: Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, and the information is not further used or disclosed in a manner not permitted by the Privacy Rule.
(iii) Good-Faith Belief of Non-Retention: A disclosure of PHI where a covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
2.3 Unsecured PHI
"Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS guidance. (45 C.F.R. § 164.402(2))
Encryption Safe Harbor: PHI is considered "secured" (and therefore not subject to breach notification) if it is encrypted using methods consistent with NIST standards:
- Data at rest: Encryption consistent with NIST SP 800-111 (Guide to Storage Encryption Technologies), using algorithms validated under FIPS 140-2/140-3 (e.g., AES-128, AES-256)
- Data in motion: Encryption consistent with NIST SP 800-52 (TLS), SP 800-77 (IPsec VPNs), or SP 800-113 (SSL VPNs), using FIPS 140-2/140-3 validated processes
Destruction Safe Harbor: PHI is considered "secured" if it has been destroyed such that it cannot be read or reconstructed:
- Paper: Shredding, burning, pulping, or pulverizing
- Electronic media: Clearing, purging, or destroying consistent with NIST SP 800-88 (Guidelines for Media Sanitization)
2.4 Discovery of a Breach
A breach is treated as "discovered" as of the first day on which such breach is known to the covered entity or business associate, or, by exercising reasonable diligence, would have been known to the covered entity or business associate. (45 C.F.R. § 164.404(a)(2))
Knowledge Imputation: A covered entity or business associate is deemed to have knowledge of a breach if any workforce member (other than the individual who committed the breach) knew or should have known of the breach through the exercise of reasonable diligence.
Important: The discovery date starts the 60-day notification clock, regardless of whether the investigation is complete.
2.5 Security Incident vs. Breach
| | Security Incident | Breach |
|---|---|---|
| Definition | Attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations | Acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule that compromises the security or privacy of the PHI |
| PHI Required? | No — applies to all information and system operations | Yes — only applies to unsecured PHI |
| Notification Required? | Internal reporting and documentation | Individual, HHS, and potentially media notification |
| Governing Rule | Security Rule (§ 164.308(a)(6)) | Breach Notification Rule (§§ 164.400-414) |
SECTION 3: BREACH RESPONSE TEAM
3.1 Team Composition and Roles
| Role | Name | Contact | Responsibilities |
|---|---|---|---|
| Privacy Officer (Team Lead) | [________________] | [________________] | Leads breach response; conducts risk assessment; determines notification obligations |
| Security Officer | [________________] | [________________] | Leads technical investigation; coordinates with Security Incident Response Plan |
| Legal Counsel | [________________] | [________________] | Advises on legal obligations; reviews notifications; coordinates with regulators |
| IT Director / CISO | [________________] | [________________] | Supports technical investigation; provides forensic data |
| Communications / PR | [________________] | [________________] | Drafts external communications; manages media inquiries |
| Compliance Officer | [________________] | [________________] | Ensures regulatory compliance; documents corrective actions |
| Human Resources | [________________] | [________________] | Addresses workforce-related incidents; coordinates discipline |
| Department Manager(s) | [________________] | [________________] | Provides operational context; supports investigation |
| External Forensics | [________________] | [________________] | Conducts forensic analysis as needed |
SECTION 4: BREACH RESPONSE PROCEDURES
Phase 1: Detection and Initial Response
Step 1: Receive and Log Report
☐ Receive report of potential breach through established channels (workforce report, BA notification, patient complaint, technical alert, external notification)
☐ Assign incident tracking number: [________________________________]
☐ Record date and time of report: [__/__/____] at [____:____]
☐ Record name and role of reporter: [________________________________]
☐ Initial description of potential breach: [________________________________]
Step 2: Determine Discovery Date
The "discovery date" is the earlier of:
☐ The date the potential breach was actually reported to the Privacy Officer
☐ The date the breach should have been discovered through reasonable diligence
Discovery Date Determination: [__/__/____]
CRITICAL: This date starts the 60-calendar-day clock for notification. Document the basis for this determination.
Step 3: Activate Breach Response Team
☐ Privacy Officer notifies Breach Response Team members
☐ Legal counsel engaged (assert privilege if appropriate)
☐ Coordinate with Security Incident Response Team if security incident is ongoing
☐ Notify cyber insurance carrier per policy requirements
Phase 2: Investigation
Step 4: Conduct Investigation
☐ Gather all facts regarding the incident:
- What happened? [________________________________]
- When did it happen? [________________________________]
- When was it discovered? [________________________________]
- Who was involved (workforce, BA, external)? [________________________________]
- What systems or locations were affected? [________________________________]
- What types of PHI were involved? [________________________________]
- How many individuals were affected? [________________________________]
- Was the PHI secured (encrypted/destroyed)? ☐ Yes ☐ No
☐ Review relevant logs, records, and forensic data
☐ Interview involved workforce members (coordinate with HR and legal)
☐ Obtain business associate investigation report (if BA-related)
☐ Determine whether any exception to the definition of breach applies (see Section 2.2)
Step 5: Determine if PHI Was Unsecured
☐ Was the PHI encrypted consistent with NIST standards? ☐ Yes ☐ No
☐ Was the PHI destroyed consistent with NIST SP 800-88? ☐ Yes ☐ No
☐ If encrypted, was the decryption key also compromised? ☐ Yes ☐ No
If the PHI was secured (properly encrypted with key not compromised, or properly destroyed), the Breach Notification Rule does NOT apply. Document the determination and retain for 6 years.
Phase 3: Risk Assessment
Step 6: Conduct Four-Factor Risk Assessment
Complete the HIPAA Breach Risk Assessment Worksheet (separate template) evaluating:
- Nature and extent of PHI involved — types of identifiers, sensitivity, likelihood of re-identification
- Unauthorized person who used/received PHI — identity, obligations, relationship to the individual
- Whether PHI was actually acquired or viewed — forensic evidence of access vs. mere opportunity
- Extent to which risk has been mitigated — steps taken to reduce harm (retrieval, attestation, remote wipe)
Overall Determination:
☐ Low probability of compromise — No breach notification required. Document thoroughly.
☐ Not low probability (breach presumed) — Proceed to notification.
☐ Organization elects to notify regardless — Voluntary notification. Document rationale.
Note: Under 45 C.F.R. § 164.414(b), the covered entity or business associate bears the burden of proof to demonstrate that all notifications were made or that an impermissible use or disclosure did not constitute a breach. When in doubt, treat as a breach and notify.
Phase 4: Breach Notification
Step 7: Determine Notification Obligations
| Notification Type | Trigger | Deadline | Reference |
|---|---|---|---|
| Individual Notification | Any breach of unsecured PHI | 60 calendar days from discovery | 45 C.F.R. § 164.404 |
| HHS Notification (>500) | Breach affecting 500+ individuals | 60 calendar days from discovery | 45 C.F.R. § 164.408(a) |
| HHS Notification (<500) | Breach affecting fewer than 500 individuals | Within 60 days of end of calendar year in which breach was discovered | 45 C.F.R. § 164.408(c) |
| Media Notification | Breach affecting 500+ residents of a single state or jurisdiction | 60 calendar days from discovery | 45 C.F.R. § 164.406 |
| State AG Notification | Per applicable state law | Per state law (see Section 8) | State statutes |
SECTION 5: INDIVIDUAL NOTIFICATION (45 C.F.R. § 164.404)
5.1 Content Requirements
Every individual notification must include the following five elements (45 C.F.R. § 164.404(c)):
☐ What Happened: A brief description of what happened, including the date of the breach and the date of discovery (if known)
☐ Information Involved: A description of the types of unsecured PHI involved in the breach (e.g., name, SSN, date of birth, diagnosis, treatment, insurance)
☐ What Individuals Should Do: Steps individuals should take to protect themselves from potential harm resulting from the breach
☐ What the Organization Is Doing: A brief description of what the covered entity is doing to investigate the breach, mitigate harm to individuals, and protect against further breaches
☐ Contact Information: Contact procedures, including a toll-free telephone number, email address, postal address, or website URL
5.2 Notification Methods
Primary Method — Written Notice (45 C.F.R. § 164.404(d)(1)):
☐ First-class mail to last known address of the individual
☐ If the individual has agreed to electronic notice, notification may be sent by email
Substitute Notice — When Contact Information is Insufficient or Out of Date (45 C.F.R. § 164.404(d)(2)):
| Number of Individuals with Insufficient Contact | Substitute Notice Method |
|---|---|
| Fewer than 10 individuals | Alternative written notice, telephone, or other means |
| 10 or more individuals | Conspicuous posting on Organization's website homepage for at least 90 days AND toll-free phone number active for at least 90 days |
Urgent Telephone Notice (45 C.F.R. § 164.404(d)(2)):
☐ If there is possible imminent misuse of unsecured PHI, the Organization may provide urgent notice by telephone or other means, in addition to written notice
☐ Use the HIPAA Breach Notification Call Script template
5.3 Notification Timeline
| Milestone | Date | Notes |
|---|---|---|
| Date of Breach | [__/__/____] | |
| Date of Discovery | [__/__/____] | Starts 60-day clock |
| Investigation Completed | [__/__/____] | |
| Risk Assessment Completed | [__/__/____] | |
| Breach Determination Made | [__/__/____] | |
| Notification Letters Mailed | [__/__/____] | Must be within 60 days of discovery |
| 60-Day Deadline | [__/__/____] | Absolute outer limit (absent law enforcement delay) |
| Law Enforcement Delay (if any) | [__/__/____] to [__/__/____] | Document written request |
5.4 Special Notification Circumstances
Minors: Send notification to the parent or legal guardian (follow applicable state law regarding minor consent)
Deceased Individuals: Send notification to the next of kin or personal representative of the estate (per 45 C.F.R. § 164.502(g))
Personal Representatives: Send notification to the individual's personal representative per documentation on file
Incapacitated Individuals: Send notification to the individual's personal representative or legal guardian
SECTION 6: HHS NOTIFICATION (45 C.F.R. § 164.408)
6.1 Two-Track Reporting System
Track 1 — Breaches Affecting 500 or More Individuals:
- Notify HHS without unreasonable delay and no later than 60 calendar days after discovery
- Submit through the HHS Breach Portal at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- These breaches are posted publicly on the OCR "Wall of Shame" (Breach Portal)
- See HIPAA Breach Notification — HHS template for detailed submission guide
Track 2 — Breaches Affecting Fewer Than 500 Individuals:
- Maintain a log of all such breaches during the calendar year
- Submit the annual breach report to HHS within 60 days of the end of the calendar year in which the breach was discovered (i.e., by March 1 of the following year)
- Submit through the HHS Breach Portal
- See HIPAA Breach Notification — HHS template for annual report format
6.2 HHS Notification Checklist
☐ Determine number of affected individuals: [________________________________]
☐ Determine reporting track: ☐ Track 1 (500+) ☐ Track 2 (<500)
☐ Prepare HHS submission using the HIPAA Breach Notification — HHS template
☐ Submit to HHS Breach Portal
☐ Retain confirmation of submission
☐ If Track 2, add to annual breach log for year-end reporting
☐ Prepare for potential OCR investigation (breaches of 500+ are routinely investigated)
SECTION 7: MEDIA NOTIFICATION (45 C.F.R. § 164.406)
7.1 Trigger
Media notification is required when a breach affects more than 500 residents of a state or jurisdiction. The Organization must provide notice to prominent media outlets serving the state or jurisdiction without unreasonable delay and no later than 60 calendar days from discovery.
7.2 Media Notification Checklist
☐ Determine if 500+ residents of any single state/jurisdiction are affected
☐ If yes, identify prominent media outlets in the affected state(s)/jurisdiction(s)
☐ Draft press release using the HIPAA Breach Notification — Media template
☐ Legal counsel review and approval of all media communications
☐ Issue press release to identified media outlets
☐ Post notice on Organization website
☐ Prepare spokesperson talking points and media Q&A
☐ Establish media inquiry response procedures
☐ Document all media notifications issued
SECTION 8: STATE BREACH NOTIFICATION LAW COORDINATION
8.1 Overview
State breach notification laws apply in addition to HIPAA and may impose shorter timelines, different notification content, and state attorney general notification requirements. The Organization must comply with both HIPAA and all applicable state laws.
8.2 Key State Requirements (Highlights)
California (Cal. Civ. Code § 1798.82; SB 446 effective January 1, 2026):
- Individual notification within 30 calendar days of discovery
- AG notification: If breach affects 500+ California residents, submit sample notification to the California AG within 15 days of notifying individuals
- Entities compliant with HIPAA Breach Notification Rule are deemed compliant with state notice requirements
- California AG Breach Report: https://oag.ca.gov/privacy/databreach/reporting
Texas (Tex. Bus. & Com. Code § 521.053):
- Individual notification without unreasonable delay, no later than 60 days after determination
- AG notification: If breach affects 250+ Texas residents, notify the Texas AG no later than 60 days after determination
- Texas AG Breach Report: https://www.texasattorneygeneral.gov/consumer-protection/data-breach-reporting
Florida (Fla. Stat. § 501.171 — Florida Information Protection Act):
- Individual notification within 30 days of determination of breach
- AG notification: If breach affects 500+ Florida residents, notify the Florida Department of Legal Affairs within 30 days
- Includes healthcare and medical information in definition of personal information
- Penalties: $1,000/day for first 30 days of noncompliance; $50,000 for each subsequent 30-day period; maximum $500,000
New York (N.Y. Gen. Bus. Law § 899-aa; SHIELD Act, as amended 2025):
- Individual notification within 30 days of discovery (amended December 2024/February 2025)
- AG notification: If breach affects 500+ New York residents, written notification to AG within 10 days of determination; HIPAA breaches require AG notification within 5 business days of HHS notification
- Must also notify NY Department of State and Division of State Police
- Definition of "private information" expanded to include medical and health insurance information (effective March 21, 2025)
8.3 State Notification Tracking
| State | # Residents Affected | AG Notification Required? | Deadline | Notification Date | Method |
|---|---|---|---|---|---|
| CA | [________] | ☐ Yes ☐ No | [__/__/____] | [__/__/____] | [________] |
| TX | [________] | ☐ Yes ☐ No | [__/__/____] | [__/__/____] | [________] |
| FL | [________] | ☐ Yes ☐ No | [__/__/____] | [__/__/____] | [________] |
| NY | [________] | ☐ Yes ☐ No | [__/__/____] | [__/__/____] | [________] |
| [____] | [________] | ☐ Yes ☐ No | [__/__/____] | [__/__/____] | [________] |
| [____] | [________] | ☐ Yes ☐ No | [__/__/____] | [__/__/____] | [________] |
Note: As of 2025-2026, approximately 36 states require notification to the state AG or another state agency for data breaches meeting specified thresholds. Legal counsel must review all applicable state laws based on the residency of affected individuals.
SECTION 9: BUSINESS ASSOCIATE OBLIGATIONS (45 C.F.R. § 164.410)
9.1 BA Notification to Covered Entity
Business associates must notify the covered entity of breaches of unsecured PHI without unreasonable delay and no later than 60 days after discovery (or shorter if specified in the BAA).
The BA notification must include:
☐ Identification of each individual whose unsecured PHI has been or is reasonably believed to have been breached
☐ Any other information the covered entity needs to fulfill its notification obligations
9.2 Covered Entity Responsibilities When BA Reports Breach
☐ Treat the breach as "discovered" on the date the BA notifies the covered entity (or the date the CE knew/should have known)
☐ Conduct independent investigation to verify BA's findings
☐ Perform four-factor risk assessment
☐ Determine notification obligations
☐ The covered entity (not the BA) is responsible for individual, HHS, and media notifications unless the BAA delegates this responsibility
☐ Evaluate whether the BA has fulfilled its contractual obligations
☐ Consider whether corrective action against the BA is warranted
9.3 Business Associate Breach Tracking
| BA Name | Breach Date | CE Notified | # Individuals | Investigation Status | Notifications Completed |
|---|---|---|---|---|---|
| [________________] | [__/__/____] | [__/__/____] | [________] | [________________] | ☐ Yes ☐ No |
| [________________] | [__/__/____] | [__/__/____] | [________] | [________________] | ☐ Yes ☐ No |
SECTION 10: LAW ENFORCEMENT DELAY (45 C.F.R. § 164.412)
10.1 Delay Procedures
If a law enforcement official provides a statement that notification would impede a criminal investigation or cause damage to national security:
Written Request:
☐ If the request is in writing, delay notification for the time period specified by the law enforcement official
☐ Document the written request and retain with breach records
Oral Request:
☐ If the request is oral, delay notification for no more than 30 days from the date of the oral request
☐ Document the oral request, including the date, identity of the official, and substance of the request
☐ If the law enforcement official does not provide a written follow-up within 30 days, proceed with notification
10.2 Law Enforcement Delay Documentation
| Item | Details |
|---|---|
| Law Enforcement Agency | [________________________________] |
| Official Name and Title | [________________________________] |
| Date of Request | [__/__/____] |
| Written or Oral? | ☐ Written ☐ Oral |
| Delay Period Requested | [________________________________] |
| Delay End Date | [__/__/____] |
| Revised Notification Deadline | [__/__/____] |
| Written Confirmation Received? | ☐ Yes ☐ No ☐ N/A (written from outset) |
Important: A law enforcement delay does not eliminate the notification obligation; it only postpones it. The Organization must issue notifications promptly upon expiration of the delay period.
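As an added example that is not part of this Plan (a constructed calculator, not the Organization's or any vendor's code), the following Python puts the Step 7 notification table, the two HHS reporting tracks in Section 6, and the law enforcement delay rules in Section 10 into one deadline computation. All field, function and sample names are this example's own; it also assumes, following Section 10.2, that a delay postpones every deadline to the later of the original date and the end of the delay period.

```python
# Added example (not part of the Plan): deadline calculator for the notification
# obligations in Step 7 (Section 4), Section 6 and Section 10. Names are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

NOTIFICATION_WINDOW = timedelta(days=60)   # 45 C.F.R. §§ 164.404, 164.406, 164.408(a)
ORAL_DELAY_CAP = timedelta(days=30)        # 45 C.F.R. § 164.412(b); Section 10.1


@dataclass
class BreachFacts:
    """Facts gathered in Step 4 and Section 10. Field names are this example's own."""
    discovery_date: date                 # Step 2: starts the 60-day clock
    total_individuals: int               # Step 4: how many individuals were affected
    residents_by_state: dict = field(default_factory=dict)   # e.g. {"CA": 700}
    le_request_date: Optional[date] = None          # law enforcement request, if any
    le_request_written: bool = False
    le_written_delay_until: Optional[date] = None   # period stated in a written request


def law_enforcement_delay_end(facts: BreachFacts) -> Optional[date]:
    """Section 10.1: a written request delays until the date it specifies; an oral
    request delays no more than 30 days unless a written follow-up arrives."""
    if facts.le_request_date is None:
        return None
    if facts.le_request_written and facts.le_written_delay_until is not None:
        return facts.le_written_delay_until
    return facts.le_request_date + ORAL_DELAY_CAP


def revised_deadline(original: date, facts: BreachFacts) -> date:
    """Assumption used in this example (Section 10.2): a delay postpones but never
    eliminates the obligation, so the revised deadline is the later of the original
    deadline and the end of the delay period."""
    delay_end = law_enforcement_delay_end(facts)
    return original if delay_end is None else max(original, delay_end)


def notification_deadlines(facts: BreachFacts) -> dict:
    """Return each obligation's deadline following the Step 7 table."""
    sixty_days = facts.discovery_date + NOTIFICATION_WINDOW
    # Individual notice: every breach of unsecured PHI (§ 164.404)
    individual = revised_deadline(sixty_days, facts)
    # HHS: Track 1 (500 or more) within 60 days; Track 2 (fewer than 500) within
    # 60 days of the end of the calendar year in which the breach was discovered
    track = 1 if facts.total_individuals >= 500 else 2
    if track == 1:
        hhs = revised_deadline(sixty_days, facts)
    else:
        year_end = date(facts.discovery_date.year, 12, 31)
        hhs = revised_deadline(year_end + NOTIFICATION_WINDOW, facts)
    # Media: "more than 500 residents of a state or jurisdiction" (Section 7.1,
    # § 164.406). The Step 7 table abbreviates this as "500+"; the rule text is used.
    media_states = sorted(s for s, n in facts.residents_by_state.items() if n > 500)
    media = revised_deadline(sixty_days, facts) if media_states else None
    return {"individual": individual, "hhs": hhs, "hhs_track": track,
            "media": media, "media_states": media_states}


def is_timely(sent_on: date, deadline: date) -> bool:
    """True when a notification went out on or before its deadline."""
    return sent_on <= deadline


def sample_large_breach() -> BreachFacts:
    """Constructed sample: 1,200 individuals discovered 2025-03-10, with an oral
    law enforcement request received 2025-04-25 (no written follow-up)."""
    return BreachFacts(date(2025, 3, 10), 1200, {"CA": 700, "TX": 300, "NY": 200},
                       le_request_date=date(2025, 4, 25))


def sample_small_breach() -> BreachFacts:
    """Constructed sample: 120 individuals discovered 2024-11-15, no delay."""
    return BreachFacts(date(2024, 11, 15), 120, {"FL": 120})


if __name__ == "__main__":
    for facts in (sample_large_breach(), sample_small_breach()):
        for obligation, deadline in notification_deadlines(facts).items():
            print(f"{facts.total_individuals:>5} individuals  {obligation:<13} {deadline}")
```

For the large sample the 60-day deadline of 2025-05-09 is pushed to 2025-05-25 by the oral request's 30-day cap, and only California crosses the media threshold; for the small sample the HHS deadline falls on 2025-03-01, the "March 1" shorthand used in Section 6.1 (60 days after December 31 lands on February 29 when the following year is a leap year, which is why the code computes it rather than hard-coding the date).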
SECTION 11: CREDIT MONITORING AND IDENTITY THEFT SERVICES
11.1 Decision Framework
While HIPAA does not require covered entities to offer credit monitoring or identity theft protection services, offering such services is strongly recommended when the breach involves:
☐ Social Security numbers
☐ Financial account information
☐ Driver's license or state identification numbers
☐ Medicare or Medicaid beneficiary numbers
☐ Other information that could be used for identity theft or financial fraud
11.2 Service Provisions
| Item | Details |
|---|---|
| Vendor | [________________________________] |
| Service Duration | [____] months |
| Services Included | ☐ Credit monitoring (1-bureau / 3-bureau) ☐ Identity theft insurance ☐ Identity restoration services ☐ Dark web monitoring |
| Enrollment Method | ☐ Website ☐ Phone ☐ Mail |
| Enrollment Website | [________________________________] |
| Enrollment Phone | [________________________________] |
| Activation Code | [________________________________] |
| Enrollment Deadline | [__/__/____] |
| Estimated Cost | $[________] per individual |
| Total Estimated Cost | $[________] |
SECTION 12: REMEDIATION AND CORRECTIVE ACTION
12.1 Immediate Remediation
☐ Address the root cause of the breach
☐ Implement additional safeguards to prevent recurrence
☐ Retrain workforce members involved (if human error contributed)
☐ Discipline workforce members who violated policies (coordinate with HR and legal)
☐ Review and update Business Associate Agreements if BA was involved
☐ Patch vulnerabilities or address security gaps identified during investigation
☐ Reset compromised credentials
12.2 Corrective Action Plan
| Action Item | Responsible Party | Deadline | Completion Date | Status |
|---|---|---|---|---|
| [________________________________] | [________________] | [__/__/____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
| [________________________________] | [________________] | [__/__/____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
| [________________________________] | [________________] | [__/__/____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
| [________________________________] | [________________] | [__/__/____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
| [________________________________] | [________________] | [__/__/____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
12.3 Policy and Procedure Updates
☐ Privacy policies updated: [__/__/____]
☐ Security policies updated: [__/__/____]
☐ Breach response plan updated: [__/__/____]
☐ Workforce training conducted: [__/__/____]
☐ BAA provisions reviewed and updated: [__/__/____]
SECTION 13: OCR INVESTIGATION PREPAREDNESS
13.1 Overview
Breaches affecting 500 or more individuals are routinely investigated by the HHS Office for Civil Rights ("OCR"). Smaller breaches may also be investigated based on complaints or patterns. The Organization should be prepared to respond to OCR inquiries.
13.2 OCR Investigation Process
- Data Request: OCR will send a data request letter seeking documentation of the incident, investigation, risk assessment, notification, and corrective actions
- Response: The Organization typically has 30 days to respond to the data request
- Review: OCR reviews the Organization's response for compliance
- Outcome: OCR may close the investigation, issue technical assistance, require a corrective action plan, negotiate a resolution agreement with monetary settlement, or impose civil monetary penalties
13.3 Documentation Readiness Checklist
Maintain the following documentation for OCR review:
☐ Complete incident report and investigation records
☐ Four-factor risk assessment worksheet (completed)
☐ Breach determination documentation and rationale
☐ Copies of all notification letters sent to individuals
☐ Proof of mailing / delivery of notifications
☐ HHS breach portal submission confirmation
☐ Media notification records (if applicable)
☐ State AG notification records (if applicable)
☐ Notification timeline documentation (demonstrating compliance with 60-day deadline)
☐ Law enforcement delay documentation (if applicable)
☐ Corrective action plan and implementation records
☐ Workforce training records
☐ Current HIPAA policies and procedures
☐ Most recent risk analysis and risk management plan
☐ Business Associate Agreements (if BA-related breach)
☐ Evidence of encryption or other security measures in place at time of breach
13.4 Civil Monetary Penalty Tiers (2025 Adjusted Amounts)
| Tier | Culpability | Per Violation | Annual Cap |
|---|---|---|---|
| 1 | Lack of knowledge | $145 — $73,011 | $25,000 |
| 2 | Reasonable cause (not willful neglect) | $1,461 — $73,011 | $100,000 |
| 3 | Willful neglect, corrected within 30 days | $14,602 — $73,011 | $250,000 |
| 4 | Willful neglect, not corrected | $73,011 — $2,190,294 | $1,500,000 |
Resolution Agreements: OCR frequently negotiates resolution agreements in lieu of civil monetary penalties. These typically include a monetary settlement and a corrective action plan with 2-3 years of monitoring.
SECTION 14: INSURANCE CARRIER NOTIFICATION
14.1 Cyber Insurance
| Item | Details |
|---|---|
| Carrier | [________________________________] |
| Policy Number | [________________________________] |
| Claims Hotline | [________________________________] |
| Notification Deadline | [____] hours from discovery |
| Pre-Approval Required for Vendors? | ☐ Yes ☐ No |
| Panel Forensics Firms | [________________________________] |
| Panel Breach Counsel | [________________________________] |
14.2 Professional Liability / Malpractice Insurance
| Item | Details |
|---|---|
| Carrier | [________________________________] |
| Policy Number | [________________________________] |
| Claims Hotline | [________________________________] |
14.3 Notification Checklist
☐ Cyber insurance carrier notified: Date [__/__/____]
☐ Carrier claim number: [________________________________]
☐ Carrier-approved forensics firm engaged: ☐ Yes ☐ No ☐ N/A
☐ Carrier-approved breach counsel engaged: ☐ Yes ☐ No ☐ N/A
☐ Professional liability carrier notified: Date [__/__/____]
SECTION 15: DOCUMENTATION AND RETENTION
15.1 Breach Log
The Organization shall maintain a log of all breaches of unsecured PHI, regardless of size. This log serves as the basis for the annual HHS report of breaches affecting fewer than 500 individuals.
| # | Discovery Date | Breach Date | Type | # Individuals | PHI Types | Notification Date | HHS Reported |
|---|---|---|---|---|---|---|---|
| [__] | [__/__/____] | [__/__/____] | [________] | [________] | [________] | [__/__/____] | ☐ Yes ☐ Pending |
| [__] | [__/__/____] | [__/__/____] | [________] | [________] | [________] | [__/__/____] | ☐ Yes ☐ Pending |
| [__] | [__/__/____] | [__/__/____] | [________] | [________] | [________] | [__/__/____] | ☐ Yes ☐ Pending |
15.2 Retention Requirements
Per 45 C.F.R. § 164.530(j), all documentation related to this Breach Response Plan, including breach investigations, risk assessments, notification records, and corrective actions, must be retained for a minimum of six (6) years from the date of creation or the date when it was last in effect, whichever is later.
Note: State law, litigation hold obligations, and insurance policy requirements may mandate longer retention. Consult legal counsel.
SECTION 16: PLAN MAINTENANCE AND TESTING
16.1 Review Schedule
This Plan shall be reviewed and updated:
☐ Annually (at minimum)
☐ After every breach or significant security incident
☐ When changes to HIPAA regulations or OCR guidance are published
☐ When significant changes occur to the Organization's operations or IT infrastructure
☐ When state breach notification laws change
☐ After each tabletop exercise
16.2 Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| [____] | [__/__/____] | [________________] | [________________________________] |
| [____] | [__/__/____] | [________________] | [________________________________] |
SECTION 17: PLAN APPROVAL
This Breach Response Plan has been reviewed and approved by:
Privacy Officer:
Name: [________________________________]
Signature: ______________________________
Date: [__/__/____]
Security Officer:
Name: [________________________________]
Signature: ______________________________
Date: [__/__/____]
Legal Counsel:
Name: [________________________________]
Signature: ______________________________
Date: [__/__/____]
Executive Leadership:
Name: [________________________________]
Title: [________________________________]
Signature: ______________________________
Date: [__/__/____]
SECTION 18: CROSS-REFERENCE TO RELATED TEMPLATES
This Breach Response Plan works in conjunction with the following Organization documents:
- HIPAA Security Incident Response Plan — Technical incident detection, containment, eradication, and recovery
- HIPAA Breach Risk Assessment Worksheet — Four-factor risk assessment documentation
- HIPAA Breach Notification — HHS — HHS breach portal submission guide and annual report template
- HIPAA Breach Notification — Media — Media notification, press release, and crisis communication
- HIPAA Breach Notification Call Script — Individual notification call procedures and FAQ responses
SOURCES AND REFERENCES
- 45 C.F.R. §§ 164.400-414 — HIPAA Breach Notification Rule
- 45 C.F.R. § 164.402 — Definitions (Breach, Unsecured PHI, Four-Factor Risk Assessment)
- 45 C.F.R. § 164.404 — Notification to Individuals
- 45 C.F.R. § 164.406 — Notification to Media
- 45 C.F.R. § 164.408 — Notification to Secretary (HHS)
- 45 C.F.R. § 164.410 — Notification by Business Associate
- 45 C.F.R. § 164.412 — Law Enforcement Delay
- 45 C.F.R. § 164.414 — Administrative Requirements and Burden of Proof
- 45 C.F.R. § 164.530(j) — Documentation Retention (6 Years)
- HHS OCR — Breach Notification Rule (https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
- HHS OCR — Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable (https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html)
- HHS OCR — Resolution Agreements (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html)
- Cal. Civ. Code § 1798.82 and SB 446 (effective Jan. 1, 2026) — California Breach Notification
- Tex. Bus. & Com. Code § 521.053 — Texas Breach Notification
- Fla. Stat. § 501.171 — Florida Information Protection Act
- N.Y. Gen. Bus. Law § 899-aa — New York SHIELD Act (as amended Dec. 2024 / Feb. 2025)
- NIST SP 800-88 — Guidelines for Media Sanitization
- NIST SP 800-111 — Guide to Storage Encryption Technologies
This template is provided for informational purposes only and does not constitute legal advice. Organizations should have this plan reviewed and customized by qualified legal counsel and privacy professionals before implementation. HIPAA compliance requirements are subject to change based on OCR guidance and regulatory updates.
Last updated: March 2026