HIPAA requires covered entities and business associates to identify and respond to suspected or known security incidents. A well-prepared incident response plan minimizes damage and ensures regulatory compliance.
Benefits of Strong Incident Response
Consequences of Poor Response
Failure to properly respond to incidents can result in OCR penalties, increased breach severity, loss of patient trust, legal liability, and mandatory corrective action plans. Late breach notifications carry significant fines, and failure to have incident response procedures violates the Security Rule.
Understanding the difference between security incidents and breaches is critical for determining notification requirements.
Security incident: Events that compromise the security, confidentiality, integrity, or availability of ePHI.
Breach: Impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy.
Assemble a cross-functional team with clear responsibilities for responding to incidents.
Follow these five phases to effectively respond to and recover from security incidents.
1. Identification: Detect and identify potential security incidents as quickly as possible.
2. Containment: Prevent further damage and limit the scope of the incident.
3. Eradication: Remove the threat and the vulnerabilities that allowed the incident.
4. Recovery: Restore systems to normal operations and verify their security.
5. Lessons Learned: Learn from the incident to prevent future occurrences.
Not every security incident is a breach requiring notification. Use this four-factor analysis to determine if an incident constitutes a breach under HIPAA.
Factor 1: Was there an impermissible acquisition, access, use, or disclosure of PHI?
This is the threshold question. If PHI was not acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule, there is no breach. Examples that do NOT meet this threshold: encrypted PHI stolen but not decrypted, or an inadvertent glimpse of a record where the PHI was not actually viewed.
Factor 2: Was the acquisition, access, use, or disclosure NOT permitted under the HIPAA Privacy Rule?
Some uses and disclosures are permitted (treatment, payment, and operations with proper authorization). If the activity was permitted under the Privacy Rule, it is not a breach. Example: Sharing PHI for treatment coordination is permitted.
Factor 3: Was the PHI 'unsecured' (not encrypted or destroyed per HIPAA guidance)?
If the PHI was encrypted according to HIPAA guidance and the encryption key was not compromised, the incident is NOT a breach (safe harbor). Similarly, if the PHI was properly destroyed, it is not considered unsecured. This is why encryption is critical.
Factor 4: Is there a low probability that the PHI has been compromised?
If the first three factors are met, you must conduct a risk assessment considering: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used or accessed the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated. If there is a low probability of compromise, the incident may not be a breach.
Important: Presumption of Breach
Under HIPAA, an impermissible use or disclosure of unsecured PHI is PRESUMED to be a breach unless you can demonstrate a low probability of compromise through a thorough risk assessment. The burden of proof is on you to show it's not a breach. When in doubt, treat it as a breach and provide notification. Document your entire breach determination process in writing.
Once you determine an incident is a breach, you must provide notifications within specific timelines.
Individuals (within 60 days): Written notice by first-class mail or email (if the individual agreed)
Media (500+ individuals in the same jurisdiction): Notice to prominent media outlets serving the area
HHS Secretary (500+ individuals, immediate): Electronic submission via HHS Breach Portal
HHS Secretary (fewer than 500 individuals, annual): Electronic submission via HHS Breach Portal
Business associate to covered entity: Written notice to the covered entity
Substitute Notice (Unable to Contact Individuals)
If you have insufficient or out-of-date contact information for 10+ individuals, you must provide substitute notice: (1) Post a conspicuous notice on your website for 90 days, OR (2) Notice in major print or broadcast media where affected individuals likely reside. If fewer than 10 individuals cannot be contacted, you may use alternative written notice, phone, or other means.
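The four-factor breach determination and the notification duties described above, encoded as a decision procedure. This is an added example, not code from the original page; the Incident fields and the wording of the returned duty strings are this example's own choices, and the deadlines are only those the page states.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Incident:
    """Facts gathered during the investigation (field names are this example's own)."""
    impermissible_phi_activity: bool      # Factor 1: PHI acquired/accessed/used/disclosed
    permitted_by_privacy_rule: bool       # Factor 2: e.g. treatment, payment, operations
    encrypted_per_guidance: bool          # Factor 3: encrypted per HIPAA guidance
    key_compromised: bool                 # Factor 3: was the encryption key also exposed?
    properly_destroyed: bool              # Factor 3: PHI destroyed per HIPAA guidance
    low_probability: Optional[bool]       # Factor 4: documented risk assessment (None = not done)
    affected: int                         # number of individuals affected
    uncontactable: int                    # individuals with insufficient contact information
    same_jurisdiction: bool               # 500+ affected reside in the same state/jurisdiction
    business_associate: bool              # reporting entity is a BA rather than a covered entity

def is_breach(inc: Incident) -> Tuple[bool, str]:
    """Apply the four factors in order; anything not excluded is presumed a breach."""
    if not inc.impermissible_phi_activity:
        return False, "factor 1: PHI was not acquired, accessed, used or disclosed"
    if inc.permitted_by_privacy_rule:
        return False, "factor 2: activity permitted under the Privacy Rule"
    if (inc.encrypted_per_guidance and not inc.key_compromised) or inc.properly_destroyed:
        return False, "factor 3: PHI was secured (safe harbor)"
    if inc.low_probability is True:
        return False, "factor 4: documented risk assessment shows low probability of compromise"
    return True, "presumed breach: burden not met (risk assessment missing or not low probability)"

def required_notifications(inc: Incident) -> List[str]:
    """Map a confirmed breach to the notification duties listed on this page."""
    breach, _ = is_breach(inc)
    if not breach:
        return []
    if inc.business_associate:
        return ["written notice to the covered entity (45 CFR 164.410)"]
    duties = ["individuals: written notice within 60 days (45 CFR 164.404)"]
    if inc.uncontactable >= 10:
        duties.append("substitute notice: website posting for 90 days or major media")
    elif inc.uncontactable > 0:
        duties.append("alternative written notice, phone or other means for uncontactable individuals")
    if inc.affected >= 500:
        if inc.same_jurisdiction:
            duties.append("media: notice to prominent outlets (45 CFR 164.406)")
        duties.append("HHS: immediate submission via Breach Portal (45 CFR 164.408)")
    else:
        duties.append("HHS: annual submission via Breach Portal (45 CFR 164.408)")
    return duties
```

The Factor 4 check only excludes a breach when a documented assessment returned a low probability; an assessment that was never performed (None) falls through to the presumption of breach, as the page requires.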
Follow these steps to establish a comprehensive incident response program.
1. Create a comprehensive, documented incident response plan tailored to your organization.
2. Identify and train the personnel who will execute the incident response plan.
3. Deploy tools and processes to detect security incidents quickly.
4. Ensure all workforce members know how to identify and report incidents.
5. Regularly test and validate that the plan works effectively.
6. Keep the incident response plan current and effective over time.
Comprehensive documentation is critical for demonstrating compliance and supporting your response to incidents and breaches.
Retention: Maintain incident response documentation for at least 6 years from the date of creation or last effective date per HIPAA requirements (45 CFR 164.316(b)(2)). Breach records may need to be retained longer if litigation or investigation is ongoing.
45 CFR 164.308(a)(6): Security Incident Procedures (Required)
45 CFR 164.308(a)(6)(ii): Response and Reporting (Required implementation specification)
45 CFR 164.402: Breach definition and determination
45 CFR 164.404: Notification to individuals (60-day timeline)
45 CFR 164.406: Notification to media (500+ in same jurisdiction)
45 CFR 164.408: Notification to HHS Secretary (immediate for 500+, annual for <500)
45 CFR 164.410: Business associate notification to covered entity