
What to do after a HIPAA breach: a step-by-step response guide

When a HIPAA breach occurs, the 60-day notification clock starts immediately. Here is the complete response sequence — from the first hour of discovery through patient notification, HHS reporting, and documentation.

By CoreFolio


A breach of unsecured protected health information (PHI) is not the end of a HIPAA compliance story — it is the beginning of a mandatory, time-bound response sequence. The 60-day notification clock starts the moment a workforce member discovers the breach, or should have discovered it with reasonable diligence.

The practices that get through breach response with minimal additional exposure are the ones that execute a documented, methodical sequence. The ones that face compounded problems are those that either move too slowly, skip the required risk assessment, or fail to document each step.

This guide covers the full response sequence in order.


Step 1: Contain the incident (first hours)

Before the legal analysis begins, stop the bleeding. Containment is not a HIPAA obligation in itself, but failing to contain an active breach while you deliberate about notification is negligence — and it expands the scope of what you eventually have to report.

Actions in the first hours:

  • Isolate affected systems from the network if active unauthorized access is occurring (ransomware, hacker access, active exfiltration)
  • Revoke compromised credentials or suspend affected accounts
  • Preserve evidence — do not wipe or reformat systems before preserving logs, screenshots, and system state
  • If a portable device was stolen or lost, initiate remote wipe only after confirming it has been backed up and that logs have been exported
  • Notify your Security Official immediately — this is the point person for the response

Start the clock: Document the date and time of discovery and how it was discovered. If a workforce member first identified the incident on a specific date, that is your discovery date even if leadership was not informed until later.
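The "preserve evidence" and "start the clock" actions above are easier to defend later if the preserved copies carry an integrity record. The following is an added example, not CoreFolio's code: it hashes each exported artifact (logs, screenshots, captures), records the discovery facts the 60-day clock runs from, writes a JSON manifest, and can later show whether any preserved file has changed. The file names, the log line and the discovery details in `demo()` are constructed sample data.

```python
"""Evidence-preservation manifest for Step 1 containment (added example, not CoreFolio code)."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large log exports need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(artifacts: list[Path], discovered_at: datetime,
                   discovered_by: str, how_discovered: str) -> dict:
    """Describe each preserved artifact plus the discovery facts (date, who, how)."""
    entries = []
    for path in sorted(artifacts):
        stat = path.stat()
        entries.append({
            "path": str(path),
            "sha256": sha256_of_file(path),
            "size_bytes": stat.st_size,
            "mtime_utc": datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc).isoformat(),
        })
    return {
        "discovered_at_utc": discovered_at.astimezone(timezone.utc).isoformat(),
        "discovered_by": discovered_by,
        "how_discovered": how_discovered,
        "manifest_created_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
    }


def write_manifest(manifest: dict, out_path: Path) -> str:
    """Write the manifest and return its own digest; record that digest in the breach log."""
    out_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return sha256_of_file(out_path)


def verify_manifest(manifest: dict) -> list[str]:
    """Return paths whose current digest no longer matches (empty list means intact)."""
    changed = []
    for entry in manifest["artifacts"]:
        path = Path(entry["path"])
        if not path.exists() or sha256_of_file(path) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def demo() -> dict:
    """Constructed run: preserve two sample artifacts, then detect alteration of one."""
    import tempfile
    workdir = Path(tempfile.mkdtemp())
    auth_log = workdir / "auth.log"  # constructed sample line, not a real export
    auth_log.write_text(
        "2026-04-10T02:13:44Z sshd[412]: Accepted password for svc_backup from 203.0.113.7\n")
    empty_capture = workdir / "netflow.pcap"  # constructed: empty placeholder capture
    empty_capture.write_bytes(b"")
    manifest = build_manifest([auth_log, empty_capture],
                              datetime(2026, 4, 10, 8, 30, tzinfo=timezone.utc),
                              "on-call analyst", "EDR console alert")
    manifest_digest = write_manifest(manifest, workdir / "manifest.json")
    intact = verify_manifest(manifest)        # [] while nothing has changed
    auth_log.write_text("altered\n")          # simulate post-preservation tampering
    after_tamper = verify_manifest(manifest)  # [path of auth.log]
    return {"manifest": manifest, "manifest_digest": manifest_digest,
            "intact": intact, "after_tamper": after_tamper, "auth_log": str(auth_log)}


if __name__ == "__main__":
    print(json.dumps(demo()["manifest"], indent=2))
```

Run the manifest step before any remote wipe or rebuild; the manifest digest itself, written into the breach log, is what ties the preserved copies to the discovery date.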


Step 2: Assess whether unsecured PHI was involved

Under 45 CFR § 164.402, breach notification obligations apply only to “unsecured” PHI — PHI that has not been encrypted to HHS-specified standards (NIST SP 800-111 for data at rest; TLS 1.2 or higher for data in transit) or destroyed.

Assess:

  • Was the data in the affected system encrypted at rest? If yes, and the encryption meets HHS standards, there may be no reportable breach
  • Was the data being transmitted encrypted in transit at the time of interception? If yes, and the encryption meets HHS standards, the same conclusion may apply
  • If the affected data was not encrypted, proceed to Step 3

If encryption was not in place, assume PHI is unsecured and proceed with the breach response. The encryption question is often resolved quickly — most small practices know whether their devices and backups are encrypted.


Step 3: Conduct the four-factor risk assessment

Even if the PHI is unencrypted and was clearly involved in the incident, notification is not automatically required. Under 45 CFR § 164.402(2), you may rebut the presumption of a reportable breach by demonstrating — through a documented risk assessment — a low probability that PHI was compromised.

The assessment must evaluate at minimum four factors:

Factor 1 — Nature and extent of PHI: What types of identifiers were involved? Was it a name and appointment date, or was it a name, Social Security number, diagnosis, and financial information? Sensitive identifiers (SSN, financial data, substance use disorder records, mental health records) weigh toward higher risk.

Factor 2 — Who accessed or received the PHI: Was the recipient a workforce member acting in good faith (lower risk) or an unknown external party (higher risk)? Was the unauthorized party likely to use the PHI impermissibly based on available information about them?

Factor 3 — Whether PHI was actually acquired or viewed: Does technical or other evidence show the PHI was accessed, viewed, or exfiltrated — or only that the opportunity existed? Audit logs, system access records, and forensic analysis are relevant. If you cannot determine from the evidence whether PHI was actually viewed, default toward notification.

Factor 4 — Extent to which risk was mitigated: Did the unauthorized recipient return or confirm destruction of the data? Did they provide credible written assurances that the PHI would not be used or disclosed?

Document every factor and your conclusion. A written risk assessment is not optional — it is the only thing that allows you to claim a low-probability conclusion. An undocumented assessment will be treated by OCR as if it were not conducted.

If the assessment does not support a low-probability conclusion: notification is required. Proceed to Step 4.


Step 4: Determine the scope — who is affected

Identify each individual whose unsecured PHI was involved in the breach. For a device theft involving a database, this may require querying the EHR for the patient records stored on the device. For a misdirected fax, it may be one patient. For a ransomware attack, it may be every patient in the system.

Document:

  • The total number of individuals affected
  • The types of PHI involved for each individual
  • Whether you have current contact information for each individual (addresses, email if they have opted in to electronic communication)

This count determines which notification tracks apply.


Step 5: Send individual notifications — within 60 days

Under 45 CFR § 164.404, each affected individual must receive written notification without unreasonable delay, and no later than 60 calendar days from the discovery date.

Method: First-class mail to the individual’s last known address. Email is acceptable if the individual has agreed to receive electronic notices. If you have insufficient current contact information for 10 or more individuals, you must post a prominent notice on your website for 90 days or provide notice through major print or broadcast media.

Required content (45 CFR § 164.404(c)):

  • A brief description of what happened, including the date of the breach and the date it was discovered
  • A description of the types of unsecured PHI involved
  • Steps individuals should take to protect themselves from potential harm
  • A brief description of what you are doing to investigate and mitigate harm and prevent future occurrences
  • Contact procedures for individuals to ask questions (toll-free number, email, website, or mailing address)

Step 6: Report to HHS

Breaches affecting 500 or more individuals: Report to HHS without unreasonable delay and no later than 60 calendar days from discovery — contemporaneously with individual notification. Submit electronically through the HHS breach reporting portal at hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting.

Breaches affecting fewer than 500 individuals: Maintain an internal log of the breach (all breaches, even those not requiring individual notification), and report to HHS within 60 days after the end of the calendar year in which the breach occurred. Breaches discovered in any month of 2026 must be reported by March 1, 2027.


Step 7: Notify media if applicable

Under 45 CFR § 164.406, if the breach affects 500 or more individuals in a single state or jurisdiction, you must also notify prominent media outlets (newspapers, broadcast stations) serving that state or jurisdiction within 60 days.

This requirement applies in addition to — not instead of — individual notification.


Step 8: Notify your business associate (if you are a BA)

If your organization is a business associate that discovered the breach, your obligation is to notify the covered entity without unreasonable delay and no later than 60 calendar days from discovery.

Provide:

  • Identification of each individual whose PHI was involved, or the best available information for use by the covered entity in making individual notifications
  • All other information you have that the covered entity needs to provide notice — including the nature of the breach, types of PHI involved, and steps taken to contain it

Remember: the covered entity’s 60-day individual notification clock runs from your discovery date. Delayed reporting by a business associate creates legal exposure for the covered entity.


Step 9: Law enforcement delay (if applicable)

Under 45 CFR § 164.412, if a law enforcement official requests in writing that you delay notification because it would impede a criminal investigation or cause damage to national security, you may delay for the period specified, or up to 30 days (renewable by written request). Document the law enforcement request and the delay period.


Step 10: Document everything

Every step in the breach response must be documented — not for the OCR investigation you hope will never happen, but because the investigation response will be built entirely from your breach documentation.

Maintain in your breach log:

  • Date and time of discovery
  • How the breach was discovered
  • Systems and data involved
  • The four-factor risk assessment with your conclusion
  • The number of individuals affected and their contact information status
  • Copies of notification letters sent
  • Dates notifications were sent
  • The HHS reporting confirmation or the annual log entry
  • Any law enforcement contact and delay periods
  • Steps taken to contain and mitigate the breach
  • Changes made to safeguards in response

Six-year retention applies to breach documentation, consistent with 45 CFR § 164.316(b)(2).
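Steps 2 through 10 form one decision sequence: the encryption question and the four-factor conclusion can end the analysis, and otherwise the discovery date and the headcount select the notification tracks and their deadlines. The following added example (not CoreFolio's code) encodes that sequence and emits the breach-log fields of Step 10. The thresholds and windows (60 days, 500 individuals, 10 individuals for substitute notice, 90 days, 30-day law enforcement period, 60 days after year end, six-year retention) are the ones stated on this page; two details are assumptions of the example rather than statements of the rule: a written law enforcement request that names no period is treated as the 30-day default, and the retention period is counted from the discovery date as a stand-in for the record's creation date.

```python
"""Notification tracks and deadlines for Steps 2 through 10 (added example, not CoreFolio code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

NOTIFICATION_WINDOW_DAYS = 60           # 45 CFR 164.404(b), 164.406(b), 164.408(b), 164.410(b)
LARGE_BREACH_THRESHOLD = 500            # 45 CFR 164.406, 164.408(b)
SUBSTITUTE_NOTICE_THRESHOLD = 10        # 45 CFR 164.404(d)(2): 10+ unreachable individuals
SUBSTITUTE_NOTICE_DAYS = 90             # web posting period for substitute notice
LAW_ENFORCEMENT_DEFAULT_DELAY = 30      # 45 CFR 164.412; assumed default when no period is named
ANNUAL_REPORT_DAYS_AFTER_YEAR_END = 60  # 45 CFR 164.408(c)
RETENTION_YEARS = 6                     # 45 CFR 164.316(b)(2)


@dataclass
class Incident:
    discovered_on: date                  # first workforce-member discovery, not the escalation date
    encrypted_to_hhs_standard: bool      # Step 2 outcome
    low_probability_of_compromise: bool  # Step 3 documented four-factor conclusion
    affected_by_state: dict[str, int]    # Step 4 scope, e.g. {"TX": 700}
    without_current_contact: int = 0     # individuals with insufficient contact information
    law_enforcement_written_request: bool = False
    law_enforcement_delay_days: int = 0  # period named in the written request (0 = none named)
    is_business_associate: bool = False


@dataclass
class Obligations:
    reportable: bool
    reason: str
    affected_total: int
    notice_deadline: date | None = None
    substitute_notice_required: bool = False
    hhs_report_by: date | None = None
    hhs_track: str = ""
    media_notice_states: list[str] = field(default_factory=list)
    covered_entity_notice_by: date | None = None


def annual_hhs_deadline(discovery_year: int) -> date:
    """60 days after the end of the discovery year (March 1, or Feb 29 when the next year is a leap year)."""
    return date(discovery_year, 12, 31) + timedelta(days=ANNUAL_REPORT_DAYS_AFTER_YEAR_END)


def retention_end(created: date) -> date:
    """Six years after the record's creation; a Feb 29 start rolls to Mar 1."""
    try:
        return created.replace(year=created.year + RETENTION_YEARS)
    except ValueError:
        return date(created.year + RETENTION_YEARS, 3, 1)


def determine_obligations(inc: Incident) -> Obligations:
    total = sum(inc.affected_by_state.values())
    if inc.encrypted_to_hhs_standard:  # Step 2: secured PHI is outside the rule
        return Obligations(False, "PHI encrypted to HHS standards; not unsecured PHI", total)
    if inc.low_probability_of_compromise:  # Step 3: documented assessment rebuts the presumption
        return Obligations(False, "documented four-factor assessment: low probability of compromise", total)
    delay = 0
    if inc.law_enforcement_written_request:  # Step 9: delay every deadline by the requested period
        delay = inc.law_enforcement_delay_days or LAW_ENFORCEMENT_DEFAULT_DELAY
    deadline = inc.discovered_on + timedelta(days=NOTIFICATION_WINDOW_DAYS + delay)
    ob = Obligations(True, "unsecured PHI, no low-probability finding; notification required",
                     total, notice_deadline=deadline)
    # Step 5: substitute notice (90-day web posting or major media) when 10+ cannot be reached.
    ob.substitute_notice_required = inc.without_current_contact >= SUBSTITUTE_NOTICE_THRESHOLD
    # Step 6: 500+ is reported to HHS with the individual notices; smaller breaches go in the annual log.
    if total >= LARGE_BREACH_THRESHOLD:
        ob.hhs_report_by, ob.hhs_track = deadline, "portal report within 60 days of discovery"
    else:
        ob.hhs_report_by, ob.hhs_track = annual_hhs_deadline(inc.discovered_on.year), "annual log submission"
    # Step 7: media notice for every state or jurisdiction with 500+ affected residents.
    ob.media_notice_states = sorted(s for s, n in inc.affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD)
    if inc.is_business_associate:  # Step 8: the covered entity must be told on the same clock
        ob.covered_entity_notice_by = deadline
    return ob


def breach_log_entry(inc: Incident, ob: Obligations) -> dict:
    """Step 10: the log fields derived from the analysis (dates as ISO strings)."""
    iso = lambda d: d.isoformat() if d else None
    return {
        "discovered_on": inc.discovered_on.isoformat(),
        "affected_total": ob.affected_total,
        "reportable": ob.reportable,
        "reason": ob.reason,
        "individual_notice_by": iso(ob.notice_deadline),
        "substitute_notice_required": ob.substitute_notice_required,
        "hhs_report_by": iso(ob.hhs_report_by),
        "hhs_track": ob.hhs_track,
        "media_notice_states": ob.media_notice_states,
        "covered_entity_notice_by": iso(ob.covered_entity_notice_by),
        "retain_until": retention_end(inc.discovered_on).isoformat(),  # assumption: counted from discovery
    }


if __name__ == "__main__":
    # Constructed scenario: stolen unencrypted laptop discovered 2026-04-10, 1,220 patients in three states.
    inc = Incident(date(2026, 4, 10), False, False, {"TX": 700, "OK": 500, "NM": 20}, without_current_contact=12)
    print(breach_log_entry(inc, determine_obligations(inc)))
```

The constructed scenario in the `__main__` block yields a 2026-06-09 deadline for individual notices and the HHS portal report, media notice in TX and OK but not NM, and substitute notice because 12 individuals cannot be reached; the same incident with 40 patients would instead land in the annual submission due 2027-03-01, matching the page's example.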


Preparing before a breach occurs

Breach response under pressure is significantly more difficult than working from a pre-built plan. The most important preparation:

  • A written incident response and breach notification policy (required under 45 CFR § 164.308(a)(6))
  • An internal escalation chain with contact information
  • A four-factor risk assessment template, ready to complete
  • A breach log template
  • Template notification letters (individual and media)
  • Bookmarked access to the HHS breach reporting portal
  • Clarity on which business associates are involved in your data flows and what their reporting obligations are to you

Sources: 45 CFR § 164.400–414 (Breach Notification Rule); 45 CFR § 164.402 (definitions; four-factor risk assessment); 45 CFR § 164.404 (individual notification requirements and content); 45 CFR § 164.406 (media notification); 45 CFR § 164.408 (HHS notification); 45 CFR § 164.410 (business associate notification obligations); 45 CFR § 164.412 (law enforcement delay); 45 CFR § 164.316(b)(2) (six-year document retention); HHS Breach Notification Rule guidance, hhs.gov/hipaa/for-professionals/breach-notification. Last verified May 20, 2026.