You notice something you can't unsee. A practice-issued tablet that should be in the locked drawer and isn't. An access log showing an employee opened seventeen charts outside their assigned caseload last Tuesday. A business associate emailing you that their platform was hit by ransomware and your patient roster was on the affected tenant.
The HIPAA clock does not wait for you to be sure. The Breach Notification Rule expects you to begin the analysis within hours of discovery, not within weeks of being certain. What follows is the operational sequence, hour by hour.
Is It Actually a Breach? The Four-Factor Risk Assessment
Not every impermissible use or disclosure of PHI is a reportable breach. HIPAA requires a four-factor risk assessment first. If the assessment concludes there is a low probability PHI was compromised, the incident is not a reportable breach. If it cannot reach that conclusion, the incident is a breach.
The four factors, drawn from the Breach Notification Rule at 45 CFR 164.402:
- Nature and extent of PHI involved. Clinical notes differ from name-and-address data; psychiatric records differ from demographics; diagnostic imaging carries different exposure than a billing statement.
- The unauthorized person. A workforce member with general HIPAA training differs from an external threat actor selling data on a marketplace.
- Whether PHI was actually acquired or viewed. Accessibility is not acquisition. A lost encrypted laptop recovered with forensic confirmation it never booted differs from data that surfaces on a dark-web dump.
- Extent to which risk was mitigated. Signed confidentiality agreements, completed remote wipes, recovered devices confirmed unread: mitigation changes the calculus.
Two carve-outs complete the definition: good-faith acquisition by a workforce member acting within authority, with no further disclosure, is not a breach. Neither is a disclosure where the recipient could not reasonably retain the information.
Run this assessment in the first twenty-four hours, in writing. The document becomes part of your audit trail. OCR will want to read it. A verbal conclusion held in someone's head is not a risk assessment.
The 72-Hour Playbook
Hour 0 to 6: Contain and Document
The first six hours are about stopping further exposure and preserving facts, not reaching conclusions.
- Identify scope. What PHI, how many records, which patients, who accessed it, through what system.
- Stop further exposure. Revoke the user's access. Disconnect the affected system from the network if actively compromised. Recover the device if missing and recoverable. Remote-wipe where policy permits.
- Start a timestamped log. Every decision, every contact, every action, with date-time stamps. This becomes the audit trail OCR and forensics will request.
- Preserve evidence. Do not wipe or reimage before a forensic snapshot. Containment does not require destroying the evidence that proves it worked.
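The scoping and logging steps above can be started from the audit-log export most EHR systems provide. The following Python script is an added example, not part of this guide: it parses a constructed audit-log sample (the column names are an assumption; real exports differ and would be mapped at the parse step), flags chart accesses that fall outside each user's assigned caseload, produces the scope summary the first six hours call for (which patients, how many records, who, which system, when), and keeps an append-only timestamped incident log. The caseload table and the usernames are constructed for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: an EHR audit-log export in CSV. The column names are an
# assumption for this example; map your own export's fields when parsing.
AUDIT_LOG_CSV = """timestamp,user,patient_id,action,system
2024-03-05T09:12:03Z,jdoe,P1001,chart_view,ehr-prod
2024-03-05T09:15:41Z,jdoe,P2005,chart_view,ehr-prod
2024-03-05T09:16:09Z,jdoe,P2006,chart_view,ehr-prod
2024-03-05T11:02:55Z,jdoe,P2005,chart_print,ehr-prod
2024-03-05T13:40:12Z,msmith,P3001,chart_view,ehr-prod
2024-03-05T13:44:30Z,msmith,P1001,chart_view,ehr-prod
"""

# Constructed caseload assignments: the patients each user is authorized to work on.
CASELOAD = {
    "jdoe": {"P1001", "P1002"},
    "msmith": {"P3001"},
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-05T09:12:03Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_out_of_caseload(audit_csv, caseload):
    """Return audit events where a user touched a patient outside their caseload.

    A user missing from the caseload table is treated as authorized for nothing,
    so every access by an unknown account is flagged for review.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        allowed = caseload.get(row["user"], set())
        if row["patient_id"] not in allowed:
            row["ts"] = parse_ts(row["timestamp"])
            flagged.append(row)
    return flagged


def summarize_scope(events):
    """Answer the hour-0 scoping questions from the flagged events."""
    if not events:
        return {"record_count": 0, "patients": [], "users": [], "systems": [],
                "actions": {}, "first": None, "last": None}
    times = [e["ts"] for e in events]
    return {
        "record_count": len({e["patient_id"] for e in events}),   # distinct patients involved
        "patients": sorted({e["patient_id"] for e in events}),
        "users": sorted({e["user"] for e in events}),
        "systems": sorted({e["system"] for e in events}),
        "actions": dict(Counter(e["action"] for e in events)),
        "first": min(times).isoformat(),
        "last": max(times).isoformat(),
    }


class IncidentLog:
    """Append-only record of every decision, contact and action, each UTC-stamped."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock = clock          # injectable so entries can be reproduced in tests
        self._entries = []

    def record(self, action, actor, note=""):
        entry = {"timestamp": self._clock().isoformat(),
                 "action": action, "actor": actor, "note": note}
        self._entries.append(entry)
        return entry

    def entries(self):
        return list(self._entries)   # copy: callers cannot edit history in place


if __name__ == "__main__":
    events = find_out_of_caseload(AUDIT_LOG_CSV, CASELOAD)
    scope = summarize_scope(events)
    log = IncidentLog()
    log.record("scope_identified", "privacy_officer",
               f"{scope['record_count']} patient records touched by {scope['users']}")
    log.record("access_revoked", "it_admin", "disabled accounts " + ", ".join(scope["users"]))
    print(scope)
    for entry in log.entries():
        print(entry)
```

The scope summary counts distinct patients rather than raw log lines, because the notification obligation attaches per individual, while the raw flagged events (including the repeat access and the print action) stay available as evidence for the forensic record.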
Hour 6 to 24: Risk Assessment and Legal Counsel
- Run the four-factor risk assessment in writing. Record reasoning, not just the conclusion.
- Engage HIPAA-experienced legal counsel. This is a real expense, and it is not the step to skip. Counsel shapes how notifications are drafted, how the law-enforcement-delay provision is used if applicable, and whether communications with insurers are privileged.
- Determine reportability. If the incident is a breach, the sixty-day notification clock runs from the date of discovery, not the date of incident.
Hour 24 to 72: Prepare Notifications
- Individual notification: first-class mail to affected patients within sixty days of discovery. Email only if the patient previously agreed to electronic notice.
- HHS notification: breaches under five hundred individuals are reported annually within sixty days of calendar-year end. Breaches of five hundred or more are reported within sixty days of discovery and posted on the HHS public breach portal.
- Media notification: five hundred or more residents of a single state or jurisdiction requires notice to prominent media outlets serving that area, within sixty days of discovery.
- Draft the notification letters now. Content requirements are specified in 45 CFR 164.404. Template language does not substitute for incident-specific detail.
What Extends the 60-Day Window
Three circumstances legitimately extend or delay the notification clock.
Law-enforcement delay. If a law enforcement official states in writing that notification would impede a criminal investigation or cause damage to national security, notification may be delayed for the period specified in writing. Oral requests are honored for up to thirty days unless followed by a written request. This provision is invoked by the investigating agency, not by the practice.
Ongoing forensic investigation. If breach scope cannot be determined within the notification window because forensics are still running, the sixty-day clock does not pause. HHS has accepted staged notification (initial notice with known scope, followed by supplemental notice as scope expands) when documented in good faith.
Complex multi-record scoping. Where affected-individual counts cannot be finalized within the window, preliminary notification based on reasonable best-available data is preferred over waiting. Supplemental notification covers later-identified individuals.
What does not extend the window: the cost of notification, wanting more time to craft a public message, or concern about reputational impact. None of these are recognized under the Rule. The sixty-day clock is an outer limit regulators enforce, not a target the practice negotiates.
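The deadlines in the two sections above (individual, HHS and media notification, plus the law-enforcement delay) combine into a small decision procedure. The following Python calculator is an added example, not part of this guide or any HHS tool: given the discovery date, the count of affected individuals per state or jurisdiction, and an optional law-enforcement delay, it returns each notification deadline and the earliest date notification may go out. It assumes plain calendar-day arithmetic ("sixty days" means discovery plus sixty calendar days, and the annual HHS log deadline is the last day of the discovery year plus sixty days) and treats an oral law-enforcement request as a delay of at most thirty days from the request; where a written delay runs past the sixty-day deadline, the delay period governs and the post-delay deadline is a question for counsel, so the calculator reports both dates rather than reconciling them. The dates and counts below are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTIFICATION_WINDOW_DAYS = 60   # no later than sixty days from discovery
ORAL_REQUEST_MAX_DAYS = 30      # oral law-enforcement request honored up to thirty days
LARGE_BREACH_THRESHOLD = 500    # threshold for 60-day HHS reporting and for media notice


@dataclass
class LawEnforcementDelay:
    kind: str                          # "written" or "oral"
    requested_on: date
    delay_until: Optional[date] = None # the period the official specified in writing


@dataclass
class NotificationPlan:
    total_affected: int
    individual_due: date
    hhs_due: date
    hhs_timing: str
    media_states: List[str]
    media_due: Optional[date]
    earliest_send: date                # do not notify before this date


def compute_plan(discovery: date,
                 affected_by_state: Dict[str, int],
                 delay: Optional[LawEnforcementDelay] = None) -> NotificationPlan:
    """Derive the notification deadlines from the discovery date and per-state counts."""
    total = sum(affected_by_state.values())
    # Individual notice: first-class mail within sixty days of discovery, any size.
    individual_due = discovery + timedelta(days=NOTIFICATION_WINDOW_DAYS)

    if total >= LARGE_BREACH_THRESHOLD:
        hhs_due = individual_due
        hhs_timing = "within 60 days of discovery (posted on the HHS breach portal)"
    else:
        # Annual log: within sixty days of the end of the calendar year of discovery
        # (assumption: computed as Dec 31 of that year plus sixty calendar days).
        hhs_due = date(discovery.year, 12, 31) + timedelta(days=NOTIFICATION_WINDOW_DAYS)
        hhs_timing = "annual log, within 60 days of calendar-year end"

    # Media notice attaches per state or jurisdiction, not on the total.
    media_states = sorted(s for s, n in affected_by_state.items()
                          if n >= LARGE_BREACH_THRESHOLD)
    media_due = individual_due if media_states else None

    earliest_send = discovery
    if delay is not None:
        if delay.kind == "written" and delay.delay_until is not None:
            earliest_send = delay.delay_until
        elif delay.kind == "oral":
            # Assumption: an oral request delays at most thirty days from the request
            # unless a written statement follows; a written one replaces this value.
            earliest_send = delay.requested_on + timedelta(days=ORAL_REQUEST_MAX_DAYS)

    return NotificationPlan(total, individual_due, hhs_due, hhs_timing,
                            media_states, media_due, earliest_send)


def days_remaining(plan: NotificationPlan, today: date) -> int:
    """Calendar days left before the individual-notification deadline (negative if missed)."""
    return (plan.individual_due - today).days


if __name__ == "__main__":
    # Constructed scenario: discovered 5 March 2024, 620 Texas and 40 Oklahoma residents.
    plan = compute_plan(date(2024, 3, 5), {"TX": 620, "OK": 40})
    print(plan)
    print("days left as of 1 April 2024:", days_remaining(plan, date(2024, 4, 1)))
```

Two things the branching makes visible that prose tends to blur: a breach of 660 people spread over two states triggers media notice only in the state that itself reaches five hundred, and a breach of 120 people discovered in July still owes individual letters by September even though HHS does not hear about it until the following March.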
Common Mistakes in Breach Response
The patterns that surface in OCR enforcement actions are not exotic. They repeat.
- Running the risk assessment in someone's head. Undocumented is treated as not done. When OCR requests the written analysis and there is none, the incident is treated as a breach regardless of what the practice concluded privately.
- Patient notification before the law-enforcement-delay request is resolved. Notifying during an active criminal investigation can compromise it and expose the practice to further liability.
- Panic-notifying a non-reportable incident. Premature notification of incidents the assessment would have determined are not breaches creates patient concern and reputational exposure the practice did not legally owe.
- Failing to update training and risk assessment after the incident. OCR enforcement is full of second-breach scenarios where the corrective action plan was documented but never implemented. The repeat incident is what turns a recoverable situation into a settlement.
- Skipping legal counsel to save money. Self-represented response produces documentation that insurers dispute and reasoning that reads like advocacy rather than analysis.
- Treating the business associate as solely responsible. A breach originating at a BA is still the covered entity's breach to notify on. The practice retains the obligation to the patient.
After the 72 Hours
The first seventy-two hours determine the quality of the record OCR will review if they review it, that insurers will price if they price it, and that patients will see if they ever learn it happened. Containment, risk assessment in writing, counsel engaged, notifications drafted: these are the markers of a practice ready to respond rather than improvising under pressure.
This playbook is operational guidance for practice owners, not legal advice. Any active HIPAA breach incident requires HIPAA-experienced legal counsel. The specifics of your situation may require deviations from this general framework. For the pre-incident readiness view of what OCR examines in small-practice audits, see our companion guide on the HIPAA risks small practices actually face. For foundational compliance posture, our HIPAA compliance checklist covers the documentation and training baseline the Rule assumes you already have.
Frequently Asked Questions
How long do I have to report a HIPAA breach?
Sixty days from the date of discovery, not the date of the incident. Individual patients receive first-class mail notification within sixty days. HHS notification is within sixty days of discovery for breaches of five hundred or more, and within sixty days of calendar-year end for smaller breaches. Media notification applies only to breaches affecting five hundred or more residents of a single state or jurisdiction.
Do I have to notify every patient for a small breach?
Yes. There is no size threshold below which individual notification is optional. Every patient whose unsecured PHI was involved in a reportable breach receives first-class mail notification at their last known address. The five-hundred-patient threshold governs whether HHS and media notification obligations attach on the faster sixty-day-from-discovery clock, not whether individual notification applies.
What counts as a HIPAA breach versus a potential breach?
A potential breach is any impermissible use or disclosure of PHI that has not yet been through the four-factor risk assessment. A breach is the subset where the written assessment does not establish a low probability that PHI was compromised. The Breach Notification Rule presumes a breach unless the assessment documents otherwise.
Does my cyber insurance cover HIPAA breach response?
Cyber policies vary. Most name-brand policies cover forensic investigation, notification mailing costs, credit monitoring for affected individuals, and legal counsel fees. Many do not cover regulatory fines or settlements. Read the policy before the incident, and confirm that the panel counsel the policy requires includes HIPAA-experienced attorneys.
Do I still have to notify if my business associate caused the breach?
Yes. The covered entity retains the notification obligation to the patient. The business associate agreement may shift the practical work of drafting, mailing, or funding notifications, but the legal obligation rests with the covered entity unless the BA has independently notified under a compliant BAA. Confirm the exact allocation with counsel.