Steps to Take if a HIPAA Breach is Suspected
Discovering a potential HIPAA breach can be a daunting moment for any healthcare provider. Whether it is a lost device, an unauthorized email disclosure, or a suspected cyberattack, how you respond in those first critical hours can significantly impact legal exposure, regulatory consequences, and patient trust. The Health Insurance Portability and Accountability Act (HIPAA) sets strict requirements for breach response. Failing to act promptly can result in steep penalties. These are the steps that an organization should take the moment a HIPAA breach is suspected.
HIPAA Requirements
HIPAA sets standards to safeguard protected health information (PHI), focusing on two key rules:
- Privacy Rule:
  - Governs the use and disclosure of PHI
  - Requires patient authorization for most disclosures
  - Mandates policies to protect patient privacy
- Security Rule:
  - Applies specifically to electronic PHI (ePHI)
  - Requires administrative, physical, and technical safeguards
  - Includes encryption, access controls, audit logs, and regular risk assessments
What Is a HIPAA Breach?
A HIPAA breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of that information. If there is an impermissible use or disclosure of PHI, it is presumed to be a breach. The only exception is if the covered entity can demonstrate that there is a low probability the PHI has been compromised.
Physicians are responsible for carefully assessing the seriousness of any improper use or disclosure of PHI. They apply a four-factor test that evaluates whether the incident meets HIPAA’s low probability of compromise standard. Physicians will look at the nature and scope of the PHI involved, including the types of identifiers and the chance of re-identification. The evaluation also considers who accessed or received the PHI, whether the information was actually obtained or viewed, and the extent to which the risk to the PHI has been mitigated.
Steps To Take When a Breach Is Suspected
Prompt action is required not only to mitigate further harm but also to comply with HIPAA’s Breach Notification Rule. Here is what covered entities need to do:
Let Privacy and Security Officers Know
If the organization has designated Privacy and Security Officers, as required under HIPAA, they should be notified of the breach immediately. These officers play a key role in managing the situation by coordinating the response, documenting the breach investigation, and assessing any regulatory reporting obligations.
Contain the Breach
Organizations must take immediate steps to contain and limit the damage. This involves stopping unauthorized access by suspending user accounts or terminating access rights. If possible, retrieve misdirected or exposed protected health information. Additionally, lost or stolen devices should be disabled or wiped remotely. Organizations should implement patches or fixes to address any cybersecurity vulnerabilities and preserve evidence for investigation or legal review.
Maintain Evidence
While it is important to contain the breach quickly, preserving forensic evidence is equally critical. Attempting to fix or reconfigure systems before collecting key data can destroy evidence that may be essential for investigations, legal proceedings, or regulatory reporting. To preserve evidence properly, organizations should export and secure access logs from affected systems, document any system alerts or warnings, and retain email trails and screenshots of relevant activity. Any suspicious files or emails should not be deleted until they have been reviewed.
Document the Breach
Covered entities must maintain thorough documentation of all breach investigations, even if the incident does not result in a reportable breach. A complete incident file should include a timeline of events, risk assessment findings, legal opinions or memoranda, internal communications, copies of all notifications, and any technical analysis or forensic reports.
Provide Notice of the Breach
When a breach happens, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery. Notices must be sent by first-class mail or by email if the individual has agreed to electronic communication. Each individual notice must include a brief description of the breach, the types of PHI involved, steps individuals should take to protect themselves, what the entity is doing in response, and contact information.
If a breach affects more than 500 residents of a state or jurisdiction, covered entities must also notify prominent media outlets in the affected area. This media notice, typically issued as a press release, must be provided within 60 days of discovering the breach and include the same details required in individual notifications.
In addition, covered entities must notify the Secretary of Health and Human Services. For breaches affecting 500 or more individuals, notice must be submitted within 60 days. Breaches involving fewer than 500 individuals may be reported annually, no later than 60 days after the calendar year ends.
Assist Affected Parties
Organizations should consider setting up a dedicated call center or response team to handle questions and concerns regarding the breach. Providing written FAQs or a breach notice webpage can help deliver consistent information and guidance. In cases involving sensitive data, such as Social Security numbers or financial information, offering identity monitoring or credit protection services can further reassure affected individuals.
Improve HIPAA Policies and Procedures
Once the immediate response has been managed, conduct a thorough post-incident review to identify any gaps and areas for improvement in HIPAA policies and procedures. This review should include updating policies and procedures, enhancing employee training, upgrading technical safeguards such as encryption and multi-factor authentication (MFA), and conducting a new risk assessment.
Contact an Experienced HIPAA Lawyer
Actions taken in the first hours and days after discovery of a breach are critical to protecting patients, minimizing liability, and preserving the organization’s reputation. A knowledgeable HIPAA attorney can help assess whether a reportable breach has occurred, guide internal investigations, manage communications with affected individuals and regulators, and mitigate the risk of civil penalties. Consulting an experienced HIPAA attorney promptly ensures the organization responds appropriately and can implement HIPAA compliance training to prevent future incidents.