HIPAA incident response plan

Juan H.
Nov 18, 2025

When a security incident touches electronic protected health information (ePHI), the clock starts. A clear, tested HIPAA incident response plan is how your team moves from “something’s wrong” to “contained, assessed, and notified”—without missing legal deadlines or disrupting patient care.

In this guide (and the downloadable HIPAA incident response plan template), we turn HIPAA’s requirements into a practical, step-by-step playbook: who does what, when the 60-day window begins, how to run the four-factor risk assessment, and exactly which artifacts OCR will expect to see.

Whether you’re a small clinic or a multi-facility system, use this HIPAA incident response plan guide to shorten time-to-containment, make defensible breach determinations, and document every decision—so compliance isn’t a scramble; it’s muscle memory.

TL;DR:

A HIPAA incident response plan tells covered entities and business associates exactly how to identify, contain, assess, document, and notify after a security incident involving ePHI. At minimum, the Security Rule requires written security incident procedures (identify, respond, mitigate, and document), and the Breach Notification Rule adds strict steps: run the four-factor risk assessment to decide whether there is a reportable breach of unsecured PHI; notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; if 500 or more individuals are affected, also notify HHS within that same window; if more than 500 residents of a single state or jurisdiction are affected, also notify prominent media outlets serving that state or jurisdiction; and for breaches affecting fewer than 500 individuals, keep a log and report it to HHS no later than 60 days after the end of the calendar year in which the breach was discovered. Our downloadable HIPAA incident response plan template operationalizes roles, timelines, worksheets, decision logs, and notification scripts so you can execute fast and prove compliance.

What HIPAA specifically requires in incident response

Here’s the crisp version of what HIPAA expects when something goes wrong with ePHI—and what your plan must explicitly cover.

Security Rule — security incident procedures. Your organization needs written policies and procedures that let you do four things every time: identify suspected or known security incidents, respond to them, mitigate harmful effects to the extent practicable, and document both the incident and your outcomes. If your plan doesn’t enable those four actions, it isn’t compliant.

Breach Notification Rule (45 CFR 164.400–414). If your risk assessment determines there’s a reportable breach of unsecured PHI, you must notify on strict timelines and to specific parties:

  • Notify individuals “without unreasonable delay” and no later than 60 calendar days from discovery of the breach. Your plan should define who drafts, reviews, and sends notices so you don’t lose days to internal back-and-forth.
  • Notify HHS (the Secretary):
    • If 500 or more individuals are affected, notify HHS without unreasonable delay and in no case later than 60 days from discovery (through the breach reporting portal).
    • If fewer than 500 individuals are affected, maintain a breach log and submit it no later than 60 days after the end of the calendar year in which the breach was discovered. Build this logging requirement into your plan and trackers.
  • Notify prominent media outlets serving a state or jurisdiction when a breach involves more than 500 residents of that state or jurisdiction (note that this threshold is "more than 500 residents", slightly different from the "500 or more individuals" HHS threshold). This is in addition to individual and HHS notice, so your plan should include a pre-approved media statement and a clear review path.

Business associates (BAs). A BA must notify the covered entity of a breach without unreasonable delay and no later than 60 calendar days after discovery, and "discovery" includes when the BA should have known of the breach with reasonable diligence, not just when someone finally escalates it. If the BA is acting as your agent, its discovery is imputed to you and your own notification clock starts then; if it is an independent contractor, your clock starts when the BA notifies you. Your BA playbook should assume the earlier start date and spell out how you'll collect facts, artifacts, and timelines from the BA.

The HIPAA incident response lifecycle

Below is the end-to-end flow your team will follow when something goes wrong with ePHI—each step ties directly to the fields, checklists, and forms in the downloadable HIPAA incident response plan template. The goal is simple: shorten time-to-containment, make defensible decisions, and document every action so you can demonstrate compliance without scrambling.

Phase 1 — Detect & triage

Common triggers your team should treat as “suspected incidents” until proven otherwise

  • EDR/XDR alerts: malware detections, lateral-movement flags, credential-stuffing attempts.
  • Lost or stolen devices: laptops, tablets, phones, or removable media that may store or route ePHI.
  • Anomalous access: atypical logins (impossible travel, out-of-hours EHR pulls), mass file reads, odd API calls from third parties.
  • Ransomware indicators: ransom note artifacts, file extensions/encryption anomalies, service stoppages.
  • Misdirected communications: faxes, emails, or portal messages sent to the wrong recipient.
  • Third-party/BA notices: any report from a business associate or cloud vendor alleging exposure.
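The "anomalous access" triggers above (impossible travel, out-of-hours EHR pulls, mass record reads) are cheap to check once audit logs are centralized. The following Python script is an added example, not code from the page's template or from Prey. The audit-log schema, the per-user business-hours map, the thresholds, the IP addresses and coordinates, and every log line are constructed for illustration and would have to be mapped onto your EHR's real audit export before use.

```python
"""Triage checks for the anomalous-access triggers, run over constructed EHR
audit log lines. Added example; the log schema, thresholds, business-hours
map and coordinates are assumptions, not any real EHR's audit format."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed audit lines: ts user event patient src_ip lat lon ('-' = no patient)
BASE_LOG = """\
2025-11-10T09:02:11Z dr_lee LOGIN - 203.0.113.10 40.71 -74.00
2025-11-10T09:05:40Z dr_lee VIEW PT-1001 203.0.113.10 40.71 -74.00
2025-11-10T09:06:02Z dr_lee VIEW PT-1002 203.0.113.10 40.71 -74.00
2025-11-10T09:41:15Z dr_lee LOGIN - 198.51.100.7 51.51 -0.13
2025-11-10T10:15:00Z nurse_ng VIEW PT-3001 192.0.2.9 40.71 -74.00
2025-11-10T23:14:09Z clerk_kim VIEW PT-2001 192.0.2.44 40.71 -74.00
2025-11-11T02:10:00Z nurse_ng VIEW PT-3002 192.0.2.9 40.71 -74.00
"""
# Constructed burst: one user opening 12 distinct charts in under a minute.
BURST_LOG = "".join(
    f"2025-11-10T14:00:{2 * i:02d}Z nurse_ng VIEW PT-4{i:03d} 192.0.2.9 40.71 -74.00\n"
    for i in range(12)
)
SAMPLE_LOG = BASE_LOG + BURST_LOG

# Assumed schedules: (start_hour, end_hour) per user. Users absent from the map
# (e.g. shift clinicians) are exempt from the out-of-hours check.
BUSINESS_HOURS = {"clerk_kim": (8, 18), "billing_ray": (8, 18)}
MASS_READ_WINDOW = timedelta(minutes=10)
MASS_READ_THRESHOLD = 10      # distinct patients within the window
MAX_PLAUSIBLE_KMH = 900.0     # faster than an airliner => impossible travel


def parse_log(text):
    """Parse the constructed format into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, patient, ip, lat, lon = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event,
                       "patient": None if patient == "-" else patient,
                       "ip": ip, "lat": float(lat), "lon": float(lon)})
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def finding(trigger, user, detail):
    # Every hit is a *suspected* incident: Medium on the page's severity matrix
    # until scoping shows whether ePHI was actually exposed.
    return {"trigger": trigger, "user": user, "detail": detail, "severity": "Medium"}


def detect_out_of_hours(events):
    hits = []
    for e in events:
        window = BUSINESS_HOURS.get(e["user"])
        if window and e["event"] == "VIEW" and not (window[0] <= e["ts"].hour < window[1]):
            hits.append(finding("out_of_hours", e["user"], f"{e['patient']} at {e['ts']:%H:%M}"))
    return hits


def detect_mass_reads(events):
    """Sliding window over each user's VIEW events, counting distinct patients."""
    hits, views = [], defaultdict(list)
    for e in events:
        if e["event"] == "VIEW":
            views[e["user"]].append(e)       # already time-ordered
    for user, seq in views.items():
        start = 0
        for end in range(len(seq)):
            while seq[end]["ts"] - seq[start]["ts"] > MASS_READ_WINDOW:
                start += 1
            distinct = {v["patient"] for v in seq[start:end + 1]}
            if len(distinct) >= MASS_READ_THRESHOLD:
                hits.append(finding("mass_reads", user, f"{len(distinct)} charts in {MASS_READ_WINDOW}"))
                break
    return hits


def detect_impossible_travel(events):
    """Flag consecutive events for one user whose implied speed is implausible."""
    hits, last = [], {}
    for e in events:
        prev = last.get(e["user"])
        if prev and (prev["lat"], prev["lon"]) != (e["lat"], e["lon"]):
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
                hits.append(finding("impossible_travel", e["user"],
                                    f"{km:.0f} km in {hours:.2f} h ({prev['ip']} -> {e['ip']})"))
        last[e["user"]] = e
    return hits


def triage(log_text):
    """Run every check; each finding should open an intake ticket (Phase 1, step 1)."""
    events = parse_log(log_text)
    return detect_out_of_hours(events) + detect_mass_reads(events) + detect_impossible_travel(events)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['trigger']:<18} {f['user']:<10} {f['detail']}")
```

Run as-is, the script reports three suspected incidents: an impossible-travel hit for dr_lee (a New York session followed 35 minutes later by a London login), an out-of-hours chart view by clerk_kim, and a mass-read burst by nurse_ng. The nurse's 02:10 chart view is deliberately not flagged, because night-shift clinicians are exempt from the schedule map; whichever schedule source you use in production, the exemption list is the part most likely to hide a real incident, so review it as carefully as the thresholds.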

What to do in the first 15–60 minutes

  1. Open a ticket immediately and record discovery details (who, when, how). This timestamp may start your breach-notification clock later.
  2. Stabilize patient care first where clinical systems are in scope.
  3. Verify scope quickly: is any system that stores, processes, or transmits ePHI involved? If “unknown,” treat as “potential ePHI” and escalate.
  4. Escalate by severity using the template’s severity matrix (High = confirmed ePHI compromise or active ransomware; Medium = suspected ePHI exposure; Low = no ePHI but security control failure).

Decision tree

  • Q1: Is ePHI possibly involved?
    • No → standard security incident path (document and close with rationale).
    • Yes/Unknown → go to containment immediately and start the four-factor worksheet.
  • Q2: Is the system still exposed or spreading?
    • Yes → isolate now; disable access; snapshot evidence.
    • No → proceed to deeper scoping and lightweight forensics (log collection and timeline reconstruction; a full forensic image only where severity warrants it).

Phase 2 — Contain & eradicate

In healthcare, containment must balance speed with continuity of care. Your plan should pre-approve the actions below to avoid delays.

Account, device, and network actions

  • Disable or reset accounts tied to the incident. Enforce immediate MFA reset and session revocation for implicated users.
  • Remote lock or wipe any lost or stolen device that may hold ePHI, and record evidence of the command and outcome.
  • Isolate affected endpoints/segments (VLAN quarantine, EDR network containment). Prefer micro-isolation that preserves essential clinical workflows.
  • Block indicators (hashes, IPs, domains) across email, EDR, firewall, and DNS filtering.
  • Suspend risky integrations (e.g., SFTP feeds to third parties) when they are in the suspected path of exposure.

Vendor/BA coordination and legal hold activation

  • Notify the business associate contact listed in your RACI if a BA system or shared environment is in scope. Request artifacts: logs, timelines, evidence that ePHI was or was not accessed.
  • Activate a legal hold on relevant systems and custodians so evidence isn’t modified or deleted. The template includes a legal-hold notification email and an evidence inventory log.
  • Document every containment step (who performed it, when, and why) in the evidence & decisions log to support later reporting.

Phase 3 — Assess breach likelihood

This phase determines whether the incident is a reportable breach of unsecured PHI. Your template includes a structured worksheet to make the analysis defensible and consistent.

  1. Nature and extent of PHI involved
    • Identify the types of identifiers and the likelihood of re-identification.
    • Note volume (records, data fields) and any financial/clinical sensitivity (diagnosis codes, SSNs).
  2. Unauthorized person who used or to whom the disclosure was made
    • Distinguish internal workforce vs external vs known bad actor.
    • Consider whether the recipient is another HIPAA-regulated entity bound by a duty of confidentiality.
  3. Whether PHI was actually acquired or viewed
    • Use logs, EDR telemetry, DLP, and BA attestations to determine if access was attempted vs. confirmed viewing/exfiltration.
  4. Extent to which the risk has been mitigated
    • Did you retrieve the information, obtain satisfactory assurances (e.g., written recipient attestation of destruction/non-use), or apply remote wipe before viewing occurred?

How to document it

  • Record the facts, assumptions, and supporting evidence for each factor in the worksheet.
  • Conclude with a yes/no determination: breach presumed unless a low probability of compromise is shown based on the four-factor analysis.
  • Have Privacy, Security, and Legal sign off in the template’s approval block.

Phase 4 — Notifications & reporting

If the four-factor test concludes there is a reportable breach, the notification clocks and content rules kick in. Your template bundles timelines, scripts, and checklists to reduce errors.

Who you may need to notify

  • Affected individuals: without unreasonable delay and no later than 60 calendar days after discovery. The kit includes a patient notice letter outline with the required elements (a brief description of what happened, including the date of the breach and the date of discovery; the types of PHI involved; steps individuals should take to protect themselves; what you are doing to investigate, mitigate, and prevent recurrence; and contact procedures such as a toll-free number, email address, website, or postal address).
  • HHS (the Secretary):
    • 500 or more individuals affected: notify HHS through the breach reporting portal contemporaneously with individual notice, within the same ≤60-day window.
    • Fewer than 500: log the breach and submit that log no later than 60 days after the end of the calendar year in which it was discovered.
  • Prominent media: required when more than 500 residents of a single state or jurisdiction are affected, and directed to outlets serving that state or jurisdiction. The kit includes a media statement framework aligned with patient-facing language to ensure consistency.

Operational tips embedded in the template

  • A notification tracker calculates deadlines from the discovery date and assigns owners for drafting, legal review, delivery, and proof of mailing/dispatch.
  • A portal prep checklist captures all fields you’ll need for HHS submission so the form isn’t a last-minute scramble.
  • A contact center FAQ keeps patient responses accurate and consistent.

Phase 5 — Recovery & post-incident

This is where you prove resilience and prevent recurrences. The template includes a post-incident playbook and an after-action report (AAR) structure.

Restore services and data

  • Prioritize clinical systems and dependencies first. Validate EHR integrity, medication and order flows, and interface queues.
  • Recover from clean backups, re-image compromised endpoints, rotate keys/secrets, and re-baseline configurations in MDM/endpoint management.

Patient-care continuity notes

  • Capture any diversions, delays, or manual workarounds you implemented to maintain continuity of care and when you returned to normal operations.

Root cause and corrective actions (CAPA)

  • Identify technical and process root causes (phishing gap, access control misconfiguration, inadequate vendor monitoring).
  • Define corrective actions with owners and due dates: policy updates, control changes, new monitoring, revised BA agreements, or additional training.
  • Log CAPA in the AAR & CAPA tracker so you can demonstrate closure during audits.

Tabletop feedback loop

  • Within 30 days, run a tabletop exercise using the incident scenario: did escalation paths work, were roles clear, did the notification tracker keep the team on schedule?
  • Update the plan, forms, and RACI accordingly, and record the exercise in the testing log. Regular testing not only strengthens your program; it also shows regulators that your plan is living, not shelfware.

How this lifecycle accelerates compliance and reduces risk

  • It front-loads decisions (Is ePHI involved? Is exposure ongoing?) to cut hours off containment.
  • It bakes in the four-factor test so breach determinations are consistent and defensible.
  • It turns deadlines into tasks with owners, so the 60-day window doesn’t slip.
  • It captures evidence as you go, producing a clean narrative for internal leadership and external regulators if needed.

Roles & accountability (small orgs vs systems)

The fastest way to turn requirements into action is to make ownership painfully clear. Your HIPAA incident response plan should define who discovers, who decides, and who notifies—with named backups and time-boxed handoffs. Below is a practical split for smaller clinics versus large health systems, mapped to the RACI included in the template.

Minimum viable team: small clinics (1–5 sites)

Who discovers

  • Front-line staff or IT generalist: opens the intake form the moment an alert, patient complaint, or vendor email arrives. Records the discovery timestamp (this may start the 60-day clock).

Who decides

  • Privacy officer (can be dual-hatted as compliance lead): owns the four-factor assessment and breach determination.
  • Security/IT lead: leads containment (account disable, remote lock/wipe, isolation), supplies evidence for the assessment.

Who notifies

  • Privacy officer: drafts patient letters and coordinates HHS reporting; routes for legal review (outside counsel if needed).
  • Owner/administrator: approves final notices; engages PR only if the media threshold (more than 500 residents of a single state or jurisdiction) is reached.

RACI tip for clinics

  • Keep it lean: one Responsible per task, one Accountable approver, named backups for vacations, and no more than two Consulted roles per decision.

Minimum viable team: mature health systems

Who discovers

  • SOC/NOC or clinical IT operations: monitors EDR/XDR, EHR logs, and DLP; files the intake and assigns initial severity.
  • Vendor management: funnels business associate (BA) alerts into the same queue so discovery is timestamped consistently.

Who decides

  • Privacy officer (chair): runs the four-factor huddle; captures the rationale in the worksheet.
  • CISO/security operations: leads containment and lightweight forensics, confirms whether PHI was viewed/acquired, and documents mitigation.
  • Legal: interprets gray areas (e.g., “recipient bound by confidentiality”) and confirms breach vs. no-breach posture.

Who notifies

  • Privacy + Legal: finalize patient letter content and HHS portal submission.
  • Communications/PR: prepares the media notice and spokesperson guidance when more than 500 residents of a single state or jurisdiction are affected.
  • Provider relations/patient experience: staffs a call line with an FAQ so responses are consistent.
  • Executive sponsor: signs off on high-visibility communications and briefings.

RACI tip for systems

  • Add Data owner for the affected application and a BA liaison for vendor evidence intake. Use swimlanes for Clinical Ops, IT, Privacy, Legal, PR, and Vendor Mgt. Every task in the tracker has an owner, deadline, and proof of completion.

Escalation clock: when the 60-day window starts

The outside deadline to notify individuals is no later than 60 calendar days from discovery of a breach. Practically, you control this by being precise about “discovery”:

  • Discovery = the first day the breach is known to your organization, or by exercising reasonable diligence would have been known, to any workforce member or agent (other than the person who committed the breach).
  • If a business associate experiences the incident and the BA is acting as your agent, your timeline begins at the BA's discovery (not when they finally tell you). For a non-agent BA, your clock starts when it notifies you, and the BA itself must do so no later than 60 days after its own discovery. That's why the template includes a BA intake path and SLA language.

To stay compliant and still investigate, time-box the phases:

Day 0 (discovery)

  • Open the intake; stamp the time; start the notification countdown in the tracker.
  • Contain active exposure (disable accounts, isolate devices, remote lock/wipe lost hardware).

By Day 2–3

  • Complete scoping and assemble artifacts (logs, EHR access reports, BA attestations).
  • Launch the four-factor assessment with Privacy/Security/Legal.

By Day 7–10

  • Reach a preliminary determination: breach vs. low probability of compromise.
  • If a breach is likely and either 500 or more individuals are affected (HHS notice) or more than 500 residents of any single state or jurisdiction are affected (media notice), alert PR and leadership now so media planning doesn't compress the timeline.

By Day 14–21

  • Finalize determination and draft patient notices; legal review for accuracy and required content.
  • Prepare HHS submission details in the portal checklist; pre-fill all fields.

No later than Day 60

  • Send individual notices and submit HHS notice for events affecting ≥500.
  • For <500, ensure the event is entered into the annual breach log (due to HHS within 60 days after the end of the calendar year).

Governance guardrails

  • If forensics is ongoing near Day 45 and facts are still evolving, proceed with notification using best-available information and note that supplemental updates may follow. Do not let open forensics push you past the deadline; the only recognized reason to delay is a documented law-enforcement request under 45 CFR 164.412, and even that delay is time-limited.
  • Use the tracker’s “red zone” formatting to flag items due within 10 days and trigger exec escalation.

Practical staffing patterns that work

  • Clinic model: Privacy Officer (A), IT Lead (R for containment), Admin/Owner (A for notices), Front Desk/MA (reporting path), Outside Counsel (C as needed), PR (I unless the media threshold is reached).
  • Regional hospital: SOC (R for discovery), Security Ops (R for containment), Privacy (A for assessment), Legal (A for notices), PR (R for media), App/Data Owner (C), BA Liaison (R for vendor evidence).
  • Enterprise system: Add a Breach Response Manager role responsible for running the war room, maintaining the evidence/decisions log, and keeping the 60-day clock visible to all stakeholders.

What to bake into job descriptions and on-call

  • On-call rotations for Privacy and Security with response SLAs (e.g., triage within 30 minutes, containment actions within 2 hours).
  • Pre-approved authorities: Security can isolate or wipe endpoints without convening a committee; Privacy can convene the assessment huddle on short notice.
  • Backup coverage: list named alternates for every accountable role; test them during tabletops.
  • Training cadence: quarterly refreshers for intake, four-factor reasoning, and how to use the trackers and templates.

Timelines at a glance (compliance cheat-sheet)

Use this single-screen matrix to keep everyone honest about the clock. It assumes your organization follows the plan and tools in the template (intake form, four-factor worksheet, notification tracker, evidence log).

Each entry lists the phase and trigger, what happens, the primary owner, the evidence to capture, and the deadline or target.

Discovery (Day 0)
  • What happens: First credible signal of an incident that may involve ePHI: EDR alert, lost/stolen device, anomalous access, BA notice, ransomware indicator, or misdirected communication.
  • Primary owner: Intake owner (front line, SOC, or IT).
  • Evidence to capture: Incident intake form, discovery timestamp, reporter, systems in scope.
  • Deadline / target: Starts the notification clock if later determined to be a breach.

Containment (0–24 hours)
  • What happens: Stop the bleeding: account disable/MFA reset, remote lock/wipe for lost devices, endpoint/network isolation, block IOCs, suspend risky integrations. Prioritize continuity of care.
  • Primary owner: Security / IT lead.
  • Evidence to capture: Actions taken (who/when), console screenshots, ticket IDs, wipe confirmation, isolation notes.
  • Deadline / target: 0–24 hours from discovery.

Scope & evidence (Days 1–3)
  • What happens: Gather facts for a defensible assessment: access logs, DLP hits, BA artifacts, EHR reports, user interviews.
  • Primary owner: Security / IT + BA liaison.
  • Evidence to capture: Log exports, attestation emails, evidence indices, chain of custody in the evidence & decisions log.
  • Deadline / target: Within 72 hours (internal target).

Four-factor assessment (≤10 days target)
  • What happens: Privacy, Security, and Legal complete the worksheet: (1) nature/extent of PHI, (2) unauthorized person, (3) whether PHI was acquired/viewed, (4) mitigation effectiveness. Determination: breach vs. low probability of compromise.
  • Primary owner: Privacy officer (chair).
  • Evidence to capture: Completed worksheet, rationale, approvals (Privacy/Security/Legal).
  • Deadline / target: ≤10 days from discovery (internal target).

Draft notifications (Days 10–21)
  • What happens: Prepare patient notice letters (required elements), HHS portal details and, if the threshold is met, the media statement. Pre-stage the call-center FAQ.
  • Primary owner: Privacy + Legal (+ PR if needed).
  • Evidence to capture: Draft letters, portal checklist, media outline, FAQ.
  • Deadline / target: Internal target to avoid the Day-60 crunch.

Individual notice
  • What happens: Send notices "without unreasonable delay" and no later than 60 calendar days after discovery. Use a permitted delivery method (first-class mail; email where the individual has agreed to electronic notice; substitute notice where contact information is insufficient or out of date).
  • Primary owner: Privacy (with Legal review).
  • Evidence to capture: Proof of dispatch, copies of notices, recipient list, returned mail handling.
  • Deadline / target: ≤60 days from discovery.

HHS notice (500 or more individuals)
  • What happens: Notify HHS through the breach reporting portal contemporaneously with individual notice, and in no case later than 60 days after discovery.
  • Primary owner: Privacy / Legal.
  • Evidence to capture: HHS submission confirmation ID, submitted details.
  • Deadline / target: ≤60 days from discovery.

Media notice (more than 500 residents of a state/jurisdiction)
  • What happens: Issue a statement to prominent media outlets serving that state or jurisdiction.
  • Primary owner: PR (with Legal / Privacy).
  • Evidence to capture: Media posting/airing proof, statement archive.
  • Deadline / target: Same ≤60-day window.

HHS annual log (fewer than 500 individuals)
  • What happens: Add the event to your breach log and submit the log to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
  • Primary owner: Privacy / Compliance.
  • Evidence to capture: Breach log entry, annual submission confirmation.
  • Deadline / target: ≤60 days after year-end.

Recovery & CAPA (post-notice)
  • What happens: Restore services, rotate credentials/keys, harden controls, update BA terms if needed, and record corrective/preventive actions with owners and due dates.
  • Primary owner: Security / IT + Compliance.
  • Evidence to capture: After-action report, CAPA tracker, retest evidence.
  • Deadline / target: Within 30 days of closure (target).

How to use this in practice

  • Print this matrix as a war-room poster and mirror it in your tracker. The discovery timestamp auto-calculates every downstream deadline so owners see their deliverables go red as Day 60 approaches.
  • Treat forensics as time-boxed. If facts are still developing, proceed with notice using best-available information; you can supplement later. The timeline does not pause for investigation.
  • For multi-state incidents, your tracker should compute counts per state/jurisdiction and flag any that exceeds 500 residents (media notice), separately from the total of 500 or more individuals that triggers immediate HHS notice.
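The tracker logic described in the operational tips, the governance guardrails and the matrix above (every deadline derived from the discovery date, a red zone before Day 60, separate HHS and per-state media thresholds, the annual log for small breaches) is small enough to write down. The script below is an added example, not the template's tracker or Prey's code. The deadlines follow 45 CFR 164.404, 164.406 and 164.408; the 10-day red-zone window, the owner labels, the assumption that each individual is counted under exactly one state or jurisdiction, and the sample breach figures are assumptions.

```python
"""Breach-notification deadline tracker. Added example, not the template's
tracker or Prey's code. Deadlines follow 45 CFR 164.404, 164.406 and 164.408;
the red-zone window, owner labels and sample figures are assumptions, and each
individual is assumed to be counted under exactly one state or jurisdiction."""
from dataclasses import dataclass
from datetime import date, timedelta

INDIVIDUAL_NOTICE_DAYS = 60          # 164.404(b): no later than 60 calendar days after discovery
HHS_IMMEDIATE_THRESHOLD = 500        # 164.408(b): 500 or more individuals -> notice with individual notice
MEDIA_THRESHOLD = 500                # 164.406: MORE than 500 residents of one state/jurisdiction
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60  # 164.408(c): smaller breaches logged, submitted after year end
RED_ZONE_DAYS = 10                   # assumption: tracker setting that triggers exec escalation


@dataclass(frozen=True)
class Breach:
    discovered: date                  # the date the clock starts (see "Escalation clock")
    residents_by_jurisdiction: dict   # e.g. {"NY": 400, "NJ": 501}

    @property
    def affected(self):
        return sum(self.residents_by_jurisdiction.values())


def individual_notice_deadline(discovered):
    return discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)


def annual_log_deadline(discovered):
    # 60 days after Dec 31 of the discovery year: Mar 1, or Feb 29 in a leap year.
    return date(discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)


def media_jurisdictions(breach):
    """States/jurisdictions whose resident count is strictly above 500."""
    return sorted(j for j, n in breach.residents_by_jurisdiction.items() if n > MEDIA_THRESHOLD)


def obligations(breach):
    """Every notification task the breach triggers, with its outside deadline."""
    outer = individual_notice_deadline(breach.discovered)
    rows = [{"task": "individual_notice", "owner": "Privacy", "deadline": outer}]
    if breach.affected >= HHS_IMMEDIATE_THRESHOLD:
        rows.append({"task": "hhs_notice", "owner": "Privacy/Legal", "deadline": outer})
    else:
        rows.append({"task": "hhs_annual_log", "owner": "Compliance",
                     "deadline": annual_log_deadline(breach.discovered)})
    for j in media_jurisdictions(breach):
        rows.append({"task": f"media_notice:{j}", "owner": "PR", "deadline": outer})
    return rows


def status(deadline, today):
    days_left = (deadline - today).days
    if days_left < 0:
        return "overdue"
    return "red" if days_left <= RED_ZONE_DAYS else "ok"


def tracker(breach, today):
    """Obligations annotated with days left and red-zone status as of `today`.
    Nothing here moves a deadline; only a documented law-enforcement request
    under 164.412 can do that, and it should be recorded in the decisions log."""
    return [dict(r, days_left=(r["deadline"] - today).days,
                 status=status(r["deadline"], today)) for r in obligations(breach)]


if __name__ == "__main__":
    sample = Breach(date(2025, 11, 10), {"NY": 400, "NJ": 501, "CT": 120})  # constructed figures
    for row in tracker(sample, date(2026, 1, 1)):
        print(f"{row['status']:<8} {row['days_left']:>4}d  {row['task']:<18} {row['owner']}  due {row['deadline']}")
```

With the constructed figures (1,021 individuals across three states, discovered 10 November 2025), the tracker produces individual and HHS notice deadlines of 9 January 2026, flags them red as of 1 January, and adds a media task for New Jersey only: New York's 400 residents fall below the media threshold even though the breach as a whole is large enough for immediate HHS notice. A state with exactly 500 residents triggers no media task, which is the distinction the two thresholds hide when both are written as "500+".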

Integrating tools that speed compliance (where Prey helps)

Great policies move faster when the tooling does the heavy lifting. Here are the specific capabilities that shrink time-to-containment, strengthen your four-factor rationale, and produce a clean paper trail—mapped to the template you’re using.

Device inventory and chain of custody for ePHI devices

  • Maintain a live inventory of endpoints that may store, process, or route ePHI (laptops, tablets, phones, shared workstations).
  • Tie each asset to an owner, location, encryption status, and last check-in. This lets you answer two breach-critical questions in seconds: “Was the device encrypted?” and “Who had custody?”
  • Your evidence & decisions log should include a direct reference to the asset record (serial, user, configuration baseline) to support factor 1 (nature/extent of PHI) and factor 4 (mitigation).

Remote lock/wipe to mitigate factor #4 and narrow breach scope

  • If a device is lost or stolen, a verifiable remote lock or wipe—with timestamped proof—can materially lower the probability of compromise.
  • Record the command, outcome, and screenshot/ID in the containment checklist. This becomes part of your four-factor worksheet and helps justify a “low probability” conclusion when appropriate.

Breach monitoring and credentials exposure checks to accelerate detection and evidence capture

  • Continuous monitoring for exposed credentials and related signals reduces “dwell time” between compromise and discovery (which matters for your notification clock).
  • When exposure is detected, log the source and scope (e.g., which identities, when first seen) and pair that with MFA reset/session revocation evidence.
  • Feed these artifacts into the incident intake and evidence log so your determination is based on concrete indicators, not assumptions.

FAQs

Is every HIPAA security incident a breach?

No. Start with the four-factor risk assessment. If, after evaluating (1) the nature/extent of PHI, (2) the unauthorized person, (3) whether PHI was actually acquired or viewed, and (4) how effectively you mitigated the risk, you determine there’s a low probability of compromise, you may conclude it is not a reportable breach—documenting your rationale in the worksheet.

When exactly does the 60-day clock start?

At discovery of the breach, meaning the first day the breach is known to your organization, or would have been known with reasonable diligence, by any workforce member or agent. If a business associate that acts as your agent experiences the incident, the timeline begins at the BA's discovery, not when it eventually informs you; for a non-agent BA, your clock starts when the BA notifies you, which it must do within 60 days of its own discovery. Capture the discovery timestamp in the intake form and let your tracker compute deadlines from there.

Do I have to notify the media?

Only if the breach involves more than 500 residents of a single state or jurisdiction; the notice goes to prominent media outlets serving that state or jurisdiction. That's in addition to notifying affected individuals and HHS. Your tracker should compute state/jurisdiction counts and flag when the threshold is crossed.

How do I report <500-person breaches?

Notify affected individuals as required, log the breach, and submit that log to the federal regulator no later than 60 days after the end of the calendar year in which the breach was discovered. Your breach notification tracker should maintain these entries and surface the annual submission deadline.

What counts as “unsecured” PHI?

PHI is considered "unsecured" if it isn't protected by a technology or methodology that HHS guidance recognizes as rendering it unusable, unreadable, or indecipherable to unauthorized individuals: encryption consistent with the NIST guidance HHS cites (for data at rest and in transit), or destruction of the media. If a lost or stolen device was encrypted this way, the decryption key or passphrase was not stored on the device or compromised with it, and the device was not left powered on with the volume already unlocked, the loss is not a breach of unsecured PHI and notification is not triggered. Verify the encryption status from your endpoint management records rather than from memory, confirm the key was not exposed, and keep that proof in the case file.

