HIPAA Breaches & Incident Management: What You Need to Know

Learn what qualifies as a HIPAA breach, required notification timelines, documentation standards, and what to expect during an OCR investigation.

What Is a HIPAA Breach?

Under the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414), a breach is:

The acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.

In simple terms:
If PHI is exposed, accessed, or disclosed improperly, it may be a breach.


Common Examples of Breaches

  • Sending PHI to the wrong patient

  • Lost or stolen unencrypted laptops

  • Ransomware attacks

  • Improper employee access to records

  • Posting patient information publicly

  • Unauthorized vendor access

Not every incident automatically qualifies as a reportable breach, but every incident must be evaluated.


Breach Risk Assessment Requirement

When an incident occurs, organizations must conduct and document a risk assessment to determine whether the incident is reportable.

This assessment evaluates:

  1. The nature and extent of the PHI involved

  2. Who accessed or received the PHI

  3. Whether the PHI was actually acquired or viewed

  4. The extent to which risk has been mitigated

If the assessment determines there is a low probability that the PHI was compromised, notification may not be required, but documentation of the assessment and its conclusion is still mandatory.


Breach Notification Timelines

If an incident is determined to be a reportable breach, strict timelines apply.


Individual Notification

Covered Entities must notify affected individuals:

  • Without unreasonable delay

  • No later than 60 days after discovery

Notification must include:

  • Description of what happened

  • Types of information involved

  • Steps individuals should take

  • What the organization is doing to mitigate harm

  • Contact information


HHS (OCR) Notification

For breaches involving:

  • 500 or more individuals:
    Must notify the Office for Civil Rights (OCR) within 60 days.

  • Fewer than 500 individuals:
    Must maintain a breach log and report annually to OCR (no later than 60 days after the end of the calendar year).


Media Notification

If a breach affects more than 500 residents of a state or jurisdiction, media notification may also be required.


Incident Documentation Requirements

Even if an incident does not rise to the level of a reportable breach, it must be documented.

Documentation should include:

  • Date discovered

  • Description of incident

  • Individuals involved

  • Risk assessment findings

  • Determination (breach vs. non-breach)

  • Corrective actions taken

  • Mitigation steps

  • Date notifications were sent (if applicable)

OCR frequently cites failure to document incidents (even when organizations handled the incident appropriately).

If it’s not documented, regulators may assume it was not handled correctly.


Internal Reporting Requirements

Organizations must have documented internal procedures for:

  • Reporting suspected incidents immediately

  • Escalating issues to compliance leadership

  • Investigating and evaluating incidents

  • Maintaining a breach log

  • Applying sanctions when workforce members violate policies

Employees should know:

  • Whom to report incidents to

  • How quickly they must report

  • That reporting is mandatory

Failure to implement internal reporting processes is a common enforcement finding.


What Happens During an OCR Investigation?

OCR investigations are often triggered by:

  • Breach reports

  • Patient complaints

  • Media coverage

  • Whistleblower reports

When an investigation begins, OCR may request:

  • Most recent Security Risk Analysis

  • Risk management plan

  • Policies and procedures

  • Workforce training documentation

  • Incident documentation

  • Evidence of safeguards

  • Copies of Business Associate Agreements


Potential Outcomes of an Investigation

Depending on findings, OCR may:

  • Close the case with no action

  • Require a corrective action plan (CAP)

  • Impose civil monetary penalties

  • Mandate multi-year monitoring

  • Refer matters to the Department of Justice

Many enforcement actions cite multiple compliance failures, not just the breach itself.


Key Takeaways

  • Not every incident is a reportable breach, but every incident must be evaluated.

  • Notification deadlines are strict (generally 60 days).

  • Documentation is critical.

  • Internal reporting procedures must be in place.

  • OCR investigations examine your entire compliance program, not just the incident.

Proactive incident management significantly reduces regulatory risk.


Concerned about your breach response procedures?
Ensure your organization has documented processes and current risk assessments in place.

Last reviewed: February 2026