Healthcare Incident Response Plan — Template + Tabletop Exercise
11 min read · Last reviewed May 23, 2026
A healthcare incident response plan is the written procedure a HIPAA covered entity uses to identify, respond to, mitigate, and document security incidents involving PHI. The requirement lives at 45 CFR § 164.308(a)(6) — a required, not addressable, administrative safeguard. The plan must cover detection, response, mitigation, documentation, and post-incident review.
What HHS actually requires
The Security Incident Procedures standard at 45 CFR § 164.308(a)(6)(i) is one sentence: Implement policies and procedures to address security incidents. The required implementation specification at (a)(6)(ii) adds: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
Three definitional anchors matter. Security incident at § 164.304 is broader than breach at § 164.402 (the FAQ above breaks this out). The contingency plan at § 164.308(a)(7) is a parallel — but separate — required standard that addresses business continuity rather than incident response.
The federal frameworks that inform what an effective plan looks like: NIST SP 800-61 Rev. 3 (Incident Response Recommendations and Considerations for Cybersecurity Risk Management — April 2024, superseding the withdrawn Rev. 2); NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments); and NIST SP 800-66 Rev. 2, the 2024 update to the HIPAA Security Rule cybersecurity resource guide. Rev. 3 reframes the lifecycle around continuous-improvement risk management activities — Preparation, Detection and Analysis, Containment and Recovery, and Post-Incident Activity — rather than the strictly linear four-phase model of the withdrawn Rev. 2.
The breach notification side lives in a separate subpart: §§ 164.400 through 164.414. OCR's breach reporting portal is the channel for HHS notification.
Template — incident response plan (copy-ready)
The template below maps the NIST SP 800-61 Rev. 3 lifecycle to the § 164.308(a)(6) requirements. We file this version in client binders.
``` HEALTHCARE INCIDENT RESPONSE PLAN [Practice Name] Effective: [DATE] Reviewed annually.
- PURPOSE AND SCOPE
This plan satisfies 45 CFR § 164.308(a)(6) by establishing how this practice identifies, responds to, mitigates, and documents security incidents involving ePHI. It applies to every workforce member, contractor, and business associate.
- DEFINITIONS
Security Incident — per 45 CFR § 164.304: the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
Breach — per 45 CFR § 164.402: the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule, which compromises the security or privacy of the PHI.
- ROLES AND CONTACTS
Security Officer (incident commander): [Name] / [phone] / [email] / [after-hours phone]
Privacy Officer: [Name] / [phone] / [email]
Practice Owner / Executive: [Name] / [phone] / [email]
External IT / MSP: [Vendor] / [contact] / [phone] / [SLA reference]
Breach counsel: [Firm] / [attorney] / [phone] / [retainer status]
Cyber insurance carrier: [Carrier] / [policy #] / [claim hotline]
Forensic / DFIR firm (pre-vetted): [Firm] / [contact] / [phone]
EHR vendor incident contact: [Vendor] / [support tier] / [phone]
External reporting:
- HHS OCR breach portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- FBI IC3: https://www.ic3.gov
- State Attorney General: [contact for each applicable state]
- State breach-notification authority: [contact]
- PHASE 1 — PREPARATION
- Maintain the contact list above; verify quarterly.
- Maintain pre-vetted DFIR retainer or carrier-provided panel.
- Confirm cyber insurance policy is current; understand the
notification window required by the carrier (often 24-72 hours).
- Maintain offline backups per the contingency plan
(45 CFR § 164.308(a)(7)); test restore quarterly.
- Run one tabletop exercise per year (see Appendix A).
- PHASE 2 — DETECTION AND ANALYSIS
Detection triggers (non-exhaustive):
- EHR or PM system alert
- User report of suspicious behavior, lockout, or unfamiliar email
- Endpoint protection alert
- Email rule that the user did not create (BEC indicator)
- Lost or stolen device or paper record
- Vendor notification of a breach affecting the practice
- Ransom note or encrypted-file extension change
On detection, the discovering workforce member:
- Does not power off the affected device.
- Disconnects the device from the network (unplug Ethernet,
disable Wi-Fi) but leaves it powered on to preserve memory state.
- Notifies the Security Officer within 1 hour of discovery.
- Logs the discovery time, device, and observed indicators on
the Incident Intake Form (Appendix B).
The Security Officer:
- Confirms the incident is in scope (PHI-bearing system, workforce
member, or facility involved).
- Activates this plan; opens an Incident Record per Appendix B.
- Begins the breach risk assessment timer (60-day discovery clock
starts at the moment of discovery, not at the moment of confirmation).
- Notifies the Privacy Officer, Practice Owner, and IT/MSP within
2 hours.
- Notifies cyber insurance within the carrier's required window.
- PHASE 3 — CONTAINMENT, ERADICATION, AND RECOVERY
Containment (first 24 hours):
- Isolate affected systems from the network.
- Disable affected user accounts; force credential reset for
potentially compromised accounts.
- Preserve volatile state (memory, network state) before any
eradication step that would destroy evidence.
- Engage DFIR if scope exceeds internal capability.
Eradication:
- Remove malicious files, accounts, and persistence mechanisms.
- Patch the entry vector if identified.
- Validate that no additional compromised systems remain.
Recovery:
- Restore from known-good offline backups per the contingency plan.
- Validate restored data integrity before returning to production.
- Monitor restored systems for at least 14 days post-recovery.
- PHASE 4 — POST-INCIDENT ACTIVITY
Within 14 days of recovery:
- Complete the four-factor breach risk assessment
(45 CFR § 164.402): (i) nature and extent of PHI involved; (ii) the unauthorized person; (iii) whether PHI was actually acquired or viewed; (iv) extent to which risk has been mitigated.
- Document the breach determination with rationale.
- If breach determined, notify per §§ 164.404, 164.406, 164.408.
- File an after-action report (Appendix C).
- Update risk analysis (§ 164.308(a)(1)(ii)(A)) with the new
finding.
- Update controls, training, and policies as needed.
- NOTIFICATION DECISION MATRIX
Affected individuals discovered | Notify within (HIPAA) ----------------------------------|----------------------- < 500 individuals | Individuals within 60 days; | HHS via annual log within 60 | days after calendar-year end | (45 CFR § 164.408(c)) ≥ 500 in a single state/jurisdiction| Individuals + media + HHS | within 60 days Business Associate detected first | BA must notify covered entity | within 60 days of discovery | (45 CFR § 164.410)
- TESTING
Run one tabletop exercise per year using a documented scenario. Maintain the after-action report for at least six years. Update the contact list quarterly; verify after every workforce change.
- RETENTION
This plan, every Incident Record, and every after-action report are retained for at least six years per 45 CFR § 164.316(b)(2)(i). ```
Tabletop exercise script (Appendix A)
We use the script below with clients running their first tabletop. Total runtime 30-45 minutes. Documented and filed even if the runtime is shorter.
``` TABLETOP EXERCISE — RANSOMWARE SCENARIO
Attendees: Security Officer, Privacy Officer, Practice Owner, one clinical staff member, one front-desk staff member.
Materials: this plan, contact list, EHR vendor name, cyber insurance policy summary, blank Incident Intake Form (Appendix B).
Inject 1 (0:00): "It is Monday morning at 7:45 AM. The front-desk member arrives, opens the workstation, and sees a full-screen ransom note. The desktop shows files with a .encrypted extension. Phones are working; EHR cloud login times out. Question: who is contacted, in what order, in the first 15 minutes?"
Discuss and document the answer. Compare to the plan's contact list.
Inject 2 (0:10): "The Security Officer arrives at 8:15 AM. Two more workstations are showing the same ransom note. The clinical staff member's laptop is not affected. Patients begin arriving at 8:30 AM. Question: do you see patients today? How do you make that decision, and who makes it?"
Discuss containment vs. operations. Document.
Inject 3 (0:20): "By 9:30 AM forensic triage confirms 12 workstations and the on-site file server are encrypted. Cloud EHR is restored from vendor backup but local document storage is encrypted. The Security Officer discovers an unfamiliar admin account was created 19 days ago. Question: is this a reportable breach? What is the discovery date for the 60-day clock?"
Discuss the breach risk assessment, the discovery date, the four- factor analysis. Document.
Inject 4 (0:30): "Cyber insurance has been notified. DFIR firm is engaged. The question now is patient notification. The forensic firm cannot yet confirm whether PHI was exfiltrated. Question: do you start drafting notification letters now, or wait for forensic confirmation?"
Discuss the documentation burden, the 60-day outer bound, state- level shorter bounds, and the OCR ransomware fact sheet's presumption.
After-action (0:35-0:45):
- Three things that worked.
- Three things that did not work.
- Three remediation items with assigned owner and due date.
File the after-action report in the binder under Incident Response — Tabletop Exercises. ```
State preemption carve-outs
When state breach-notification law is stricter than HIPAA, the stricter law controls under 45 CFR § 160.203. The four high-volume overlays:
| State | Statute | Notable difference vs. HIPAA | | --- | --- | --- | | California | Civ. Code § 1798.82; CMIA Civ. Code § 56.36 | "Most expedient time possible" with attorney-general notice for 500+; CMIA adds 15-business-day patient access | | New York | SHIELD Act, Gen. Bus. Law § 899-bb | Information-security program required; broader definition of personal information | | Texas | Tex. Bus. & Com. Code § 521.053 | Notification "as quickly as possible"; AG notice for 250+ within 30 days | | Florida | F.S. § 501.171 (FIPA) | Notice to affected individuals and AG within 30 days |
The practice's incident response plan should name which state authorities apply to its patient panel and pre-load the notification contacts.
How to deploy
Paste the template into the binder; fill in the contact list; pre-sign a DFIR or carrier-panel retainer so engagement is not the bottleneck during a real incident; run one tabletop in the next 60 days; file the after-action report; add the tabletop date to the annual review calendar.
The single highest-leverage deployment move is the pre-vetted DFIR contact. Practices that find a forensic firm at the moment of an incident lose three to seven days to onboarding before containment can begin. Practices with a current retainer engage in hours.
Common gaps
What we see fail in practice:
- No documented test. The plan exists; the tabletop has never been run; OCR asks for evidence of testing and there is none.
- Stale contact list. The Security Officer named in the plan left two years ago; the cyber insurance policy lapsed; the EHR vendor's incident phone number is wrong.
- Workforce members power off devices on discovery. Memory state is lost; forensic scope shrinks; the breach risk assessment becomes harder to defend.
- Insurance carrier notified late. Most cyber policies require notification within 24-72 hours; late notice voids coverage.
- No log of small incidents. Lost laptops, mis-faxed records, accidental email disclosures — all are security incidents under § 164.304 and need to be logged even when they are not breaches.
Maintenance cadence
Annual tabletop exercise with after-action report. Quarterly contact-list verification. Annual review of the plan against the current version of NIST SP 800-61 Rev. 3 and the most recent OCR guidance. Six-year retention of every incident record, every after-action report, and the plan itself per § 164.316(b)(2)(i).
A plan with a current contact list, a documented annual tabletop, and an incident log is the version that holds up to an OCR data request after a real breach.
How d3rx fits
The d3rx compliance binder generates the incident response plan, the tabletop script, the Incident Intake Form, the after-action template, the breach decision matrix, and the state preemption table, with citations to § 164.308(a)(6), § 164.402, NIST SP 800-61 Rev. 3, and state breach-notification statutes inline. The practice's Security Officer remains responsible for testing, executing, and updating the plan.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Healthcare Incident Response Plan — Template + Tabletop Exercise. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
How do I document a tabletop that took 20 minutes?
A short tabletop is fine as long as it is documented. File a one-page after-action report: date, attendees, scenario summary (2-3 sentences), three things that worked, three things that did not work, three remediation items with assigned owner and due date. OCR's audit protocol asks for evidence the contingency and incident plans are tested — it does not specify duration. A documented 20-minute tabletop with a real remediation list is better than an undocumented two-hour exercise.
Is a security incident the same as a breach?
No. [45 CFR § 164.304](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.304) defines security incident broadly: any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations. A breach under [45 CFR § 164.402](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.402) is the narrower subset that involves unsecured PHI and triggers notification obligations under [§§ 164.404, 164.406, 164.408](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.404). Every breach is an incident; not every incident is a breach.
What is the breach notification deadline?
Individual notice within 60 calendar days of discovery ([45 CFR § 164.404(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.404)). Media notice in the same 60 days for breaches affecting more than 500 residents of a state or jurisdiction ([§ 164.406](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.406)). HHS notice via the [OCR breach portal](https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf) within 60 days for breaches of 500+ individuals; smaller breaches reported in the annual log within 60 days of the calendar year end ([§ 164.408](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.408)). State breach notification timelines may be shorter — see the state preemption section below.
Who do I call first when an incident is detected?
The Security Officer per the practice's escalation matrix. Not the EHR vendor first, not the IT contractor first — the Security Officer, who then activates the named contacts in the plan. The reason: incidents that get reported first to a vendor often get characterized by the vendor in ways that constrain the practice's later breach assessment.
Does ransomware automatically count as a breach?
OCR's [ransomware fact sheet](https://www.hhs.gov/hipaa/for-professionals/security/guidance/fact-sheet-ransomware/index.html) takes the position that a successful ransomware attack on PHI is presumed a breach unless the four-factor risk assessment at [45 CFR § 164.402](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.402) demonstrates a low probability of compromise. In practice this means: presume breach, run the risk assessment, document the conclusion, and notify if you cannot demonstrate low probability.
Do we need to call the FBI?
Not required by HIPAA, but recommended for ransomware, large data theft, and business-email-compromise events. The FBI's [IC3](https://www.ic3.gov) is the federal point of intake. Reporting to the FBI does not satisfy the OCR notification obligation, which is separate.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.308(a)(6)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- § 164.304https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.304
- § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.402
- NIST SP 800-61 Rev. 3https://csrc.nist.gov/pubs/sp/800/61/r3/final
- NIST SP 800-30 Rev. 1https://csrc.nist.gov/pubs/sp/800/30/r1/final
- NIST SP 800-66 Rev. 2https://csrc.nist.gov/pubs/sp/800/66/r2/final
- §§ 164.400 through 164.414https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.400
- breach reporting portalhttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- 45 CFR § 160.203https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-B/section-160.203
- § 164.316(b)(2)(i)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
- www.ic3.govhttps://www.ic3.gov/
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- ComplianceHIPAA Security Officer: Required Duties + Job Description TemplateRequired duties under 45 CFR 164.308(a)(2), a copy-ready 2026 HIPAA Security Officer job description, and what we see fail in practice.
- SRAChange Healthcare Ransomware: What Small Practices Took AwayThe February 2024 Change Healthcare cyberattack, what HHS and UnitedHealth Group disclosed, and the small-practice lessons about clearinghouse concentration risk, contingency planning, and the Security Rule's information system activity review.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- SRAHIPAA Contingency Plan for a Small PracticeWhat the Security Rule contingency plan standard at 45 CFR 164.308(a)(7) actually requires, including data backup, disaster recovery, emergency mode operation, and testing — for a small practice.
- SRAWhat to Do If You Get an OCR Audit LetterA step-by-step response framework for a small practice that receives an OCR HIPAA audit or investigation letter, drawn from OCR's audit protocol and published Resolution Agreements.
- GlossaryIncident Response PlanThe documented plan describing how a covered entity detects, contains, eradicates, and recovers from a security incident.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.