5. Procedures
1. DISCOVERY AND INITIAL REPORTING
1.1 Any workforce member who suspects or discovers a potential breach of PHI shall immediately report it to the Privacy Officer via [REPORTING METHOD].
1.2 Examples of potential breaches include:
- lost or stolen device containing unencrypted PHI
- misdirected fax or email containing PHI
- unauthorized access to patient records (snooping)
- hacking incident or ransomware attack
- improper disposal of records containing PHI
- PHI left in a public area
- business associate notification of a security incident
- paper records lost, stolen, or improperly disposed of
1.3 The Privacy Officer shall log the report in the Breach Log within 24 hours.
2. INVESTIGATION
2.1 The Privacy Officer shall initiate an investigation within [NUMBER] business days of receiving a report.
2.2 The investigation shall determine:
- what PHI was involved and its nature (clinical, financial, demographic, SSN)
- how the incident occurred
- the number of individuals potentially affected
- who had unauthorized access to the PHI
- whether the PHI was actually acquired or viewed (vs. merely an opportunity for access)
- what mitigation actions have been or can be taken
3. FOUR-FACTOR RISK ASSESSMENT
3.1 Unless an exception applies (see Section 4), the Privacy Officer shall conduct the four-factor risk assessment required by 45 CFR § 164.402:
Factor 1 — Nature and Extent of PHI Involved: What types of identifiers were involved? Does the PHI include clinical diagnoses, SSN, financial information? The more sensitive the information, the higher the risk.
Factor 2 — Unauthorized Person: To whom was the disclosure made or who gained unauthorized access? Was it another covered entity or healthcare provider (lower risk) or an unknown third party (higher risk)? Did the unauthorized person have an obligation to protect the PHI?
Factor 3 — Acquisition or Viewing: Was the PHI actually acquired or viewed by the unauthorized person, or was there merely an opportunity for access? Forensic evidence that data was accessed or exfiltrated increases risk.
Factor 4 — Mitigation: To what extent has the risk been mitigated? Was the PHI recovered? Did the recipient confirm destruction? Were devices remotely wiped?
3.2 If the risk assessment demonstrates a LOW probability that the PHI has been compromised, the incident is not a reportable breach. Document the assessment and retain it for six years.
3.3 If the risk assessment does NOT demonstrate a low probability of compromise, or if the practice elects to treat the incident as a breach, proceed to notification.
4. EXCEPTIONS (NON-BREACH EVENTS)
4.1 The following are excluded from the definition of breach per 45 CFR § 164.402(1):
- Unintentional acquisition, access, or use by a workforce member acting in good faith within the scope of their authority, if the PHI is not further used or disclosed in an impermissible manner.
- Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity or business associate, if the PHI is not further used or disclosed in an impermissible manner.
- A disclosure in which the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information.
4.2 If an exception applies, document the basis for it and retain that documentation for six years.
5. NOTIFICATION TO INDIVIDUALS (45 CFR § 164.404)
5.1 [PRACTICE NAME] shall notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach.
5.2 Notification shall be provided without unreasonable delay and no later than 60 calendar days from the date of discovery of the breach.
5.3 The notification shall be in writing and sent by first-class mail to the individual's last known address. If the individual has agreed to receive electronic notice, it may be sent by email.
5.4 The notification shall include:
- a brief description of what happened, including the date of the breach and the date of discovery
- the types of unsecured PHI involved (e.g., name, SSN, diagnosis, treatment information)
- steps the individual should take to protect themselves (e.g., monitor credit, change passwords)
- what [PRACTICE NAME] is doing to investigate, mitigate harm, and prevent future breaches
- contact information for the Privacy Officer, including a toll-free number, email, and postal address
5.5 Substitute Notice: If there is insufficient or out-of-date contact information that precludes written notice to 10 or more individuals, [PRACTICE NAME] shall provide substitute notice in the form of EITHER (a) a conspicuous posting for a period of 90 days on the home page of the practice's website, OR (b) conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside. The substitute notice shall include a toll-free phone number that remains active for at least 90 days so that an individual can learn whether their unsecured PHI may have been included in the breach. (For fewer than 10 individuals with insufficient or out-of-date contact information, substitute notice may be provided by an alternative written form, telephone, or other means.)
5.6 Urgent situations: If there is imminent misuse of PHI, the practice may provide telephone or other urgent notice in addition to written notice.
6. NOTIFICATION TO HHS (45 CFR § 164.408)
6.1 Breaches affecting 500 or more individuals: Notify HHS contemporaneously with individual notification (within 60 days) via the HHS Breach Reporting Portal at https://ocrportal.hhs.gov.
6.2 Breaches affecting fewer than 500 individuals: Maintain a log and submit notifications to HHS annually, no later than 60 days after the end of the calendar year in which the breaches were discovered.
7. NOTIFICATION TO THE MEDIA (45 CFR § 164.406)
7.1 If a breach of unsecured PHI involves MORE THAN 500 residents of a State or jurisdiction, [PRACTICE NAME] shall, without unreasonable delay and in no case later than 60 calendar days after discovery, notify prominent media outlets serving that State or jurisdiction. (Note: the trigger is more than 500 residents of a single State or jurisdiction — not the aggregate 500-or-more count that triggers contemporaneous HHS notification under Section 6.)
8. BUSINESS ASSOCIATE BREACHES (45 CFR § 164.410)
8.1 Business associates shall notify [PRACTICE NAME] of any breach of unsecured PHI without unreasonable delay and no later than [NUMBER — per BAA, recommended 10-30] days after discovery.
8.2 The Privacy Officer shall coordinate with the business associate to obtain the information needed for risk assessment and individual notification.
9. DOCUMENTATION
9.1 All breach-related documentation shall be maintained for a minimum of six (6) years, including:
- the Breach Log
- investigation findings
- four-factor risk assessment
- notification letters
- HHS submission records
- any corrective actions taken
10. CORRECTIVE ACTIONS
10.1 Following any breach, the Privacy Officer and Security Officer shall identify the root cause and implement corrective actions to prevent recurrence.
10.2 Corrective actions shall be documented and tracked to completion.