Suspect a Breach? Do This First.
If you believe a breach has occurred or is in progress, take these immediate steps before anything else.
Do NOT turn off or destroy any systems or devices involved
Document everything you know about the incident with timestamps
Identify what PHI may have been exposed and how many records are involved
Secure the area or system where the breach occurred
Do NOT communicate about the breach on unsecured channels
Contact your HIPAA compliance team or breach response partner immediately
Our Breach Response Process
A battle-tested four-phase process that minimizes damage and keeps you on the right side of HIPAA requirements.
Containment
Immediate actions to stop the breach, secure affected systems, and prevent further unauthorized access to PHI. We guide your team through critical first steps.
Investigation
Forensic analysis to determine the scope of the breach: what data was exposed, how many individuals are affected, and how the breach occurred.
Notification
Preparation and submission of required notifications to OCR, affected individuals, and media (if 500+ records). We handle the paperwork and ensure regulatory compliance.
Recovery & Remediation
Post-breach remediation to fix the vulnerability, update policies, retrain staff, and implement safeguards to prevent recurrence. Full documentation for OCR records.
Breach Response Timeline
HIPAA sets strict deadlines for breach notification. Here's our response timeline to keep you compliant.
Initial containment steps and breach triage
Full containment confirmed, investigation launched
Scope assessment and preliminary findings report
Complete investigation and remediation plan
OCR breach notification submitted (required deadline)
Post-breach monitoring, policy updates, and staff retraining
OCR Notification Requirements
Individual Notice
Written notification to each affected individual within 60 days of discovering the breach. The notice must include a description of the breach, the types of information involved, steps individuals can take to protect themselves, and what your organization is doing in response.
HHS/OCR Notice
Breaches affecting 500+ individuals must be reported to HHS immediately and to local media. Breaches under 500 can be reported annually. We handle the entire submission process and documentation.
24/7 Breach Response Availability
Breaches don't follow business hours and neither do we. Our San Diego breach response team is available around the clock, 365 days a year. When you call our emergency line, you reach a real HIPAA compliance professional who can begin guiding you through containment immediately.
For clients on our Group Practice or Enterprise plans, 24/7 breach response is included at no additional cost. For other organizations, we offer emergency response on a per-incident basis.