7 Steps to Evaluate & Report HIPAA Breaches

Posted on 9 Jun, 2017 | 2 comments | By Jeff G Lawson

The HIPAA Breach Notification rule (§164.400 et seq.) requires you to take specific actions when faced with a breach incident. Sheldon-Dean outlines the following steps you need to take to evaluate and report breaches, as well as to properly document compliance incidents:

  1. Report all breaches promptly to the individual, unless:

     • The disclosure is one of the three exceptions to HHS’ definition of a breach at www.hhs.gov/hipaa; OR
     • The PHI is encrypted using processes meeting the requirements of HHS guidance; OR
     • A risk assessment determines that there is a low probability of protected health information (PHI) disclosure.

  2. Determine whether there is a low probability of disclosure using a HIPAA breach risk assessment that considers four factors:

     • The nature of the information (how detailed is it, how much identifying information does it contain, how sensitive is it, and what is the potential for “adverse impact” to the individual?);
     • To whom the information was released (was it another healthcare provider?);
     • Whether the information was actually accessed, used, or disclosed (was it discarded without being read?); and
     • How you mitigated the incident (are there assurances that the information disclosed cannot be further used, disclosed, or retained?).

  3. Report breaches of PHI involving more than 500 individuals to HHS at the same time you report the breach to the affected individuals. If the breach involves fewer than 500 individuals, you must report it to HHS within 60 days of the end of the calendar year in which it occurred.

  4. Report breaches of PHI to individuals, HHS, and the public according to the applicable regulation (see www.hhs.gov/hipaa for details).

  5. Involve your organization’s counsel and senior management in any breaches that may be reportable under law, to ensure that you follow federal and state laws correctly when providing the various notices and reports to agencies. Keep in mind that breaches of an individual’s information may also be subject to the laws of the state where the individual resides, not just the state where your organization is located.

  6. Document all privacy and security incidents, breaches, and HIPAA breach risk assessments performed to determine whether an incident is a reportable breach. Include documentation of incidents in any compliance evaluation procedures or usage audit and activity review procedures, as appropriate.

  7. Develop and preserve the information gathered in your investigation of security incidents to the greatest extent possible as potential evidence admissible in court, in case it is needed in legal proceedings. Whenever possible, identify any individuals or entities that may be liable for harm caused by the incident.

Put These Policies & Procedures in Place

You must have procedures for reporting, processing, and responding to suspected or known information security incidents, Sheldon-Dean stresses. These procedures are essential for investigating, mitigating, and documenting security incidents, so that you can appropriately report and promptly handle security violations and breaches.

According to Sheldon-Dean, your procedures should identify:

  • How to determine what qualifies as an “incident;”
  • How to report incidents (including designating a person to whom incidents and alerts must be reported on a 24/7 basis);
  • The steps to take in investigating;
  • The roles and responsibilities of the response team;
  • The steps to take and information to include when documenting incidents;
  • The steps to take to mitigate the effects of incidents (where possible and/or allowed by law);
  • The steps to take to provide business recovery and continuity, including the use of adequate backup procedures;
  • Who may release information about the incident and the procedures for doing so;
  • To which entities incidents involving breaches must be reported;
  • Who is authorized to release a system following an investigation; and
  • How you should perform a follow-up analysis and who should participate.

To learn more about evaluating and reporting breaches—as well as plotting out your organization’s security incident response plan—pick up your copy of TCI’s HIPAA Handbook 2017.


2 thoughts on “7 Steps to Evaluate & Report HIPAA Breaches”

  1. I have to show some appreciation to the writer for bailing me out of this type of difficulty. Just after scouting throughout the online world and coming across suggestions which were not powerful, I figured my life was done. Existing without the strategies to the problems you have sorted out by way of your main review is a crucial case, and ones which might have in a wrong way affected my entire career if I had not discovered your blog post. Your own capability and kindness in touching all areas was crucial. I am not sure what I would’ve done if I hadn’t encountered such a solution like this. It’s possible to at this moment relish my future. Thank you very much for your specialized and amazing help. I won’t be reluctant to refer your web sites to any individual who should receive guide on this issue.

  2. I precisely had to say thanks all over again. I’m not certain the things I could possibly have worked on in the absence of the actual recommendations documented by you about my subject. It had been a distressing case for me, but being able to see the very specialised manner you handled that took me to jump for fulfillment. Now i am happy for this help as well as trust you recognize what a powerful job you’re undertaking instructing many others through your web site. I’m certain you have never met all of us.