
HIPAA Breach Response: Step-by-Step Guide for Therapists

What to do when a HIPAA breach occurs. Immediate response steps, notification requirements, timelines, and documentation templates.

Last updated: January 2026 | 12 min read

Your laptop was stolen. You sent records to the wrong email address. A former employee accessed client files they shouldn't have. Now what?

A breach doesn't have to become a catastrophe—but how you respond in the first hours and days matters enormously. This guide walks you through exactly what to do, when to do it, and how to document your response.


What Qualifies as a Breach?

HIPAA's Definition

A breach is:

"The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information."

In plain English: PHI was accessed, used, or disclosed in a way that shouldn't have happened.

Common Breach Scenarios

Scenario                                                    Breach?
----------------------------------------------------------  ---------------
Laptop with unencrypted client data stolen                  Yes
Sent email with PHI to wrong recipient                      Likely yes
Hacker accessed your EHR                                    Yes
Ransomware locked your client files                         Yes
Staff member looked at records without authorization        Yes
Mailed statement to wrong address                           Likely yes
Left voicemail with PHI at wrong number                     Potentially yes
Lost phone with EHR app (but encrypted and remote-wiped)    Potentially no

When It's NOT a Breach

Not every security incident is a breach requiring notification. Exceptions:

  1. Unintentional access by workforce member — Acting in good faith, within scope of authority, with no further disclosure.
  2. Inadvertent disclosure within organization — Between authorized persons, no further disclosure.
  3. Good faith belief of inability to retain — Recipient couldn't reasonably retain the information.
  4. Encrypted data — If PHI was encrypted and encryption key wasn't compromised, the data is considered unusable and may not be a reportable breach.

The Breach Assessment

Step 1: Conduct Risk Assessment

Before concluding you have a reportable breach, assess whether the incident "compromises the security or privacy" of PHI.

Four factors to consider:

  1. Nature and extent of PHI involved
    • What types of information? (Names, diagnoses, SSN, etc.)
    • How many individuals affected?
    • How sensitive is the information?
  2. Unauthorized person who received PHI
    • Who accessed it?
    • What's the likelihood they'll misuse it?
    • Do they have obligations to protect it?
  3. Whether PHI was actually acquired or viewed
    • Was it just potentially accessible, or actually accessed?
    • Is there evidence of viewing?
  4. Extent to which risk has been mitigated
    • Did you recover the data?
    • Did recipient confirm deletion?
    • Was the device remotely wiped?

If risk assessment shows low probability of compromise: Document your assessment thoroughly—you may determine it's not a reportable breach.

If any doubt: Treat it as a breach and proceed with notification.


Immediate Response: First 24-48 Hours

Contain the Breach

Stop the bleeding first:

  • Disable compromised accounts
  • Change passwords
  • Revoke access for unauthorized users
  • Recover lost devices if possible
  • Preserve evidence (don't delete logs)
  • Disconnect compromised systems if active attack

Document Everything

Start a breach log immediately:

BREACH INCIDENT LOG

Date/time discovered: _______________

Discovered by: _______________

How discovered: _______________

Initial description: _______________

Containment actions taken: _______________

Individuals potentially affected: _______________

Types of PHI involved: _______________

Document:

  • When the breach occurred (if known)
  • When it was discovered
  • What happened
  • What PHI was involved
  • How many individuals affected
  • What containment actions you took
  • Who you've notified internally

Assess Scope

Determine:

  • How many clients are affected?
  • What specific information was exposed?
  • How did the breach occur?
  • Is the breach ongoing or contained?

Notification Requirements

Who Must Be Notified?

  1. Affected Individuals — Required
  2. HHS (Department of Health and Human Services) — Required
  3. Media — Only if 500+ individuals in a state affected
  4. Business Associates — If they caused or discovered the breach

Timeline

Notification                 Deadline
---------------------------  ------------------------------------
Individuals                  Within 60 days of discovery
HHS (500+ affected)          Within 60 days of discovery
HHS (fewer than 500)         Within 60 days of calendar year end
Media (500+ in a state)      Within 60 days of discovery

Discovery date: The first day you knew, or reasonably should have known, about the breach.


Notifying Affected Individuals

Content Requirements

Individual notification must include:

  1. Brief description of what happened, including date of breach and date of discovery
  2. Types of information involved (e.g., names, diagnoses, SSN, dates of service)
  3. Steps individuals should take to protect themselves
  4. What you're doing to investigate, mitigate, and prevent future occurrences
  5. Contact information for questions (phone, email, address)

Method of Notification

First-class mail to last known address.

Email only if individual previously agreed to electronic communication.

Substitute notice if contact information is outdated:

  • Fewer than 10 individuals: Phone, email, or other direct method
  • 10+ individuals: Conspicuous posting on website for 90 days OR major media outlet
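To make the timeline and substitute-notice rules above concrete, here is a small deadline calculator. It is an added illustration, not part of the original guide; the function names, the per-state count input, and the ISO-date string inputs are my own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

SIXTY_DAYS = timedelta(days=60)
LARGE_BREACH = 500  # 500+ affected: prompt HHS notice; 500+ in one state: media notice


@dataclass(frozen=True)
class Notice:
    recipient: str
    deadline: date


def discovery_date(known_on: str, should_have_known_on: str) -> str:
    """The clock starts on the earlier of actual and constructive knowledge (ISO dates)."""
    return min(date.fromisoformat(known_on), date.fromisoformat(should_have_known_on)).isoformat()


def notification_plan(discovered: str, affected_by_state: Dict[str, int]) -> List[Notice]:
    """Who must be notified and by when, given the discovery date (ISO string) and
    the number of affected individuals per state (constructed input shape)."""
    found = date.fromisoformat(discovered)
    total = sum(affected_by_state.values())
    by_sixty_days = found + SIXTY_DAYS
    plan = [Notice("affected individuals", by_sixty_days)]
    if total >= LARGE_BREACH:
        plan.append(Notice("HHS", by_sixty_days))
    else:
        # Smaller breaches may be reported to HHS within 60 days after the end
        # of the calendar year in which they were discovered.
        plan.append(Notice("HHS (annual report)", date(found.year, 12, 31) + SIXTY_DAYS))
    for state, count in sorted(affected_by_state.items()):
        if count >= LARGE_BREACH:
            plan.append(Notice(f"media ({state})", by_sixty_days))
    return plan


def substitute_notice(unreachable: int) -> str:
    """Fallback when mailing addresses are stale: direct contact for fewer than
    ten individuals, otherwise a 90-day website posting or a major media outlet."""
    if unreachable == 0:
        return "none needed"
    if unreachable < 10:
        return "phone, email, or other direct method"
    return "conspicuous website posting for 90 days or major media outlet"


if __name__ == "__main__":
    # Constructed scenario: stolen unencrypted laptop, 35 clients, discovered 2026-03-10
    for n in notification_plan("2026-03-10", {"CA": 30, "NV": 5}):
        print(f"{n.recipient:<22} by {n.deadline}")
```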

Sample Notification Letter

[Practice Name]
[Address]
[Date]

[Client Name]
[Client Address]

Dear [Client Name],

I am writing to inform you of a security incident that may have
affected your protected health information.

WHAT HAPPENED
On [date], [brief description of incident—e.g., "a laptop
containing client records was stolen from my vehicle" or
"an email containing your information was inadvertently sent
to another individual"].

WHAT INFORMATION WAS INVOLVED
The information that may have been exposed includes: [list
specific types—name, date of birth, diagnosis, dates of service,
etc.].

WHAT WE ARE DOING
Upon discovering this incident, we immediately [describe
containment actions]. We have [describe remediation—reported
to law enforcement, enhanced security measures, etc.].

WHAT YOU CAN DO
We recommend you [specific steps—monitor credit reports,
review statements for unusual activity, etc.].

[If SSN or financial info involved:]
You may place a fraud alert on your credit file by contacting:
- Equifax: 1-800-525-6285
- Experian: 1-888-397-3742
- TransUnion: 1-800-680-7289

FOR MORE INFORMATION
If you have questions, please contact me at:
Phone: [number]
Email: [address]

I sincerely apologize for any concern this may cause.

Respectfully,

[Your name]
[Practice name]

Notifying HHS

For Breaches Affecting 500+ Individuals

Notify promptly, and in any case within 60 days of discovery, via the HHS Breach Portal:

https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf

For Breaches Affecting Fewer Than 500

Notification may be deferred, but must be submitted within 60 days after the end of the calendar year in which the breach was discovered.

Submit via HHS Breach Portal.

What to Report

  • Name of covered entity
  • Contact information
  • Date(s) of breach
  • Date of discovery
  • Type of breach (theft, unauthorized access, etc.)
  • Location of breach (laptop, paper, email, etc.)
  • Type of PHI involved
  • Number of individuals affected
  • Safeguards in place
  • Actions taken in response

Documentation Requirements

What to Document

Throughout the process:

  • Timeline of events
  • How breach was discovered
  • Risk assessment and reasoning
  • Containment actions taken
  • Scope determination (who, what information)
  • Notifications sent (to whom, when, how)
  • Remediation measures implemented

Retain documentation for 6 years.

Breach Log Template

HIPAA BREACH DOCUMENTATION

INCIDENT INFORMATION
Date of breach: _______________
Date discovered: _______________
Discovered by: _______________
Description: _____________________________________________

RISK ASSESSMENT
Nature of PHI involved: _______________
Number of individuals: _______________
Who received/accessed PHI: _______________
Evidence of actual access: _______________
Mitigation measures: _______________
Conclusion: [ ] Reportable breach  [ ] Not reportable (document why)

CONTAINMENT ACTIONS
Date/time: _______________
Action taken: _______________
Responsible party: _______________

NOTIFICATIONS
Individuals notified: [ ] Yes, date: _______  [ ] Not required
Method: [ ] Mail  [ ] Email  [ ] Substitute notice
HHS notified: [ ] Yes, date: _______  [ ] Pending (annual)
Media notified: [ ] Yes, date: _______  [ ] Not required

REMEDIATION
Measures implemented: _________________________________
Training conducted: _________________________________
Policy changes: _________________________________

ATTESTATION
This documentation accurately reflects the breach incident
and our response.

Signature: _______________ Date: ___________

After the Breach: Remediation

Prevent Recurrence

Based on what caused the breach:

Cause                     Remediation
------------------------  ------------------------------------------------------
Lost/stolen device        Encryption, remote wipe, device policies
Wrong recipient email     Address verification, encryption, portal use
Unauthorized access       Access controls, audit logs, termination procedures
Hacking                   Security assessment, software updates, 2FA
Staff error               Training, policy review, supervision

Update Your Risk Assessment

A breach indicates your risk assessment missed something. Update it:

  • Add the vulnerability that was exploited
  • Document new safeguards implemented
  • Reassess related risks

HIPAA Risk Assessment Guide →

Training

Conduct training on:

  • What went wrong
  • New policies or procedures
  • Breach response procedures
  • Reinforcement of existing safeguards

HIPAA Training Requirements →


Business Associate Breaches

If Your BA Causes a Breach

Your Business Associate (EHR vendor, billing service, etc.) must:

  • Notify you of the breach without unreasonable delay
  • Provide information needed for your risk assessment
  • Assist with notifications if appropriate

You remain responsible for notifying individuals and HHS.

Review Your BAA

Your Business Associate Agreement should specify:

  • BA's breach notification obligations to you
  • Timeline for notification
  • Information BA must provide
  • Cooperation requirements

Business Associate Agreements →


Frequently Asked Questions

How do I know if something is a breach?
Ask: Was PHI accessed, acquired, used, or disclosed in a way that wasn't permitted? If yes, conduct a risk assessment. If assessment shows compromise of privacy/security, it's a reportable breach.

What if I'm not sure how many people are affected?
Estimate based on available information. You can update HHS if numbers change. Don't delay notification because you're still counting.

Can I wait to notify individuals until I know exactly what happened?
You have up to 60 days, but don't delay unnecessarily. Notify when you have sufficient information, even if investigation continues.

What if the breach was caused by my EHR vendor?
They should notify you, and you remain responsible for notifying individuals and HHS. Your BAA should address this scenario.

Will I be fined for reporting a breach?
Not automatically. Fines result from underlying HIPAA violations that led to the breach, not from reporting it. Transparent, prompt response generally results in better outcomes.

Should I contact a lawyer?
Consider it for significant breaches—especially those affecting many individuals, involving sensitive information (HIV status, mental health, substance abuse), or resulting from potential negligence.

A breach is stressful, but it's manageable with prompt, documented response. Contain it, assess it, notify as required, and fix what broke. Most importantly, document everything—your response demonstrates good faith even if the breach itself indicates a vulnerability.
