HIPAA Incident Response Plan: How to Prepare for and Handle a Breach

A HIPAA incident response plan is not the same thing as a breach notification, and confusing the two costs organizations precious time. The HIPAA Security Rule requires every covered entity and business associate to maintain security incident procedures under 45 CFR § 164.308(a)(6): a documented way to identify, respond to, mitigate, and record security incidents. Most security incidents are not reportable breaches, but you cannot tell the difference without a plan that triggers a disciplined assessment.

Security incident vs. breach

A security incident is any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations. A breach is the narrower subset involving unsecured PHI that triggers notification obligations. Your plan must handle both: contain every incident, and run the four-factor risk assessment that determines whether an incident rises to a notifiable breach.

The phases of a usable plan

Documentation is the deliverable

OCR’s first request after any incident is your paperwork: the incident log, the risk assessment, and proof that you responded. The legal duty to identify and respond to incidents flows from your Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A), which should already have mapped where PHI lives and what threatens it, the same map your responders need under pressure. When the worst happens, our guide on what to do after a HIPAA data breach walks through the notification steps in order.

A tested plan beats a written one

An untested plan fails when it matters. Run tabletop exercises at least annually, simulating a ransomware hit or a lost laptop, and fix the gaps the exercise exposes. The proposed 2026 Security Rule update (an NPRM that HHS published in December 2024, not yet final, with a 240-day compliance window once published) would make incident-response testing and stricter timelines explicit, so practicing now prepares you for both real incidents and the coming rule. Because ransomware is the most common trigger, start with our HIPAA ransomware guidance.

How Medcurity helps

Medcurity helps you build the risk analysis your incident response plan depends on, document your security incident procedures, and keep the evidence trail OCR expects. The platform is $499/year (about $42/month), with quotes available for larger or multi-entity organizations.

Frequently Asked Questions

Is every security incident a reportable breach?

No. Most incidents are contained without exposing PHI. A breach is the subset involving unsecured PHI; the four-factor risk assessment determines whether notification is required.

How long do we have to report a breach?

The Breach Notification Rule requires notice without unreasonable delay and no later than 60 days from discovery. Breaches affecting 500 or more individuals must also be reported to HHS and the media promptly.

Who needs to be on the response team?

At minimum, an incident commander, an IT or security lead, your privacy or compliance officer, and a communications or legal contact. Smaller practices can assign multiple roles to one person, but the roles must be named in advance.

How often should we test the plan?

At least annually and after any major system change. Tabletop exercises are the cheapest way to find the gaps before a real incident does.