HIPAA
January 8, 2026
6 min read

Breach notification: timelines, thresholds, and a clinic playbook

What to do when an incident happens—how to document it, assess risk, and meet HIPAA notification requirements.

An incident is stressful. OCR expects disciplined documentation.

This guide focuses on operational steps a clinic owner can implement to make breach handling defensible.

What counts as a breach (in practice)

Not every security incident is a reportable breach, but every incident should be documented. Examples that often trigger breach workflows:

  • lost or stolen device with possible ePHI exposure
  • misdirected email containing patient information
  • ransomware affecting systems that store or access ePHI
  • vendor compromise involving ePHI

The clinic playbook (step-by-step)

Step 1: Contain and preserve evidence

  • isolate affected accounts/systems
  • preserve logs, emails, screenshots, and timestamps
  • document who took actions and when

Step 2: Investigate scope

  • what systems were involved?
  • what data types were involved?
  • how many individuals could be impacted?
  • which vendor(s) were involved?

Step 3: Perform a breach risk assessment

Your documentation should clearly show the factors considered and the rationale for the decision. The output should be a written determination.

Step 4: Decide and prepare notifications

When notification is required, prepare:

  • patient notice content (plain language)
  • media notice workflow (for large incidents, when applicable)
  • regulatory notice workflow (as required)
  • internal staff communications and scripted responses

Step 5: Corrective actions and follow-up

  • reset credentials, enforce MFA, adjust access
  • update policies and training content if the incident revealed gaps
  • add remediation items to your risk management plan
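The five steps above are a paper process, but Steps 1 and 3 (preserve logs, emails and screenshots; document who took each action and when; write down the determination) are the parts an OCR reviewer will check against the record. The following is an added example, not code from the HIPAA Hub article, showing one way to keep that record as data: a single incident object that hashes each evidence file at preservation time, logs the actor and UTC timestamp for every action, stores the written determination with its factors and rationale, and can later re-hash the evidence to prove nothing changed after it was collected. The incident id, actor names, file names and factor wording are constructed for the demo.

```python
# Added example (not from the HIPAA Hub article): a minimal incident record that
# implements the playbook's "preserve evidence" and "document who took actions and
# when" steps as data. Incident id, actors, file names and factors are constructed.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large log exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class IncidentRecord:
    """One record per incident: timeline, evidence manifest, written determination."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.timeline: List[dict] = []        # who did what, when (UTC)
        self.manifest: Dict[str, str] = {}    # evidence path -> sha256 at preservation
        self.determination: Optional[dict] = None

    def log_action(self, actor: str, action: str, when: Optional[datetime] = None) -> dict:
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = {"when": stamp, "actor": actor, "action": action}
        self.timeline.append(entry)
        return entry

    def preserve(self, path: Path, actor: str) -> str:
        """Record the hash of an evidence file and log who preserved it."""
        digest = sha256_file(path)
        self.manifest[str(path)] = digest
        self.log_action(actor, f"preserved {path.name} sha256={digest}")
        return digest

    def verify(self) -> Dict[str, bool]:
        """Re-hash every preserved file; False means it changed after preservation."""
        return {p: sha256_file(Path(p)) == d for p, d in self.manifest.items()}

    def record_determination(self, actor: str, factors: dict, notify: bool, rationale: str) -> dict:
        """The written determination Step 3 asks for: factors considered plus rationale."""
        self.determination = {
            "factors_considered": factors,
            "notification_required": notify,
            "rationale": rationale,
            "decided_by": actor,
            "decided_at": datetime.now(timezone.utc).isoformat(),
        }
        self.log_action(actor, f"breach risk assessment recorded; notification_required={notify}")
        return self.determination

    def to_json(self) -> str:
        """Serialise the whole record so it can be filed as the single incident record."""
        return json.dumps(
            {"incident_id": self.incident_id, "timeline": self.timeline,
             "evidence": self.manifest, "determination": self.determination},
            indent=2,
        )


def run_demo() -> dict:
    """Build a bundle from constructed sample evidence, then alter one file after preservation."""
    workdir = Path(tempfile.mkdtemp(prefix="incident-"))
    mail_log = workdir / "mail-gateway.log"          # constructed sample evidence
    screenshot = workdir / "inbox-screenshot.png"    # constructed placeholder bytes
    mail_log.write_text("2026-01-08T14:02:11Z sent to wrong-recipient@example.com subject=lab results\n")
    screenshot.write_bytes(b"\x89PNG placeholder")

    rec = IncidentRecord("INC-2026-0001")            # constructed id
    rec.log_action("front-desk-lead", "reported misdirected email to privacy officer")
    rec.preserve(mail_log, "it-admin")
    rec.preserve(screenshot, "it-admin")
    before = rec.verify()

    # Simulate a log rotation or edit after preservation; verify() must flag it.
    mail_log.write_text("rotated\n")
    after = rec.verify()

    rec.record_determination(
        "privacy-officer",
        {"data_involved": "lab results", "recipient": "external, recall requested"},
        notify=True,
        rationale="unauthorized external recipient; no assurance the message went unread",
    )
    return {"record": rec, "before": before, "after": after, "mail_log": str(mail_log)}


if __name__ == "__main__":
    print(run_demo()["record"].to_json())
```

Running the script prints the JSON incident record; the second `verify()` call shows the altered log as `False`, which is exactly the check you want to be able to run before handing the evidence bundle to counsel, your insurer, or OCR. The hashes are only as trustworthy as the record they live in, so store the exported JSON somewhere the people who can edit the original systems cannot quietly rewrite it.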

What makes breach response “defensible”

If OCR ever reviews your response, the strength is in your records:

  • a single incident record (timeline)
  • evidence bundle (logs/screenshots/emails)
  • risk assessment write-up
  • notification letters and proof of sending
  • remediation plan and completion proof
  • incident response policy
  • breach notification policy templates
  • contact lists (legal counsel, insurer, IT, key vendors)
  • a decision tree for incident severity and escalation

Build the workflow now so you’re not inventing it under pressure.

Written by

HIPAA Hub Team