breach-incident-responder

# Breach Incident Responder

## Overview

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media, following a breach of unsecured PHI. This skill provides the framework for breach determination, risk assessment, notification, and documentation.

## Key Definitions

```
SECURITY INCIDENT (45 CFR § 164.304):
"The attempted or successful unauthorized access, use, disclosure, 
modification, or destruction of information or interference with 
system operations in an information system."

BREACH (45 CFR § 164.402):
"The acquisition, access, use, or disclosure of protected health 
information in a manner not permitted under [the Privacy Rule] 
which compromises the security or privacy of the protected health 
information."
```

**Key Distinction:**
- **Security Incident** = Something happened to systems/data
- **Breach** = PHI was actually or presumptively compromised

## Breach Response Workflow

```
┌─────────────────────────────────────────────────────────────────┐
│                    BREACH RESPONSE PROCESS                      │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  STEP 1         STEP 2         STEP 3         STEP 4           │
│  ────────       ────────       ────────       ────────          │
│  Discover &     Investigate    Risk           Determine         │
│  Contain        & Document     Assessment     Breach/Not        │
│                                                                 │
│       │              │              │              │            │
│       ▼              ▼              ▼              ▼            │
│                                                                 │
│           IF BREACH:                                            │
│                                                                 │
│  STEP 5         STEP 6         STEP 7         STEP 8           │
│  ────────       ────────       ────────       ────────          │
│  Notify         Notify         Notify Media   Document &        │
│  Individuals    HHS            (if 500+)      Remediate         │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```

## Step 1: Discovery and Containment

### When Incident Discovered

```
IMMEDIATE ACTIONS:
□ Document date/time of discovery
□ Identify who discovered and how
□ Contain the incident (stop ongoing breach)
□ Preserve evidence (logs, screenshots, affected systems)
□ Notify Privacy/Security Officer
□ Activate incident response team
```

### Containment Measures

| Incident Type | Containment Actions |
|---------------|---------------------|
| Lost/stolen device | Remote wipe (if possible), disable accounts |
| Unauthorized access | Disable compromised accounts, change passwords |
| Misdirected PHI | Contact recipient, request deletion/return |
| Malware/ransomware | Isolate systems, activate backup/recovery |
| Improper disposal | Retrieve if possible, assess exposure |
| Insider breach | Suspend access, secure systems |

### Discovery Documentation

```
INCIDENT DISCOVERY FORM
───────────────────────
Incident ID: {unique_id}
Date/Time Discovered: {datetime}
Discovered By: {name/title}
How Discovered: {description}

INITIAL DESCRIPTION:
{brief_description_of_incident}

SYSTEMS/DATA INVOLVED:
{list_affected_systems}

IMMEDIATE ACTIONS TAKEN:
{containment_actions}

Reported to Privacy Officer: □ Yes  Date/Time: {datetime}
Reported to Security Officer: □ Yes  Date/Time: {datetime}
```

## Step 2: Investigate and Document

### Investigation Checklist

```
INVESTIGATION ELEMENTS:
□ What PHI was involved?
   - Types of identifiers
   - Number of individuals
   - Sensitivity of information

□ Who accessed/received the PHI?
   - Authorized or unauthorized?
   - Internal or external?
   - Known recipient or unknown?

□ How did it happen?
   - Human error
   - System failure
   - Malicious action
   - Process gap

□ What was the intent?
   - Accidental
   - Intentional
   - Unknown

□ What safeguards were in place?
   - Encryption status
   - Access controls
   - Audit logs available
```

### Evidence Collection

| Evidence Type | Collect |
|---------------|---------|
| System logs | Access logs, audit trails, event logs |
| Communications | Emails, faxes, messages involved |
| Device information | Device ID, encryption status, location |
| Witness statements | Who saw what, when |
| Physical evidence | Documents, media, photos |
| Timeline | Sequence of events |

## Step 3: Risk Assessment (4-Factor Test)

### Breach Presumption

```
HIPAA BREACH PRESUMPTION:
An impermissible use or disclosure of PHI is PRESUMED to be a 
breach UNLESS the covered entity demonstrates through a risk 
assessment that there is a LOW PROBABILITY that the PHI has 
been compromised.
```

### Four-Factor Risk Assessment

Evaluate each factor to determine probability of compromise:

#### Factor 1: Nature and Extent of PHI

| PHI Type | Risk Level |
|----------|------------|
| Name + medical condition | Higher |
| Name + dates only | Lower |
| SSN, financial info | Higher |
| Sensitive conditions (HIV, mental health, substance abuse) | Higher |
| Clinical notes with details | Higher |
| Demographic only | Lower |

```
FACTOR 1 ASSESSMENT:
Types of identifiers involved: {list}
Clinical information included: □ Yes □ No
Sensitive diagnoses included: □ Yes □ No
Financial/SSN included: □ Yes □ No
Number of data elements: {count}
RISK LEVEL: □ High □ Medium □ Low
```

#### Factor 2: Unauthorized Person Who Used/Received PHI

| Recipient | Risk Level |
|-----------|------------|
| Unknown recipient | Higher |
| Known but not trustworthy | Higher |
| Another covered entity (healthcare) | Lower |
| Workforce member of same org | Lower |
| Individual with malicious intent | Higher |

```
FACTOR 2 ASSESSMENT:
Recipient identity: □ Known □ Unknown
Recipient type: {description}
Recipient obligation to protect: □ Yes □ No
Evidence of misuse: □ Yes □ No
RISK LEVEL: □ High □ Medium □ Low
```

#### Factor 3: Whether PHI Was Actually Acquired or Viewed

| Evidence | Risk Level |
|----------|------------|
| Confirmed viewing/access | Higher |
| Opportunity existed but no evidence of access | Medium |
| PHI returned without being accessed | Lower |
| Encrypted and key not compromised | Lower |
| Recipient confirms no access/immediate deletion | Lower |

```
FACTOR 3 ASSESSMENT:
Evidence PHI was viewed/accessed: □ Yes □ No □ Unknown
Evidence PHI was acquired/retained: □ Yes □ No □ Unknown
Recipient attestation obtained: □ Yes □ No
Forensic analysis performed: □ Yes □ No
RISK LEVEL: □ High □ Medium □ Low
```

#### Factor 4: Extent to Which Risk Has Been Mitigated

| Mitigation | Risk Reduction |
|------------|----------------|
| PHI retrieved/destroyed (verified) | Significant |
| Recipient signed confidentiality agreement | Some |
| Recipient is healthcare entity with own obligations | Some |
| No evidence of further disclosure | Some |
| Unable to mitigate | None |

```
FACTOR 4 ASSESSMENT:
Mitigation actions taken: {list}
PHI retrieved/destroyed: □ Yes □ No □ N/A
Recipient confidentiality obtained: □ Yes □ No □ N/A
Recipient cooperation: □ Full □ Partial □ None
RISK LEVEL: □ High □ Medium □ Low
```

### Risk Assessment Conclusion

```
RISK ASSESSMENT SUMMARY
───────────────────────
Incident ID: {id}
Date of Assessment: {date}
Assessor: {name/title}

FACTOR ANALYSIS:
Factor 1 (Nature of PHI): {High/Medium/Low}
Factor 2 (Who received): {High/Medium/Low}
Factor 3 (Actual access): {High/Medium/Low}
Factor 4 (Mitigation): {High/Medium/Low}

OVERALL DETERMINATION:
□ LOW probability of compromise → NOT a reportable breach
□ More than LOW probability → REPORTABLE BREACH

RATIONALE:
{detailed_explanation_of_determination}

Approved by: {privacy_officer}
Date: {date}
```

## Step 4: Breach Determination

### Exceptions to Breach Definition

Even if PHI was impermissibly used/disclosed, it is NOT a breach if:

| Exception | Criteria |
|-----------|----------|
| **Unintentional acquisition** | By workforce member acting in good faith within scope of authority, not further used/disclosed |
| **Inadvertent disclosure** | Between authorized persons at same entity/BA, not further used/disclosed |
| **Good faith belief** | Unauthorized recipient could not reasonably retain the PHI |

### Breach Determination Documentation

```
BREACH DETERMINATION FORM
─────────────────────────
Incident ID: {id}
Date of Incident: {date}
Date of Discovery: {date}

PHI INVOLVED:
- Number of individuals: {count}
- Types of PHI: {list}

RISK ASSESSMENT COMPLETED: □ Yes  Date: {date}

EXCEPTION ANALYSIS:
□ Unintentional acquisition exception applies
□ Inadvertent disclosure exception applies
□ Good faith belief exception applies
□ No exception applies

FINAL DETERMINATION:
□ NOT A BREACH (document rationale)
□ BREACH - Notification required

If BREACH:
- Number of individuals affected: {count}
- Notification deadline (individual): {date - 60 days from discovery}
- HHS notification deadline: {date}
- Media notification required: □ Yes (500+ in state) □ No
```

## Step 5: Notify Affected Individuals

### Notification Timeline

```
DEADLINE: Without unreasonable delay, no later than 60 calendar 
days from date of DISCOVERY of the breach
```

### Notification Content Requirements

Individual notification must include:

```
REQUIRED CONTENT:
□ Brief description of what happened
□ Date of breach (if known) and date of discovery
□ Types of PHI involved
□ Steps individuals should take to protect themselves
□ What entity is doing to investigate, mitigate, prevent recurrence
□ Contact information for questions

DELIVERY METHODS:
1. First-class mail to last known address
2. Email (if individual agreed to electronic notice)
3. Substitute notice (if insufficient contact info):
   - <10 individuals: Phone, email, or other
   - 10+ individuals: Posting on website (90 days) + major media
```

### Individual Notification Template

```
[ORGANIZATION LETTERHEAD]

{Date}

{Patient Name}
{Address}

RE: Notice of Data Breach

Dear {Patient Name}:

We are writing to inform you of a security incident that may have 
involved your protected health information.

WHAT HAPPENED
─────────────
On {date}, we discovered that {brief description of incident}. 
We discovered this incident on {discovery_date}.

WHAT INFORMATION WAS INVOLVED
─────────────────────────────
The information that may have been involved includes:
{list types of PHI - name, DOB, medical information, etc.}

WHAT WE ARE DOING
─────────────────
{Description of investigation and remediation steps}

WHAT YOU CAN DO
───────────────
We recommend that you:
• Review statements from your health insurer
• Monitor your accounts for suspicious activity
• Consider placing a fraud alert on your credit file
• {Additional recommendations based on PHI type}

FOR MORE INFORMATION
────────────────────
If you have questions, please contact:
{Contact person/department}
{Phone number}
{Email address}
{Hours available}

We sincerely regret any inconvenience or concern this may cause.

Sincerely,

{Name}
{Title}
```

## Step 6: Notify HHS

### HHS Notification Requirements

| Breach Size | Notification Deadline | Method |
|-------------|----------------------|--------|
| **500+ individuals** | Within 60 days of discovery | HHS breach portal (immediate) |
| **<500 individuals** | Within 60 days of end of calendar year | HHS breach portal (annual log) |

### HHS Breach Report Content

```
HHS BREACH REPORT ELEMENTS:
□ Covered entity name and contact
□ Business associate involved (if any)
□ Date(s) of breach
□ Date of discovery
□ Number of individuals affected
□ Type of breach (theft, loss, unauthorized access, etc.)
□ Location of breach (laptop, paper, network server, etc.)
□ Types of PHI involved
□ Safeguards in place (encryption, etc.)
□ Actions taken in response
□ Whether individual notifications sent
```

### HHS Breach Portal

```
SUBMISSION URL: https://ocrportal.hhs.gov/ocr/breach/
```

## Step 7: Notify Media (If Required)

### Media Notification Trigger

```
REQUIRED IF: Breach affects 500+ residents of a single state/jurisdiction
DEADLINE: Within 60 days of discovery
METHOD: Prominent media outlets in the state/jurisdiction
```

### Media Notice Content

Same content as individual notification, formatted for media distribution.

## Step 8: Document and Remediate

### Documentation Requirements

```
BREACH DOCUMENTATION RETENTION:
- Maintain all breach-related documentation
- Retention period: 6 years
- Include:
  □ Incident reports
  □ Investigation records
  □ Risk assessments
  □ Breach determinations
  □ Notification copies
  □ HHS report confirmations
  □ Remediation records
```

### Remediation Actions

| Area | Potential Actions |
|------|-------------------|
| **Technical** | Patch vulnerabilities, enhance encryption, improve access controls |
| **Administrative** | Update policies, enhance training, revise procedures |
| **Physical** | Improve physical security, device management |
| **Workforce** | Disciplinary action, additional training |
| **Vendors** | Review BA agreements, audit BA security |

### Post-Breach Review

```
POST-BREACH ANALYSIS:
□ Root cause identified
□ Contributing factors documented
□ Policy/procedure gaps identified
□ Training gaps identified
□ Technical vulnerabilities addressed
□ Corrective action plan developed
□ Implementation timeline established
□ Monitoring plan for effectiveness
```

## Quick Reference: Common Scenarios

### Lost/Stolen Device

```
1. Was PHI on device?
   □ No → Document, not a breach
   □ Yes → Continue

2. Was device encrypted?
   □ Yes (NIST compliant) → Not a breach (safe harbor)
   □ No → Presumed breach, conduct risk assessment
```

### Misdirected PHI (Fax/Email/Mail)

```
1. Did wrong recipient receive PHI?
   □ Yes → Continue

2. Who received it?
   □ Another covered entity → Lower risk
   □ Unknown/general public → Higher risk

3. Was PHI retrieved/destroyed?
   □ Yes, confirmed → Lower risk
   □ No → Higher risk

4. Conduct 4-factor risk assessment
```

### Unauthorized Access by Workforce

```
1. Did workforce member access PHI without authorization?
   □ Yes → Continue

2. Was access within scope of job duties?
   □ Yes, unintentional → May qualify for exception
   □ No, snooping → Presumed breach

3. Was PHI further used or disclosed?
   □ No → May qualify for exception
   □ Yes → Presumed breach

4. Conduct 4-factor risk assessment if no exception
```

## Resources

### references/
- **four-factor-assessment-guide.md** — Detailed risk assessment guidance
- **notification-templates.md** — Individual and media notification templates
- **exception-analysis-guide.md** — Breach exception criteria

### scripts/
- **breach-timeline-calculator.py** — Calculates notification deadlines
- **risk-assessment-scorer.py** — Structured risk assessment tool

### assets/
- **individual-notification-template.docx** — Patient notification letter
- **hhs-report-checklist.pdf** — HHS submission checklist
- **breach-log-template.xlsx** — Annual breach tracking log