HIPAA Breach Notification Checklist

This checklist ensures your organization complies with HIPAA Breach Notification Rule requirements (45 CFR §§ 164.400-414) when a breach of unsecured protected health information (PHI) occurs. Use this checklist to document notification procedures, assess breach scope, and maintain required records throughout the breach response lifecycle.

  • Determine if breach occurred: Assess whether there has been unauthorized acquisition, access, use, or disclosure of PHI that compromises security or privacy (45 CFR §164.400). Document the risk assessment outcome in writing.
  • Conduct risk assessment: Evaluate the nature and extent of PHI involved, who accessed it, whether it was actually acquired, and what safeguards failed (45 CFR §164.404(b)). Maintain documented evidence of this assessment.
  • Identify affected individuals: Create a verified list of all individuals whose unsecured PHI was potentially compromised (45 CFR §164.404). Include name, contact information, and type of PHI affected.
  • Determine notification timeline: Ensure notification occurs without unreasonable delay and in no case later than 60 calendar days after discovery of the breach (45 CFR §164.404(a)(2)).
  • Prepare notification content: Include the date of the breach, the date of discovery, a description of the PHI involved, steps individuals should take, what you are doing to investigate, mitigation measures, and contact information (45 CFR §164.404(b)(1)).
  • Notify affected individuals: Send written notification by first-class mail to the last known address, or by email if the individual has agreed to electronic notification (45 CFR §164.404(a) and (e)).
  • Notify media outlets: For breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets in that area without unreasonable delay (45 CFR §164.404(b)(2)).
  • Notify prominent media: Provide media notice in at least one newspaper of general circulation in the affected area, and one news station or web-based news service (45 CFR §164.404(b)(2)).
  • Notify Secretary of HHS: Submit written notice to the HHS Secretary without unreasonable delay and no later than 60 calendar days after breach discovery (45 CFR §164.404(b)(3)).
  • Document all notifications: Maintain records of each individual notified, date notified, content provided, and method of delivery (45 CFR §164.404(c)).
  • Preserve breach investigation records: Keep written documentation of the breach investigation, the risk assessment methodology, and notification decisions for a minimum of six years (45 CFR §164.414).
  • Implement mitigation measures: Document all steps taken to mitigate harm, such as credit monitoring, identity theft protection services, or security improvements (45 CFR §164.407(b)).
  • Update breach log: If you maintain a breach log, record the breach date, discovery date, number of individuals affected, a brief description, and the current status (45 CFR §164.408(b)).
  • Review Business Associate Agreements: Confirm that BAAs include the required breach notification obligations and the timelines within which Business Associates must notify the covered entity (45 CFR §164.410).
  • Obtain Business Associate notification: Ensure Business Associates notify you without unreasonable delay upon discovery of a breach (45 CFR §164.410(a)).
  • Carry out a corrective action plan: Develop and document corrective actions that address the cause of the breach and prevent future incidents (45 CFR §164.404).