HIPAA Breach Response Checklist: What to Do in the First 30, 60, and 90 Days

When a HIPAA Breach Hits, the Clock Starts Immediately

A healthcare data breach is not a hypothetical risk. It is a when, not an if, for most covered entities and business associates operating today. When it happens, the difference between a manageable regulatory response and a multimillion-dollar OCR enforcement action often comes down to whether your team knew exactly what to do in the hours, days, and weeks that followed discovery.

This HIPAA breach response checklist is designed for compliance managers and executives who need a structured, defensible action plan. It breaks the response timeline into three phases: the first 30 days, days 31 through 60, and days 61 through 90. Each phase has distinct legal obligations, operational priorities, and documentation requirements that your team must execute correctly.

If you want to understand how these breach response obligations fit into a broader program, our healthcare compliance resources provide additional context on regulatory expectations for covered entities and business associates.

Phase One: The First 30 Days After Discovery

The initial 30 days are the most operationally intense period of any HIPAA breach response. Your primary goals are to stop the bleeding, conduct a preliminary risk assessment, preserve evidence, and start managing the notification clock that the Breach Notification Rule imposes from the date of discovery.

Immediate Actions (Days 1–5)

  • Activate your incident response team. This includes your Privacy Officer, Security Officer, legal counsel, IT leadership, and executive sponsor. If you do not have a documented incident response plan, you are already behind. A well-structured HIPAA incident response plan should define who does what the moment a breach is suspected.
  • Contain the incident. Isolate affected systems, revoke compromised credentials, and prevent further unauthorized access or exfiltration. Document every containment action with timestamps.
  • Preserve evidence. Do not wipe or reimage systems before forensic preservation. Chain of custody matters for both your internal investigation and any potential OCR inquiry.
  • Determine whether this is a breach under HIPAA. Not every security incident is a reportable breach. Apply the four-factor risk assessment under 45 CFR §164.402 to determine whether there is a low probability that PHI was compromised. If you cannot demonstrate low probability, you must treat the incident as a reportable breach.
  • Engage outside counsel and forensics if warranted. For incidents involving large volumes of PHI, ransomware, or third-party business associates, retain specialized support immediately.
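The "document every containment action with timestamps" and chain-of-custody points above are easier to defend if the record itself is tamper-evident. The following is an added example (not from the original post) of a hash-chained, append-only action log: each entry commits to the hash of the one before it, and evidence artifacts are recorded by SHA-256 before hand-off. The entries in `build_sample_log` are constructed sample data, and `sha256_of_file_bytes` stands in for hashing a real disk image.

```python
"""Hash-chained log of containment and evidence-handling actions (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class ActionLog:
    """Append-only record. Altering, removing or reordering any entry breaks
    the hash of that entry or of every entry that follows it."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, detail, evidence_sha256=None, when=None):
        when = when or datetime.now(timezone.utc)
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries) + 1,
            "timestamp_utc": when.isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "evidence_sha256": evidence_sha256,
            "prev_hash": prev_hash,
        }
        # Canonical JSON so the digest does not depend on key order or whitespace.
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        entry = dict(body, hash=digest)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every digest and re-walk the chain.
        Returns (True, None) if intact, else (False, seq of first bad entry)."""
        prev_hash = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev_hash:
                return False, body["seq"]
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if recomputed != entry["hash"]:
                return False, body["seq"]
            prev_hash = entry["hash"]
        return True, None


def sha256_of_file_bytes(data):
    """Digest of an evidence artifact (e.g. a forensic image) taken before hand-off."""
    return hashlib.sha256(data).hexdigest()


def build_sample_log():
    """Constructed day-one containment sequence; hostnames and accounts are invented."""
    log = ActionLog()
    t0 = datetime(2024, 3, 4, 14, 2, tzinfo=timezone.utc)
    log.record("security-officer", "isolate_host",
               "EHR-APP-02 moved to quarantine VLAN", when=t0)
    log.record("it-lead", "revoke_credentials",
               "disabled svc_backup and three user accounts",
               when=datetime(2024, 3, 4, 14, 20, tzinfo=timezone.utc))
    image = b"constructed stand-in for a forensic disk image"
    log.record("forensics-vendor", "acquire_image",
               "EHR-APP-02 full disk image, write-blocked",
               evidence_sha256=sha256_of_file_bytes(image),
               when=datetime(2024, 3, 4, 16, 45, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(json.dumps(log.entries, indent=2))
    print("chain intact:", log.verify())
```

Keep the exported log (and the hash of the log file itself) with the investigation file; a later OCR data request can then be answered with a record whose integrity you can demonstrate rather than assert.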

Days 6–30: Investigation, Risk Assessment, and Notification Preparation

  • Conduct a thorough breach investigation. Identify what PHI was involved, how many individuals are affected, what systems were compromised, and how the breach occurred. Your investigation findings must be documented and retained for at least six years.
  • Quantify the affected population. The number of affected individuals determines your notification pathway. Breaches affecting 500 or more residents of a single state or jurisdiction require media notification in addition to individual notification and HHS reporting.
  • Begin drafting individual notification letters. Under 45 CFR §164.404, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days from the date of discovery. Start drafting now. The letter must include the nature of the breach, the types of information involved, steps individuals should take to protect themselves, and what you are doing to investigate and mitigate harm.
  • Notify business associates if applicable. If the breach occurred at a business associate, they must notify the covered entity without unreasonable delay and within 60 days of discovery. Verify your BAAs contain the required breach notification provisions.
  • Review your cyber insurance policy. Notify your insurer per policy requirements. Many policies have short reporting windows that run concurrently with your HIPAA obligations.
  • Document everything. OCR expects covered entities to maintain documentation demonstrating that the required analysis was performed, even for incidents that do not rise to the level of a reportable breach.

Phase Two: Days 31 Through 60

By the start of this phase, your investigation should be substantively complete and your notification obligations should be in execution. The 60-day notification deadline is firm. There are no extensions.

Notification Execution Checklist

  • Send individual notifications. Notifications must be sent by first-class mail or, if the individual has agreed to electronic notice, by email. If contact information is insufficient for 10 or more individuals, substitute notice is required via your website or major print or broadcast media.
  • Issue media notification if required. For breaches affecting 500 or more residents of a state or jurisdiction, you must provide notice to prominent media outlets in that area. This must also occur within 60 days of discovery.
  • Submit your HHS breach report for large breaches. Breaches affecting 500 or more individuals must be reported to HHS contemporaneously, meaning within the 60-day window. Use the HHS breach reporting portal. Breaches affecting fewer than 500 individuals may be reported to HHS on an annual basis, no later than 60 days after the end of the calendar year in which the breach occurred.
  • Notify state attorneys general if required by state law. Many states have breach notification laws with requirements that run parallel to or are more stringent than HIPAA. Your legal counsel must confirm state-specific obligations.
  • Assess whether additional regulatory notifications are required. If your organization also handles federal contract data or operates under other regulated frameworks, additional reporting requirements may apply. Organizations serving both healthcare and defense sectors should evaluate whether their IT compliance obligations under other frameworks were triggered by the same incident.
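The notification rules in the two lists above (Days 6–30 and the Notification Execution Checklist) reduce to a small decision procedure over the discovery date and per-state headcounts. The following added example (not from the original post) encodes them: individual notice due 60 calendar days from discovery; media notice for each state or jurisdiction with 500 or more affected residents; an HHS report within the same 60-day window when 500 or more individuals are affected, otherwise on the annual basis no later than 60 days after the end of the calendar year; substitute notice when contact information is insufficient for 10 or more individuals. Assumptions: the annual HHS deadline is keyed to the year of discovery, and state attorney-general obligations are only flagged for counsel, not computed. The headcounts in the usage block are constructed.

```python
"""Notification pathway and deadline calculator (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTIFICATION_WINDOW = timedelta(days=60)   # "no later than 60 calendar days"
MEDIA_THRESHOLD = 500                      # per state or jurisdiction
HHS_CONTEMPORANEOUS_THRESHOLD = 500        # total affected individuals
SUBSTITUTE_NOTICE_THRESHOLD = 10           # individuals with insufficient contact info


@dataclass
class BreachFacts:
    discovery_date: date
    affected_by_state: Dict[str, int]      # state/jurisdiction -> affected residents
    insufficient_contact_info: int = 0


@dataclass
class NotificationPlan:
    total_affected: int
    individual_notice_due: date
    media_notice_states: List[str]
    media_notice_due: Optional[date]
    hhs_report_due: date
    hhs_report_basis: str
    substitute_notice_required: bool
    state_ag_review_needed: bool


def plan_notifications(facts: BreachFacts) -> NotificationPlan:
    total = sum(facts.affected_by_state.values())
    due = facts.discovery_date + NOTIFICATION_WINDOW
    media_states = sorted(s for s, n in facts.affected_by_state.items() if n >= MEDIA_THRESHOLD)
    if total >= HHS_CONTEMPORANEOUS_THRESHOLD:
        hhs_due, basis = due, "contemporaneous: within 60 days of discovery"
    else:
        # Assumption: annual log keyed to the calendar year of discovery.
        year_end = date(facts.discovery_date.year, 12, 31)
        hhs_due, basis = year_end + NOTIFICATION_WINDOW, "annual log: within 60 days after year end"
    return NotificationPlan(
        total_affected=total,
        individual_notice_due=due,
        media_notice_states=media_states,
        media_notice_due=due if media_states else None,
        hhs_report_due=hhs_due,
        hhs_report_basis=basis,
        substitute_notice_required=facts.insufficient_contact_info >= SUBSTITUTE_NOTICE_THRESHOLD,
        state_ag_review_needed=bool(facts.affected_by_state),  # always confirm with counsel
    )


def days_remaining(plan: NotificationPlan, today: date) -> int:
    """Calendar days left on the individual-notice deadline (negative once missed)."""
    return (plan.individual_notice_due - today).days


if __name__ == "__main__":
    # Constructed sample: discovered 4 March 2024, 1,200 VA and 40 MD residents,
    # 25 individuals with no usable mailing address or agreed e-mail.
    facts = BreachFacts(date(2024, 3, 4), {"VA": 1200, "MD": 40}, insufficient_contact_info=25)
    plan = plan_notifications(facts)
    print(plan)
    print("days remaining as of 1 April 2024:", days_remaining(plan, date(2024, 4, 1)))
```

Run it with your own headcounts once the investigation has quantified the population; the output is a starting point for the legal team's tracker, not a substitute for counsel confirming the state-specific and business-associate timelines.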

Remediation Planning

  • Develop a formal remediation plan. Identify the root cause of the breach and document a corrective action plan with specific controls, owners, and target completion dates.
  • Engage your workforce on interim controls. Until permanent technical controls are in place, implement compensating controls and communicate them to staff.
  • Update your risk register. The breach findings should inform a reassessment of your threat and vulnerability landscape. If you do not have a current risk register tied to your HIPAA security risk analysis, this is the moment to build one.

Phase Three: Days 61 Through 90

The final phase of your initial breach response shifts from crisis management to program hardening. OCR investigations frequently focus not just on whether the breach was reported correctly, but on whether the covered entity had reasonable safeguards in place beforehand and whether it took meaningful corrective action afterward.

Post-Breach Program Hardening

  • Complete remediation of identified control gaps. Every finding from your breach investigation should map to a specific corrective action. Prioritize high-risk gaps and document completion with evidence.
  • Update your policies and procedures. If the breach exposed weaknesses in your written HIPAA policies, revise them. OCR expects your HIPAA policies and procedures to reflect your actual operating environment, not a generic template.
  • Conduct targeted workforce retraining. If human error contributed to the breach, deliver targeted training to affected roles. Document attendance and content. Annual training is a floor, not a ceiling.
  • Perform or commission an updated HIPAA security risk analysis. A breach is a triggering event that warrants a comprehensive reassessment. If your last risk analysis is more than 12 months old, complete a new one now.
  • Test your updated incident response plan. Conduct a tabletop exercise using the breach scenario to evaluate whether your updated procedures would have changed the outcome. Document the exercise and findings.
  • Prepare for potential OCR investigation. Large breaches are frequently investigated. Organize your documentation in a format that supports a rapid and complete response to an OCR data request. This includes your risk analysis, breach investigation report, notification evidence, corrective action plan, and training records.

Longer-Term Compliance Strengthening

A breach exposes compliance gaps that existed before the incident. Use the 90-day window to assess whether your overall compliance program structure needs fundamental strengthening. Many organizations discover that their breach response failures were symptoms of a broader problem: an underdeveloped compliance program that lacked the structure, resources, and leadership attention to prevent the incident or contain it effectively.

Organizations facing this situation benefit from working with a compliance partner that can provide ongoing regulatory leadership. Our Regulatory vCISO Services are specifically designed to provide the strategic oversight and program management that covered entities and business associates need to build resilient, audit-ready compliance programs.

For organizations that need to build or rebuild their HIPAA program from the ground up following a breach, our Compliance Program Development service provides a structured engagement that addresses risk analysis, policy development, workforce training, and technical safeguards in a coordinated way.

You may also find our HIPAA Compliance Documentation Toolkit useful for rapidly closing documentation gaps identified during your breach review, and our HIPAA Privacy & Security Compliance guide for healthcare administrators provides practical reference material for your compliance team throughout the remediation process.

For a deeper look at how breach investigations unfold technically, our blog post on the anatomy of a data breach provides useful context for understanding how attackers move through your environment and what forensic evidence your investigators will be looking for.

The Bottom Line on HIPAA Breach Response

A well-executed HIPAA breach response does not eliminate regulatory scrutiny. It demonstrates that your organization takes its obligations seriously, acted in good faith, and has taken meaningful steps to protect patients and prevent recurrence. OCR consistently treats organizations that respond transparently and correct underlying weaknesses more favorably than those that appear to minimize or delay their response.

The 30-60-90 day framework above gives your team a structured path through the most critical period following breach discovery. But the best time to build this capability is before you need it.

If your organization needs help assessing its current HIPAA breach readiness, developing a compliant incident response program, or navigating an active breach response, Cleared Systems is ready to engage. Request a quote today and let us help you build the program that protects your patients, your organization, and your regulatory standing.
