How should a HIPAA entity respond to unauthorized access to protected health information?

by | Feb 5, 2023 | HIPAA News and Advice

A HIPAA entity should respond to unauthorized access to protected health information (PHI) by promptly investigating to establish the scope of the incident, containing it to limit further harm, assessing whether the access is a reportable breach, notifying affected individuals and the U.S. Department of Health and Human Services (HHS) within the time limits set by the HIPAA Breach Notification Rule (and prominent media outlets where more than 500 residents of a state or jurisdiction are affected), implementing corrective measures to prevent recurrence, and documenting the breach and every response action taken. Every breach must be reported to HHS; what changes with the number of affected individuals is only the timing of that report. Healthcare entities governed by HIPAA are obligated to respond to such breaches with precision and diligence. A meticulous approach ensures both regulatory compliance and the preservation of patient trust.

| Response Step After Unauthorized PHI Access | Description |
|---|---|
| Initiate investigation | Conduct a prompt, thorough investigation to establish the nature and extent of the unauthorized access, the PHI involved, and the accounts, individuals or entities involved. Fix the date of discovery (the first day the entity knew of the breach or, with reasonable diligence, should have known), because the notification clock runs from that date. Preserve audit logs and other evidence. Perform and document the four-factor risk assessment (nature and extent of the PHI, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated); the incident is presumed to be a breach unless that assessment demonstrates a low probability that the PHI was compromised. |
| Mitigate potential harm | Assess the risks associated with the access and act immediately to prevent further unauthorized access: terminate active sessions, disable compromised accounts, revoke credentials, and recover or confirm destruction of any exported data. |
| Notification to affected individuals | Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, in plain language. The notice states what happened (including the dates of the breach and of discovery), the types of PHI involved, steps individuals should take to protect themselves, what the entity is doing to investigate, mitigate harm and prevent recurrence, and how to contact the entity. |
| Regulatory reporting to HHS | Report every breach to HHS through the HHS Office for Civil Rights breach portal. Breaches affecting 500 or more individuals are reported at the same time as individual notice, within 60 days of discovery. Breaches affecting fewer than 500 individuals are logged and submitted no later than 60 days after the end of the calendar year in which they were discovered. Include the particulars of the breach, the mitigation taken, and updates to policies or procedures. |
| Media notification (if applicable) | If the breach affects more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that area within the same 60-day limit, ensuring community transparency. |
| Internal assessment and corrective actions | Conduct a thorough review to identify the root causes of the breach and the weaknesses in the security infrastructure that allowed it. Implement corrective actions that address those weaknesses and prevent future unauthorized access. |
| Documentation and recordkeeping | Maintain documentation throughout the response, including the investigation, the risk assessment, the notifications issued, and the corrective actions taken. The burden of proof that notification was given, or was not required, rests on the entity, so the record must be sufficient to demonstrate compliance; retain it for six years. |
| Staff training and awareness | Provide staff with training on security protocols, access controls, and the importance of safeguarding patient information. Increase employee awareness of the risks of unauthorized access and of their role in preventing and reporting it. |
| Review and update policies | Evaluate existing policies on information security and access controls and update them based on lessons learned. |
| Communication plan | Develop a communication plan that sets out the roles and responsibilities of personnel during a breach incident, and ensure employees understand their roles and are prepared to execute them. |
| Continuous monitoring and improvement | Establish ongoing monitoring of systems and network activity, including access to PHI, so that threats are detected and handled promptly. Refine security protocols and procedures as threats emerge and incidents are reviewed. |

Table: Steps in Response to Unauthorized Access to PHI

When an unauthorized access breach is suspected or detected, the first step is to initiate a swift and thorough investigation. This investigation aims to discern the scope and scale of the breach, the nature of the accessed PHI, the individuals or entities involved, and the potential harm caused. It must also establish the date of discovery, because the Breach Notification Rule treats a breach as discovered on the first day it is known to the entity, or would have been known had reasonable diligence been exercised, and the notification deadlines run from that day. Audit logs and other evidence should be preserved before any remediation overwrites them. The extent of the breach determines the subsequent steps of the response process: the count of distinct individuals affected, and where they reside, decides which notification tiers apply. Healthcare entities should engage internal personnel or external experts well-versed in cybersecurity and privacy issues to lead this investigative effort.

Mitigation of potential harm is the subsequent step in the response process. The healthcare entity must assess the risks associated with the unauthorized access and take necessary actions to minimize them. Depending on the nature of the breach, this could involve terminating active sessions, disabling compromised accounts, revoking credentials, or recovering exported data. The objective is to prevent any additional unauthorized disclosures while actively working to correct the situation. Mitigation also feeds the required risk assessment: an incident is presumed to be a reportable breach unless the entity can document a low probability that the PHI was compromised, based on the nature and extent of the PHI, who used or received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.

Notification is an important component of a HIPAA entity’s response to unauthorized access. The HIPAA Breach Notification Rule requires affected individuals to be informed without unreasonable delay and in no case later than 60 calendar days after discovery. This notification should be clear, concise, and readily understandable by the intended recipients. It should describe what happened, including the dates of the breach and of its discovery, the types of PHI involved, the steps individuals can take to protect themselves, what the entity is doing to investigate, mitigate harm and prevent recurrence, and how to contact the entity with questions. If the breach affects more than 500 residents of a state or jurisdiction, the healthcare entity is also required to notify prominent media outlets serving that area within the same time limit, ensuring transparency in the community. The regulatory aspect of unauthorized access breaches cannot be understated. Every breach, regardless of size, must be reported to the U.S. Department of Health and Human Services (HHS) through the HHS Office for Civil Rights breach reporting portal. A breach affecting 500 or more individuals is reported at the same time as the individual notices, within 60 days of discovery; a breach affecting fewer than 500 individuals is entered in a log and submitted no later than 60 days after the end of the calendar year in which it was discovered. The report should include the particulars of the breach, the measures taken to mitigate harm, and the policies and procedures that have been enhanced to prevent future breaches.
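The scoping and notification tiers described above can be checked mechanically once the investigation has fixed the compromised account, its misuse window and the discovery date. The following is an added example, not code from the original page: it reads a constructed EHR audit log, counts the distinct individuals whose records the compromised account touched inside the window, and maps that population onto the individual, HHS and media deadlines. The log format, the account name "jdoe", the patient identifiers and the function names are assumptions made for illustration; the example also assumes the four-factor risk assessment has already classified the incident as a reportable breach and that each patient identifier is one individual.

```python
"""Scope an unauthorized-access incident from EHR audit logs and derive the
notification tiers of the HIPAA Breach Notification Rule.

Added example, not code from the original page. The log format, the account
"jdoe" and the patient records are constructed for illustration. It assumes
the incident has already been assessed as a reportable breach and that each
patient_id is one individual.
"""
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample audit log. Fields: timestamp, user, action, patient_id,
# state of the patient's address (needed for the media-notice test).
AUDIT_LOG = [
    ("2023-01-09T08:15:00", "nurse01", "VIEW", "P0001", "TX"),   # other user, legitimate
    ("2023-01-11T22:03:00", "jdoe", "VIEW", "P0002", "TX"),
    ("2023-01-11T22:05:00", "jdoe", "EXPORT", "P0003", "OK"),
    ("2023-01-12T01:10:00", "jdoe", "VIEW", "P0002", "TX"),      # same individual again
    ("2023-01-25T09:00:00", "jdoe", "VIEW", "P0004", "TX"),      # after the account was disabled
]
# A bulk export by the compromised account, synthesised so that the sample
# crosses the 500-individual threshold.
AUDIT_LOG += [
    ("2023-01-13T02:00:00", "jdoe", "EXPORT", f"P{1000 + i}", "TX") for i in range(520)
]


def scope_incident(log, suspect_user, window_start, window_end):
    """Return {patient_id: state} for each distinct individual whose record the
    suspect account touched inside the misuse window (ISO 8601 bounds,
    inclusive). Distinct individuals, not access events, drive the tiers."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    affected = {}
    for ts, user, _action, patient_id, state in log:
        if user == suspect_user and start <= datetime.fromisoformat(ts) <= end:
            affected[patient_id] = state
    return affected


def notification_plan(affected, discovery_date):
    """Map the scoped population onto the Breach Notification Rule deadlines.

    discovery_date (ISO date string) is the day the entity knew, or with
    reasonable diligence should have known, of the breach. The 60-day figures
    are outer limits; the rule requires notice without unreasonable delay.
    """
    discovery = date.fromisoformat(discovery_date)
    outer_limit = discovery + timedelta(days=60)
    by_state = Counter(affected.values())
    plan = {
        "individuals": len(affected),
        "individual_notice_by": outer_limit.isoformat(),
        # Media notice applies per state or jurisdiction with more than 500 residents affected.
        "media_notice_states": sorted(s for s, n in by_state.items() if n > 500),
    }
    if len(affected) >= 500:
        plan["hhs_notice"] = "with individual notice"
        plan["hhs_notice_by"] = outer_limit.isoformat()
    else:
        # Fewer than 500: log the breach and submit the log within 60 days of
        # the end of the calendar year in which it was discovered.
        year_end = date(discovery.year, 12, 31)
        plan["hhs_notice"] = "annual log submission"
        plan["hhs_notice_by"] = (year_end + timedelta(days=60)).isoformat()
    return plan


if __name__ == "__main__":
    # The investigation found the account was misused from 2023-01-10 until it
    # was disabled on 2023-01-20, which is also the discovery date.
    affected = scope_incident(AUDIT_LOG, "jdoe", "2023-01-10T00:00:00", "2023-01-20T23:59:59")
    for key, value in notification_plan(affected, "2023-01-20").items():
        print(f"{key}: {value}")
```

Two points the code makes explicit: the access on 2023-01-25 falls outside the window and does not change the count, which is why the misuse window must be established from evidence rather than assumed; and repeated views of one record count once, because the thresholds and the notices are per individual, not per event. State breach-notification laws may impose shorter deadlines than the federal outer limits used here.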

Following breach mitigation and notification, an assessment of the circumstances leading to the unauthorized access is necessary. This retrospective evaluation aids in identifying the root causes of the breach, understanding any vulnerabilities in the existing security infrastructure, and determining the efficacy of the healthcare entity’s response. The objective is to identify areas for improvement and institute corrective actions to prevent similar incidents in the future. This may involve revisiting access controls, refining security protocols, reinforcing staff HIPAA training, or even reevaluating the information systems in use. Throughout the response process, careful documentation is a must. Healthcare entities must maintain a detailed record of the breach, the investigative process and risk assessment, the actions taken to mitigate harm, the notifications issued, and the subsequent improvements implemented. Under the Breach Notification Rule the burden of proof rests on the entity, so this record must show either that all required notifications were made or why the incident did not qualify as a breach, and it must be retained for six years. This documentation serves as a trail of accountability, showing the entity’s commitment to addressing the breach responsibly. In the event of regulatory audits or legal inquiries, these records stand as proof of the entity’s compliance with HIPAA regulations and its dedication to patient privacy.


Responding to unauthorized access to PHI demands a strategy that is swift, thorough, and carefully executed. From investigation and mitigation to notification and regulatory reporting, each step is undertaken to preserve patient confidentiality and trust. Healthcare entities must carry out these steps with precision, relying on internal expertise or seeking external guidance as needed. Doing so fulfills the regulatory obligations and protects patient information in an increasingly interconnected healthcare ecosystem.
