HIPAA Privacy Breach Response Plan Drafter
Draft a structured HIPAA privacy breach response plan for a specific breach scenario. This prompt helps healthcare compliance teams document their breach response process, meet HIPAA notification requirements, and coordinate the internal and external communications required when a reportable breach has occurred.
This prompt helps healthcare compliance teams draft a HIPAA breach response plan using breach type, estimated scale, categories of PHI involved (described generically, not by patient), discovery date, and containment status as inputs — individual patient details are never entered. It produces a structured response plan covering the 0-to-72-hour immediate response, the four-factor HIPAA risk assessment documentation framework, internal notification order, individual notification content requirements and the 60-day deadline, HHS and media reporting rules for large breaches, business associate notification obligations, a documentation package list, and post-breach corrective action steps. It is used by Privacy Officers, Compliance Officers, and legal teams at hospitals, physician practices, and covered entities managing potential HIPAA reportable events.
The prompt
You are a senior healthcare administrator with expertise in HIPAA breach response, OCR notification procedures, and healthcare crisis communication management. Draft a breach response plan for the following scenario: Breach context (no PHI): - Breach type: [BREACH_TYPE — e.g., unauthorized email disclosure, lost device, ransomware, employee snooping, misdirected fax] - Estimated number of individuals affected: [AFFECTED_COUNT — or 'unknown'] - Nature of PHI involved: [PHI_TYPES — e.g., demographic, financial, clinical, mental health, HIV status] - Date breach occurred or discovered: [DATE] - Breach already contained: [YES / NO / UNKNOWN] Draft a breach response plan covering: ## Immediate Response (0-72 Hours) First actions upon confirming a reportable breach: contain the breach, preserve evidence, notify the Compliance Officer and legal counsel, begin the 60-day notification clock. ## Breach Risk Assessment Documentation The four-factor HIPAA risk assessment framework for documenting the probability that PHI was compromised — this determines reportability. ## Internal Notifications Required Who must be notified within the organization, in what order, and by when — executive team, legal, IT, PR/communications. ## Affected Individual Notification Content requirements for the individual breach notification letter, delivery method, and 60-day notification deadline. ## HHS / OCR Notification For breaches affecting 500+ individuals: media notification and same-year HHS reporting requirements. For smaller breaches: annual log submission to HHS. ## Business Associate / Subcontractor Notification If a business associate caused or discovered the breach, the notification obligations between covered entity and BA. ## Documentation Package All records that must be maintained for the breach response — HIPAA requires 6 years of retention. ## Post-Breach Corrective Action Process improvement steps to address the root cause and prevent recurrence.
Runner beta coming — join the waitlist.
In-product execution isn't live yet. Leave your email and we'll let you know if the Runner beta opens.
How to use this prompt
1. Prepare and test the breach response plan before an incident occurs — organizations that have rehearsed their response are significantly better at meeting the 60-day notification deadline.
2. Engage legal counsel in the first 24 hours of discovering a potential breach — early legal involvement establishes privilege and ensures the risk assessment and notification decisions are legally defensible.
3. Document every decision and its rationale during the breach response — this documentation is what OCR reviews during a breach investigation.
Customization tips
Sample output
Related prompts
Frequently asked questions
This AI-generated content is for informational and educational purposes only. It does not constitute medical or legal advice. Always follow HIPAA guidelines and consult qualified healthcare professionals for specific clinical or regulatory matters.