Healthcare Administrators

HIPAA Privacy Breach Response Plan Drafter

Draft a structured HIPAA privacy breach response plan for a specific breach scenario. This prompt helps healthcare compliance teams document their breach response process, meet HIPAA notification requirements, and coordinate the internal and external communications required when a reportable breach has occurred.

This prompt helps healthcare compliance teams draft a HIPAA breach response plan using breach type, estimated scale, categories of PHI involved (described generically, not by patient), discovery date, and containment status as inputs — individual patient details are never entered. It produces a structured response plan covering the 0-to-72-hour immediate response, the four-factor HIPAA risk assessment documentation framework, internal notification order, individual notification content requirements and the 60-day deadline, HHS and media reporting rules for large breaches, business associate notification obligations, a documentation package list, and post-breach corrective action steps. It is used by Privacy Officers, Compliance Officers, and legal teams at hospitals, physician practices, and covered entities managing potential HIPAA reportable events.

Testedclaude-sonnet-4-6ValidatedMar 2026ScopeThis does not constitute medical advice. Follow HIPAA guidel…TierAdvanced
AI Role
You are a senior healthcare administrator with expertise in HIPAA breach respons…
Models
Claude
Confidence
Advanced
Constraints
This does not constitute medical advice. Follow HIPAA guidelines. Recommend consulting qualified healthcare professionals.
Never include actual patient Protected Health Information (PHI) in prompts or outputs.
HIPAA breach notification decisions must be made by legal counsel and the Compliance Officer — AI-generated plans are a framework, not a legal determination of reportability.
State breach notification laws may impose additional or shorter notification deadlines than HIPAA — confirm state law requirements with legal counsel.
Tested Models
claude-sonnet-4-6
Uncertainty
If the breach type or scope is unclear, generate a general breach response framework and note that the specific notification obligations and response steps depend on facts that must be investigated before notification decisions are made.
Scope
PHI-free admin only — use a BAA-compliant AI (e.g. BastionGPT or Azure OpenAI) for PHI.
Last updated
2026-05-28Published

The prompt

1,976 characters
privacy-breach-response-drafter.prompt
You are a senior healthcare administrator with expertise in HIPAA breach response, OCR notification procedures, and healthcare crisis communication management.

Draft a breach response plan for the following scenario:

Breach context (no PHI):
- Breach type: [BREACH_TYPE — e.g., unauthorized email disclosure, lost device, ransomware, employee snooping, misdirected fax]
- Estimated number of individuals affected: [AFFECTED_COUNT — or 'unknown']
- Nature of PHI involved: [PHI_TYPES — e.g., demographic, financial, clinical, mental health, HIV status]
- Date breach occurred or discovered: [DATE]
- Breach already contained: [YES / NO / UNKNOWN]

Draft a breach response plan covering:

## Immediate Response (0-72 Hours)
First actions upon confirming a reportable breach: contain the breach, preserve evidence, notify the Compliance Officer and legal counsel, begin the 60-day notification clock.

## Breach Risk Assessment Documentation
The four-factor HIPAA risk assessment framework for documenting the probability that PHI was compromised — this determines reportability.

## Internal Notifications Required
Who must be notified within the organization, in what order, and by when — executive team, legal, IT, PR/communications.

## Affected Individual Notification
Content requirements for the individual breach notification letter, delivery method, and 60-day notification deadline.

## HHS / OCR Notification
For breaches affecting 500+ individuals: media notification and same-year HHS reporting requirements. For smaller breaches: annual log submission to HHS.

## Business Associate / Subcontractor Notification
If a business associate caused or discovered the breach, the notification obligations between covered entity and BA.

## Documentation Package
All records that must be maintained for the breach response — HIPAA requires 6 years of retention.

## Post-Breach Corrective Action
Process improvement steps to address the root cause and prevent recurrence.
WAITLIST

Runner beta coming — join the waitlist.

In-product execution isn't live yet. Leave your email and we'll let you know if the Runner beta opens.

How to use this prompt

1

1. Prepare and test the breach response plan before an incident occurs — organizations that have rehearsed their response are significantly better at meeting the 60-day notification deadline.

2

2. Engage legal counsel in the first 24 hours of discovering a potential breach — early legal involvement establishes privilege and ensures the risk assessment and notification decisions are legally defensible.

3

3. Document every decision and its rationale during the breach response — this documentation is what OCR reviews during a breach investigation.

Customization tips

Add 'The breach involved mental health, substance use disorder, or HIV-related records — note the additional federal protections (42 CFR Part 2, mental health parity laws) that apply beyond standard HIPAA.'
For large health systems, add 'Include a media communication protocol — breaches affecting 500+ individuals require media notification and likely generate press inquiries.'
Append 'Conduct a tabletop exercise using this plan with the Compliance Officer, Privacy Officer, legal counsel, and IT Security annually — document the exercise as part of the compliance program.'

Sample output

Mar 2026Advanced
Privacy Incident Response Protocol — Preliminary Breach Risk Assessment Incident Reference: [Incident ID] Date Discovered: [Date] Privacy Officer: [Name] Initial Assessment Date: [Date — must begin within 24 hours of discovery] INCIDENT DESCRIPTION: [Brief factual summary of what occurred — who, what information, how disclosed/accessed, when] STEP 1 — FOUR-FACTOR BREACH RISK ASSESSMENT This assessment determines whether the incident constitutes a reportable breach or is subject to a low probability of compromise exception. Factor 1: Nature and Extent of PHI Involved Type of information involved: [ ] Demographics only [ ] Clinical information [ ] Financial information [ ] Sensitive categories (mental health, substance use, HIV status, genetic) Number of individuals affected: [Number or estimated range] Risk score (1-5): ___ Factor 2: Identity of Person Who Accessed/Received PHI Recipient type: [ ] Covered entity or business associate (lower risk) [ ] Third party without legal authority (higher risk) [ ] Unknown (highest risk) Was the information accessed by someone with professional obligations? [ ] Yes [ ] No [ ] Unknown Risk score (1-5): ___ Factor 3: Whether PHI Was Actually Acquired or Viewed Evidence of access: [ ] Confirmed access [ ] Likely accessed [ ] Unlikely accessed (misdirected fax — no confirmation) [ ] Unknown Risk score (1-5): ___ Factor 4: Extent to Which Risk Has Been Mitigated Mitigation completed: [ ] Information retrieved/destroyed [ ] Recipient signed non-use agreement [ ] No mitigation possible Risk score (1-5): ___ OVERALL RISK DETERMINATION: Combined risk score: ___/20 [ ] Low probability of compromise — document rationale, no external notification required at this time [ ] Cannot rule out compromise — presume breach, proceed to notification protocol NEXT STEPS (if breach presumed): Notification to affected individuals within 60 days. Business associate notification if applicable. Regulatory notification if 500+ individuals affected. Risk mitigation action plan.

Related prompts

Frequently asked questions

Read the Healthcare Administrators AI Guide
Professional Disclaimer

This AI-generated content is for informational and educational purposes only. It does not constitute medical or legal advice. Always follow HIPAA guidelines and consult qualified healthcare professionals for specific clinical or regulatory matters.