HIPAA Data Breach Investigation Blueprint
This is intended as a model for adaptation by healthcare organizations or business associates when investigating a possible HIPAA data breach. Following the process outlined below helps determine and document whether a reportable breach occurred. The information in blue provides instruction and definitions, while the information in red is what must be documented and usually reported if a breach is found.
This document is not intended to provide legal advice or establish an attorney-client relationship. You should work with legal counsel experienced with data security laws and regulations specific to your jurisdiction, organization, and industry. In particular, many incidents that are not reportable breaches under federal law must be reported to California government authorities and patients.