Incident Response Planning for Medical Practices
March 19, 2026 · 11 min read

In 2024, HHS OCR received reports of 725 healthcare data breaches affecting more than 275 million patient records—the highest single-year total ever recorded. That number represents roughly 81% of the U.S. population. The average healthcare data breach now costs $7.42 million per incident in the United States, and breach lifecycles in healthcare average 279 days—nearly five weeks longer than the cross-industry average. Every extra day an undetected intrusion persists is another day the damage compounds.
For a medical practice or clinic, the gap between a detectable incident and a regulatory nightmare is almost always a missing or untested incident response plan. This is not a gap most practices intend to have. It is a gap that forms gradually, as compliance priorities get deferred and the plan gets pushed to next quarter, until a breach forces the issue.
What Does HIPAA Require for Incident Response?
The HIPAA Security Rule’s Administrative Safeguards contain two overlapping but distinct requirements that together define your incident response obligations.
The first is §164.308(a)(6) – Security Incident Procedures. This standard requires covered entities to implement policies and procedures to address security incidents. The single required implementation specification—Response and Reporting at §164.308(a)(6)(ii)—mandates that you identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents; and document security incidents and their outcomes. This is not aspirational language. It is a compliance floor, and OCR uses it as an enforcement baseline when investigating breaches.
The second is §164.308(a)(7) – Contingency Plan, which requires documented procedures for maintaining operations and protecting ePHI during an emergency—including a cyberattack. These two requirements work together: your incident response plan addresses how you detect, contain, and investigate an incident; your contingency plan addresses how you keep operating while you do so.
The proposed HIPAA Security Rule update published by HHS in December 2024—expected to be finalized in May 2026—significantly strengthens both requirements. The updated rule would require: written incident response plans with defined procedures for reporting suspected incidents; regular documented reviews of those plans; testing and exercises (tabletop drills are strongly encouraged); and system restoration within 72 hours of a security incident. Perhaps most significantly, the proposed rule would eliminate the distinction between required and addressable specifications, making all implementation specifications mandatory. If your incident response plan is currently listed as addressable on your compliance checklist, that flexibility is going away.
What Triggers HIPAA’s Breach Notification Rule?
Your incident response plan must connect directly to HIPAA’s Breach Notification Rule—45 CFR §§164.400–414—because failing to notify on time is itself a HIPAA violation, independent of the underlying breach.
Under the Breach Notification Rule, a breach is the acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted by HIPAA. When a breach occurs, your notification obligations are:
- Notify affected individuals without unreasonable delay and no later than 60 calendar days from the date of discovery. Notice must be sent by first-class mail (or email if the individual has consented), include a plain-language description of what happened, what information was involved, and steps the individual can take to protect themselves.
- Notify HHS OCR via its online breach portal. For breaches affecting 500 or more individuals, notification must be submitted simultaneously with individual notices—within 60 days of discovery. For breaches affecting fewer than 500 individuals, covered entities may submit a log within 60 days after the end of the calendar year.
- Notify prominent media outlets serving the affected state or jurisdiction if the breach affects 500 or more individuals in that state—also within 60 days of discovery. This requirement catches many practices by surprise.
- Business associates must notify the covered entity within 60 days of their own discovery of a breach, per §164.314(a)(2)(i). Under the proposed 2025 rule, this would tighten to 24 hours for contingency plan activations.
Note that these timelines start from the date of discovery—not the date the breach occurred. Healthcare breach lifecycles average 279 days, meaning attackers are typically inside a network for months before detection. Every day your security controls fail to flag anomalous activity extends the window of exposure and creates additional documentation obligations.
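As an added illustration that is not part of the original article, the thresholds and deadlines described above can be turned into a small calculator that an incident lead runs on discovery day; the state codes, counts and dates are constructed, and the `breach_notifications` and `days_left` helpers are assumptions of this example, not a tool the article describes.

```python
from datetime import date, timedelta

# Deadlines and thresholds as stated on this page (HIPAA Breach Notification Rule).
NOTICE_WINDOW = timedelta(days=60)   # outer limit; the rule also demands "without unreasonable delay"
MEDIA_THRESHOLD = 500                # affected individuals in one state or jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500        # total affected; below this, HHS gets an annual log instead


def _as_date(d):
    """Accept a date or an ISO 8601 string such as '2026-03-02'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def breach_notifications(discovery, affected_by_state):
    """Compute who must be notified and by when, counting from the discovery date.

    affected_by_state maps a state/jurisdiction code to the number of affected
    individuals there. Returns the individual, HHS and media obligations.
    """
    discovered = _as_date(discovery)
    total = sum(affected_by_state.values())
    deadline = discovered + NOTICE_WINDOW
    obligations = {"individuals": {"count": total, "due": deadline}}

    if total >= HHS_IMMEDIATE_THRESHOLD:
        obligations["hhs"] = {"when": "with individual notices", "due": deadline}
    else:
        # Sub-500 breaches may be logged and reported within 60 days after the calendar year ends.
        obligations["hhs"] = {"when": "annual log",
                              "due": date(discovered.year, 12, 31) + NOTICE_WINDOW}

    media_states = sorted(s for s, n in affected_by_state.items() if n >= MEDIA_THRESHOLD)
    obligations["media"] = {"jurisdictions": media_states,
                            "due": deadline if media_states else None}
    return obligations


def days_left(due, today):
    """Days until a deadline; negative means the notice is already late."""
    return (_as_date(due) - _as_date(today)).days


if __name__ == "__main__":
    # Constructed sample: discovered 2 March 2026, 620 patients in MN and 40 in WI.
    plan = breach_notifications("2026-03-02", {"MN": 620, "WI": 40})
    for party, detail in plan.items():
        print(party, detail)
    print("days left for individual notices on 1 April 2026:",
          days_left(plan["individuals"]["due"], "2026-04-01"))
```

Because every clock starts at discovery rather than at the intrusion, the same input run with a later discovery date simply shifts all deadlines, which is why the detection gap discussed above translates directly into notification exposure.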
How Is OCR Enforcing Incident Response Requirements?
OCR’s enforcement posture has intensified significantly. To date, OCR has settled or imposed civil money penalties in 152 HIPAA enforcement cases totaling more than $144.8 million. The most common enforcement targets are general hospitals and private practices—the organizations most likely to have informal, undocumented, or untested security programs.
In 2025, OCR launched its Risk Analysis Initiative, completing at least 16 resolution agreements in the first eight months of the year alone before additional settlements in early 2026. The Initiative specifically targets organizations that experienced a breach but could not demonstrate they had conducted an adequate risk analysis and implemented appropriate incident response procedures beforehand. OCR Director Paula M. Stannard stated directly: “In a time where healthcare providers and other HIPAA regulated entities are facing unprecedented cybersecurity threats, compliance with the HIPAA Risk Analysis provision is more essential than ever.”
Representative enforcement actions illustrate the financial stakes:
- Sentara Hospitals paid $2.175 million for breach notification failures and deficient business associate agreements affecting 577 individuals.
- University of Rochester Medical Center paid $3 million for loss of a flash drive and laptop, failure to encrypt, and inadequate risk analysis and device controls affecting 43 individuals.
- Cottage Health paid $3 million for risk analysis and risk management failures covering 62,500 individuals.
- In March 2026, OCR settled with MMG Fusion—a software company serving oral healthcare practices—for impermissibly disclosing PHI, failing to conduct a risk analysis, and failing to notify affected covered entities of a breach in a timely manner.
Private practices and physician offices consistently appear in OCR’s enforcement data. The agency investigates complaints against small provider offices with the same rigor it applies to hospital systems.
One meaningful mitigation: the HITECH Act requires OCR to consider whether an organization has implemented recognized security practices—such as HHS’s 405(d) Health Industry Cybersecurity Practices (HICP)—when assessing fines or determining audit scope. Practices that can demonstrate at least 12 months of consistent alignment with HICP may see reduced penalties and shorter audit periods. This creates a direct financial incentive to build a documented security program before a breach, not after.
What Should a Medical Practice Incident Response Plan Include?
An effective incident response plan for a medical practice has six core phases, each requiring documented procedures and assigned roles:
- Preparation: Define roles and responsibilities before anything happens. Who is the designated incident response lead? Who contacts legal counsel? Who engages your managed security provider or MSSP? Assign specific names and backup contacts, not just job titles. Maintain offline contact lists. Ensure your team has completed security awareness training so they recognize and report suspicious activity. Your security awareness program is the first line of detection—see our guide on building a HIPAA-compliant IT stack for outpatient clinics for infrastructure foundations that support early detection.
- Detection and Identification: Define what constitutes a reportable security incident and how staff should report it. Specify your detection tools—endpoint detection and response (EDR), SIEM, email security—and establish thresholds for escalation. Staff need to know that reporting a suspicious email or unusual system behavior is not a problem; missing it is. Under §164.308(a)(6)(ii), all suspected incidents must be documented, even those that do not ultimately constitute a breach.
- Containment: Define immediate containment steps—network isolation procedures, disabling compromised accounts, revoking remote access credentials. Containment must balance speed with forensic preservation: isolating a system without preserving its state can destroy evidence you will need for OCR’s investigation. Document your containment playbooks for the most common scenarios: ransomware, phishing-initiated account compromise, and unauthorized insider access.
- Eradication and Recovery: After containment, remove the threat and restore from verified, clean backups. Under the proposed HIPAA Security Rule update, covered entities should target 72-hour restoration for critical systems. Coordinate recovery with your continuity plan—see our guide on business continuity planning for healthcare organizations for backup architecture specifics. Do not reconnect restored systems to the network until eradication is confirmed.
- Notification and Reporting: This phase begins simultaneously with containment, not after recovery. Within the first 24–72 hours, make a preliminary determination of whether a breach of unsecured PHI has occurred. If yes, the 60-day notification clock has started. Engage legal counsel immediately—notification letters must be legally reviewed, and privilege protections for your investigation depend on proper engagement. Document every decision and its timestamp. OCR will ask for this documentation.
- Post-Incident Review: Within 30 days of closing an incident, conduct a documented post-mortem. What was the root cause? What controls failed? What did your team do well? What needs to change? Update your risk analysis and your incident response plan accordingly. The proposed HIPAA updates would require annual incident response plan reviews regardless of whether an incident occurred.
What Does the Change Healthcare Breach Teach Medical Practices About Incident Response?
The Change Healthcare ransomware attack—carried out by the ALPHV/BlackCat group in February 2024—offers medical practices a detailed case study in cascading incident response failures.
The initial access vector was a stolen credential used on a Citrix remote access portal that lacked multi-factor authentication. Attackers spent nine days inside the network before deploying ransomware—exfiltrating approximately 4 TB of data in the process. By the time the ransomware triggered, the breach was already complete. Change Healthcare paid approximately $22 million in Bitcoin ransom. The payment failed: ALPHV leadership executed an exit scam, stealing the ransom from their own affiliate, who then took the stolen data to RansomHub and demanded a second ransom. Patient data appeared on dark web leak sites despite the payment. The final victim count: 190 million individuals.
For medical practices, the direct lessons are:
- Multi-factor authentication on every remote access point is non-negotiable. This single control—absent in Change Healthcare’s case—would have made the stolen credential useless.
- Ransomware payments do not guarantee data deletion. Your incident response plan should assume that any data exfiltrated before encryption is permanently compromised, regardless of payment. Plan accordingly for notification obligations.
- Third-party vendor incidents trigger your obligations. When Change Healthcare went offline, practices had HIPAA-related decisions to make about their own business associate relationships and notification obligations—even though the breach did not originate on their systems.
- Early detection saves money and patients. IBM research shows that organizations using AI-driven security and automation reduce breach costs by an average of $1.76 million and shorten breach lifecycles by 108 days. Detection controls that catch intrusions in hours—not months—are the highest-ROI investment in incident response.
How Often Should Medical Practices Test Their Incident Response Plans?
A plan that has never been tested is not a plan—it is a document. The difference between a practiced team and an unpracticed one is measured in days of downtime, six figures of recovery cost, and—in healthcare—patient outcomes.
At minimum, medical practices should:
- Conduct a tabletop exercise at least annually, simulating a ransomware attack or phishing-initiated account compromise. Walk every key stakeholder through their role from detection through notification.
- Test backup restoration quarterly—not just that backups completed, but that clinical systems can be recovered from them within your defined RTO window.
- Review and update the incident response plan whenever there is a significant change to your IT environment, your vendor relationships, or the threat landscape.
- Document all testing with timestamps, participant names, findings, and corrective actions. OCR will request this documentation in an investigation.
The proposed HIPAA Security Rule update explicitly requires annual reviews of incident response plans and testing of their effectiveness. Starting that habit now positions your practice ahead of the compliance curve and—more importantly—ahead of the next breach.
For context on how incident response fits into your broader HIPAA compliance program, see our article on what HIPAA IT compliance actually requires from healthcare organizations and our guide to how often a medical practice should perform a HIPAA risk assessment.
What Should Medical Practices Do to Build an Incident Response Plan Today?
The cost of not having an incident response plan is not abstract. It is measured in OCR penalties starting at $145 per violation (up to $2.19 million per violation category per year), in breach costs averaging $7.42 million per incident, and in the loss of patient trust that is extraordinarily difficult to rebuild. The practices that recover quickly from incidents—and avoid regulatory action—are the ones that treated incident response as a core operational function, not an afterthought.
Start with the basics: document your roles, define your escalation paths, establish your notification decision tree, and run one tabletop exercise before the year is out. Then layer in detection controls, tested backups, and vendor accountability through your Business Associate Agreements. The proposed 2025 HIPAA Security Rule changes are coming regardless—building your program now means you are compliant on day one, not scrambling after a breach.
NorthStar Technology Group works with medical practices, clinics, and healthcare organizations to build HIPAA-compliant incident response programs from the ground up—including plan documentation, tabletop facilitation, detection architecture, and OCR-ready documentation frameworks. If your practice does not have a written, tested incident response plan, we can help you build one. Visit our Healthcare IT & Cybersecurity Services page or reach out at northstartechnologygroup.com to schedule a consultation.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.