
HIPAA Breach Notification: What Solo Therapists Need to Do (and When)


A breach doesn't have to involve a hacker or a ransomware attack. For a solo therapist, a breach could be as simple as emailing a progress note to the wrong patient, leaving your laptop unlocked in a coffee shop, or having your phone stolen with patient names visible in your calendar app.

What matters isn't just preventing breaches — it's knowing exactly what to do when one happens. Because "when" is the right word. No practice is immune, and the single biggest factor the HHS Office for Civil Rights (OCR) considers in its response is whether you handled the aftermath correctly.

What Counts as a HIPAA Breach?

A breach is any impermissible use or disclosure of Protected Health Information (PHI) that compromises the security or privacy of that information. In practical terms for a therapy practice:

Definitely a breach:

  • Sending patient records, notes, or identifiable information to the wrong person
  • A stolen or lost device (laptop, phone, tablet) that contains unencrypted patient data
  • A staff member accessing patient records they have no treatment reason to view
  • A ransomware attack or malware that exposes patient data
  • Disposing of patient records (paper or electronic) without proper destruction

Probably a breach (requires the four-factor assessment):

  • Misdirected fax containing patient information
  • An email auto-complete sending a message to the wrong address
  • Leaving a voicemail with clinical details at a wrong number
  • A family member seeing a patient's appointment on a shared calendar

Not a breach:

  • Unintentional access by an authorised person acting in good faith (e.g., your billing assistant sees a note while processing a claim)
  • Disclosures where the recipient would not reasonably be able to retain the information

The Four-Factor Risk Assessment

When a potential breach occurs, HIPAA requires you to conduct a risk assessment considering four factors before determining whether it's reportable:

1. The nature and extent of the PHI involved. What type of information was exposed? Clinical notes are more sensitive than appointment confirmations. Social Security numbers and diagnoses carry higher risk than names alone.

2. Who accessed or received the information. Was it another healthcare provider (lower risk) or a completely unrelated third party (higher risk)?

3. Whether the PHI was actually acquired or viewed. A lost encrypted laptop is different from a lost unencrypted laptop where someone logged in and accessed files.

4. The extent to which the risk has been mitigated. Did you get the information back? Was the recipient willing to delete it? Was the device remotely wiped?

If, after conducting this assessment, you determine there is a "low probability that the PHI has been compromised," it's not a reportable breach. Otherwise, you must proceed with notification.

Important: You must document this risk assessment in writing regardless of the outcome. If OCR ever asks, "Why didn't you report this?" your documented four-factor analysis is your answer.

The 60-Day Notification Rule

If you determine a reportable breach has occurred, the clock starts ticking:

Individual notification — within 60 days

You must notify every individual whose PHI was compromised. The notification must:

  • Be in writing (a mailed letter, or email if the individual has previously agreed to receive electronic communications)
  • Include a brief description of what happened and the dates
  • Describe the types of information involved
  • Explain what you're doing to investigate and mitigate
  • Explain what the individual can do to protect themselves
  • Include your contact information

If you have outdated or insufficient contact information for fewer than 10 of the affected individuals, you can use alternative notification methods for them (a phone call, for example).

HHS notification

Fewer than 500 individuals affected: Report to HHS within 60 days of the end of the calendar year in which the breach was discovered. You have until March 1 of the following year.

500 or more individuals affected: Report to HHS within 60 days of discovery. Also notify prominent media outlets in the state or jurisdiction.

The breach portal

All reports go through the HHS Breach Portal. Breaches affecting 500+ individuals are posted publicly on the "Wall of Shame" — searchable by anyone.

Common Breach Scenarios for Solo Therapists

Scenario 1: Stolen laptop

Your laptop is stolen from your car. It contains patient session notes in your EHR and locally cached files.

If the laptop was encrypted (full-disk encryption): Not a reportable breach. Encrypted data is excluded from the breach notification rule because the data is unreadable without the encryption key. Document the theft, note the encryption was active, and file this assessment in your records.

If the laptop was not encrypted: Reportable breach. You must notify every patient whose data was on the device and report to HHS.

This single distinction — encryption — is why every HIPAA compliance program insists on full-disk encryption for all devices. It turns a crisis into a documented non-event.

Scenario 2: Email to the wrong patient

You accidentally send Patient A's progress notes to Patient B via email.

This is likely a reportable breach. Patient B is not authorised to receive Patient A's PHI. Your four-factor assessment will consider: what was in the notes (clinical content = high sensitivity), who received it (another patient = not authorised), whether they viewed it (you can ask), and whether you can mitigate (ask Patient B to delete the email).

Even if Patient B deletes the email immediately, the conservative approach is to report. Document everything.

Scenario 3: Ransomware attack

Your computer is infected with ransomware that encrypts your files and demands payment.

HHS has stated that ransomware is presumed to be a breach unless you can demonstrate a low probability of compromise. Even though the attacker encrypted your data (rather than stealing it), the malware had access to the files, which constitutes a potential acquisition.

Notify affected individuals and HHS. Also file a report with the FBI's Internet Crime Complaint Center (IC3).

What NOT to Do After a Breach

Don't wait. The 60-day clock starts when you discover the breach, not when you finish investigating. Delayed notification is itself a HIPAA violation.

Don't hide it. Not reporting a breach that should have been reported is far worse than the breach itself. OCR has imposed its largest penalties on organisations that concealed breaches.

Don't guess at the scope. Investigate thoroughly. Check logs, review access records, determine exactly what data was involved and who was affected.

Don't destroy evidence. Preserve all logs, emails, and records related to the incident. You'll need them for your investigation, the four-factor assessment, and any potential OCR review.

Building Your Breach Response Capability

The best time to prepare for a breach is before one happens. Your Incident Response Plan should include:

  • Contact list (IT support, legal counsel if needed, HHS breach portal URL)
  • Step-by-step response procedures
  • Documentation templates
  • Notification letter templates
  • Breach assessment worksheet (the four factors)

Take the free HIPAA assessment to check whether your practice has the breach preparedness documentation OCR expects — including an incident response plan and the training to use it.

Key Takeaways

  1. Encrypt everything. Full-disk encryption on laptops, phones, and tablets. This single step prevents most breaches from being reportable.
  2. Know the 60-day rule. Individual notification within 60 days of discovery. No exceptions.
  3. Document everything. Even non-breaches need a documented four-factor assessment.
  4. Don't panic, but don't delay. A calm, documented, timely response is what OCR wants to see.
  5. Have a plan before you need one. Your incident response plan should be written, practiced, and accessible.
