Twelve playbooks for small clinical practices.
Each playbook is written so the practice owner or administrator can act on the first half without an IT background, then hand the second half to the MSP, IT contractor, or vCISO.
EHR, scheduling, e-prescribing, eligibility, payment posting — all dark while the waiting room fills up. The first hour is patient safety, then operations, then the HIPAA clock.
Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.
If the device was encrypted and you can prove it, HIPAA's safe-harbor provision often means no breach notification. If you can't prove encryption, the law presumes a breach.
Once inside, attackers send spoofed records requests, payroll-redirect emails to the practice administrator, and patient-impersonation messages aimed at controlled-substance refills.
Claims pipeline stalls, eligibility checks fail, and your downtime billing posture is being tested in real time. A cash-flow event that becomes a regulatory event if it lasts long enough.
The attacker is using the portal to view PHI, send refill requests (especially for controlled substances), or impersonate the patient in messages. Triage, contain, and figure out whether this is one account or many.
Curiosity is the most common motive, and curiosity is still a HIPAA violation. There is no attacker, the staff member meant no harm, and the patient may never find out unless you tell them — which is exactly the problem.
Video, audio, transcripts, chat, and screen-shared documents may have been exposed. Consent, recording, and OCR scope all matter — and patients react more strongly to telehealth breaches because the visit feels personal.
The device may be vulnerable, exploitable, or already compromised. This is a clinical safety event before it is a security event — and the manufacturer's FDA-cleared status constrains what you can do.
Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.
The incident is contained. Now sequence the carrier-mandated IR vendor with the OCR portal, the state AG filings, and the patient notifications. Small practices stumble here on sequencing, not on the work itself.
DEA 21 CFR Part 1311 applies on top of HIPAA. The prescriber's DEA registration is on the line — revocation or suspension is possible in addition to any HIPAA breach implications. The playbook nobody else publishes.