Skip to main content
Playbook library

Twelve playbooks for small clinical practices.

Each playbook is written so the practice owner or administrator can act on the first half without an IT background, then hand the second half to the MSP, IT contractor, or vCISO.

Ransomware in the middle of a clinic day

EHR, scheduling, e-prescribing, eligibility, payment posting — all dark while the waiting room fills up. The first hour is patient safety, then operations, then the HIPAA clock.

Open
Your EHR or practice-management vendor was breached

Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.

Open
A laptop, tablet, phone, or USB with patient data is missing

If the device was encrypted and you can prove it, HIPAA's safe-harbor provision often means no breach notification. If you can't prove encryption, the law presumes a breach.

Open
The front desk's email account was taken over

Once inside, attackers send spoofed records requests, payroll-redirect emails to the practice administrator, and patient-impersonation messages aimed at controlled-substance refills.

Open
Your clearinghouse is down

Claims pipeline stalls, eligibility checks fail, and your downtime billing posture is being tested in real time. A cash-flow event that becomes a regulatory event if it lasts long enough.

Open
A patient's portal account has been taken over

The attacker is using the portal to view PHI, send refill requests (especially for controlled substances), or impersonate the patient in messages. Triage, contain, and figure out whether this is one account or many.

Open
A staff member viewed a chart they had no business viewing

Curiosity is the most common motive, and curiosity is still a HIPAA violation. There is no attacker, the staff member meant no harm, and the patient may never find out unless you tell them — which is exactly the problem.

Open
Your telehealth platform reported a breach

Video, audio, transcripts, chat, and screen-shared documents may have been exposed. Consent, recording, and OCR scope all matter — and patients react more strongly to telehealth breaches because the visit feels personal.

Open
A connected medical device was flagged in a CISA or FDA alert

The device may be vulnerable, exploitable, or already compromised. This is a clinical safety event before it is a security event — and the manufacturer's FDA-cleared status constrains what you can do.

Open
A vendor that handles your PHI had a breach

Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.

Open
Coordinating the carrier IR vendor with the OCR portal filing

The incident is contained. Now sequence the carrier-mandated IR vendor with the OCR portal, the state AG filings, and the patient notifications. Small practices stumble here on sequencing, not on the work itself.

Open
A prescriber's EPCS credentials or hard token were compromised

DEA 21 CFR Part 1311 applies on top of HIPAA. The prescriber's DEA registration is on the line — revocation or suspension is possible in addition to any HIPAA breach implications. The playbook nobody else publishes.

Open