Coordinating the carrier IR vendor with the OCR portal filing
The incident is contained. Now sequence the carrier-mandated IR vendor with the OCR portal, the state AG filings, and the patient notifications. Small practices stumble here on sequencing, not on the work itself.
The first hour
- 1Confirm carrier notification went through. Most cyber policies require notice within 24–72 hours of becoming aware of a potential incident. The coverage clock starts at notification, not at filing.
- 2Get the assigned breach coach (the carrier's panel attorney) on the phone. They direct the panel forensic firm, the panel notification vendor, and any state-specific counsel. Treat them as the project manager for the regulatory work.
- 3Confirm the engagement letter scope. The panel attorney's engagement is usually under attorney-client privilege, which protects the forensic findings from discovery in subsequent litigation. Route communications through them — files sent direct to your broker can lose the privilege.
- 4Map every regulator who needs notification and the clock for each: HHS OCR, state AG (CA/NY/TX/FL/others on 30–45 days), state medical board, CMS if Medicare-data was involved, HHS media notification if 500+ in one jurisdiction.
- 5Confirm the IR vendor's report scope: attacker access dates, activity dates, data accessed or exfiltrated, root cause, remediation, recommendations. This is the evidence base for the OCR filing and the claim.
- 6Draft the patient notification letter with the panel attorney. Include the data elements, mitigation, what the patient can do, a toll-free number, and (where SSN/financial data is involved) a credit-monitoring offer.
- 7Send the patient notifications by first-class mail (or consented electronic delivery) BEFORE filing the OCR portal — OCR's first question is when patients were notified, and an early portal filing is awkward to explain.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- Carrier notification email with policy number, discovery date, and case number.
- Engagement letter from the panel attorney establishing privilege scope.
- IR vendor forensic report — attacker timeline, data accessed, root cause, remediation.
- Patient notification letter, mailing log, and any electronic-delivery consent records.
- OCR portal submission confirmation, state AG submission confirmations, and the cyber-insurance claim file. Six-year retention.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- HHS OCR Breach Portal
- HHS Breach Notification Rule instructions
- State AG breach notification matrix
- State medical-board directory (FSMB)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Should we use the carrier's panel vendor or our own counsel?+
Almost always the panel. Panel vendors are pre-negotiated rates, they have done this hundreds of times, and the engagement keeps privilege intact. Use your own counsel only if there is a specific reason — and clear it with the carrier first or you risk the claim.
When exactly do we file the OCR portal?+
After the patient notifications are out the door. OCR's first question on any submission is when patients were notified. A portal filing ahead of the patient mailing is awkward to explain, and you are still inside the 60-day federal window either way.
Do we have to offer credit monitoring?+
Not under HIPAA. But for breaches involving SSN or financial data it is the de facto standard, several state laws require it, and the carrier's panel will usually recommend it as the cheapest path to limiting follow-on litigation. The carrier may pay for it.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.
EHR, scheduling, e-prescribing, eligibility, payment posting — all dark while the waiting room fills up. The first hour is patient safety, then operations, then the HIPAA clock.