Atlantic Health Strategies

When PHI Is Exposed: How Behavioral Health Providers Investigate and Recover From a Breach


The First 60 Days Decide Everything

If a behavioral health provider discovers a PHI breach, the clock that matters is 60 calendar days from the date of discovery, not the date the investigation wraps up. That is the outer limit set by the HIPAA Breach Notification Rule for notifying affected individuals, and for breaches affecting 500 or more individuals, for notifying HHS and prominent media in the affected state. OCR runs the breach portal and investigates every large breach.

The volume here is not theoretical. In 2024, 725 healthcare data breaches of 500 or more records were reported to OCR, exposing more than 275 million records, and behavioral health providers sit inside that statistic with the added weight of 42 CFR Part 2. A breach of unsecured SUD records is now a separate federal exposure with its own report path.

Behavioral health organizations get hit in four directions at once when this happens: forensic IT, outside counsel, OCR reporting, and patient-facing communication. The ones who survive the audit a year later are the ones who treated hour one like a regulator was already watching. Because, effectively, one is.

What Actually Happens in Hour One Through Day Three

The first questions are not about notification. They are about facts. What systems were accessed. Whether PHI was viewed, exported, or modified. How far the compromise reached. AHS opens every engagement the same way: evidence preservation, log review, network activity analysis, and isolation of compromised endpoints. Guesswork at this stage is what blows up the OCR submission later.

While forensics runs, a second team maps the data elements affected. Names. Addresses. Clinical notes. SUD records. Diagnoses. Treatment details. Financial information. That mapping determines the reporting path. OCR’s portal now has one submission path for PHI and a separate path for SUD records, meaning a single incident can require two breach reports.

This is the failure point for organizations without dedicated support. Their leaders try to manage IT remediation, patient notifications, OCR reporting, insurer communication, and legal review simultaneously, with limited documentation and unclear sequencing. AHS coordinators stage the work so attorneys get precise timelines, access details, and confirmation of exposed elements in a format they can actually use to advise the board.

Part 2 Changed the Math for SUD Programs

Behavioral health operators who treat substance use disorders should understand what changed in February 2026. OCR now enforces 42 CFR Part 2; the compliance deadline for the 2024 Final Rule was February 16, 2026; and Part 2 programs must report breaches of unsecured Part 2 records to the Secretary, affected individuals, and in some cases the media. Enforcement used to live with SAMHSA and DOJ and was, in practice, almost never used. That regime is over.

The penalty exposure is now aligned with HIPAA. OCR has stated that Part 2 penalties “align with the penalties available under” the HIPAA Privacy, Security, and Breach Notification Rules, with civil monetary penalties that can reach roughly $2.1 million per violation category per year for repeated offenses. The Federal Register codified the alignment under sections 1176 and 1177 of the Social Security Act.

For a residential SUD program in Florida or an outpatient methadone clinic in Ohio, this means the breach response plan has to explicitly address Part 2 records. The AHS clients we have walked through Part 2 readiness in the last twelve months have all needed three things rebuilt: their EHR audit logging, their breach risk-assessment template, and their notification letter templates. Old HIPAA-only playbooks miss the Part 2 reporting path entirely.

From Crisis to Containment: What Counsel and OCR Want to See

Once the facts are clear, the work shifts to containment, remediation, and operational recovery. AHS coordinates the standard remediation set: securing compromised accounts and devices, resetting authentication, repairing vulnerabilities, restoring clean backups, activating encrypted internal communication channels, and verifying system integrity before returning to normal operations.

Notification documents are the next pressure point. Many covered entities notify HHS, state attorneys general, and the affected individuals but skip the required media notice, which is itself a Breach Notification Rule violation when 500 or more residents of a single state are affected. That same source notes that Presence Health became the first entity to settle a case with OCR solely for a Breach Notification Rule violation, paying $475,000 after taking three months to issue notifications.

The penalties for getting the rest wrong are not abstract either. Solara Medical Supplies paid a $3,000,000 OCR settlement in December 2024 to resolve alleged violations of the Security Rule and Breach Notification Rule, with OCR specifically citing failures in risk analysis, risk management, and delayed notifications to HHS, individuals, and the media. Risk analysis failures remain the single most commonly cited HIPAA violation in OCR enforcement actions.

Months after the immediate work ends, the regulatory follow-up arrives: audits, corrective action plans, documentation requests, and inquiries about security practices before the breach. AHS prepares clients for that second wave by building integrated corrective action plans that pair technical fixes with policy updates, workforce training, and governance reinforcement.

Preparation Is the Only Real Defense

The strongest breach response starts long before the breach. OCR data shows healthcare breaches have plateaued in the 700 to 750 range per year, roughly two large breaches a day, twice the rate seen in 2018, and the OCR Director has publicly committed to expanding the risk analysis enforcement initiative to also cover risk management.

For behavioral health operators specifically, AHS recommends five concrete pre-breach actions: a documented breach response plan that explicitly addresses Part 2 records, an annual risk analysis that is dated and signed, tabletop exercises with IT and clinical leadership, business associate agreement audits with every EHR and billing vendor, and workforce training that is tracked at the individual level. HHS requires entities to retain breach documentation for at least six years.

None of this is about avoiding scrutiny. It is about being able to show, on the day a surveyor or an OCR investigator asks, that the organization understood the risk, mitigated it, and acted within the timelines the regulation requires. That is the work AHS does as the operational anchor when the breach happens, and the planning work we do before it does.

Frequently asked questions

How quickly does a behavioral health provider have to report a PHI breach to OCR?

For breaches affecting 500 or more individuals, the provider must notify affected individuals, HHS OCR, and prominent media in the affected state without unreasonable delay and no later than 60 calendar days from the date of discovery. For breaches affecting fewer than 500 individuals, the provider logs the incident and submits to OCR within 60 days after the end of the calendar year in which the breach was discovered. The countdown starts on the discovery date, not the date the investigation concludes.

Do SUD records require a separate breach report under 42 CFR Part 2?

Yes. Since the 2024 Final Rule, OCR has aligned Part 2 breach notification with HIPAA, and OCR’s breach portal has one submission path for unsecured PHI and a separate submission path for unsecured SUD records. A single incident at a Part 2 program that exposes both PHI and SUD records can require two reports. OCR began actively enforcing Part 2 violations on February 16, 2026, with civil monetary penalty exposure that mirrors the HIPAA tiered schedule.
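As an added illustration (not code from Atlantic Health Strategies), this Python sketch turns the notification rules in the two answers above into a deadline and reporting-path calculator for the incident file. The Breach fields, the per-state counts, and the assumption that the separate SUD submission runs on the same clock as the PHI submission (the page states Part 2 notification is aligned with HIPAA) are constructed here.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH = 500                 # threshold for HHS OCR and media notice
NOTICE_WINDOW = timedelta(days=60)  # outer limit, counted from discovery


@dataclass
class Breach:
    discovered: date           # date of discovery, not investigation close
    affected_by_state: dict    # constructed: state code -> affected individuals
    sud_records: bool = False  # 42 CFR Part 2 records among exposed elements


def total_affected(b: Breach) -> int:
    return sum(b.affected_by_state.values())


def notification_plan(b: Breach) -> dict:
    """Map a breach to the reporting paths and outer deadlines described above.

    Individuals: 60 days from discovery, regardless of size.
    HHS OCR: same 60-day clock at 500+ individuals; below 500 the incident is
    logged and submitted within 60 days after the end of the discovery year.
    Media: keyed to 500+ residents of a single state, on the 60-day clock.
    SUD records: a second OCR submission path, assumed here to share the
    HHS deadline because the page states Part 2 is aligned with HIPAA.
    """
    individuals_due = b.discovered + NOTICE_WINDOW
    if total_affected(b) >= LARGE_BREACH:
        hhs_due = individuals_due
    else:
        hhs_due = date(b.discovered.year, 12, 31) + NOTICE_WINDOW
    media_states = sorted(s for s, n in b.affected_by_state.items() if n >= LARGE_BREACH)
    plan = {
        "individuals_due": individuals_due,
        "hhs_phi_due": hhs_due,
        "media_states": media_states,
        "media_due": individuals_due if media_states else None,
    }
    if b.sud_records:
        plan["hhs_sud_due"] = hhs_due  # separate portal submission, same clock
    return plan


def days_left(due: date, today: date) -> int:
    """Days remaining on a deadline; negative means the outer limit has passed."""
    return (due - today).days


if __name__ == "__main__":
    # Constructed sample: a Part 2 program with 620 Florida and 40 Georgia patients.
    sample = Breach(date(2026, 3, 2), {"FL": 620, "GA": 40}, sud_records=True)
    for item, value in notification_plan(sample).items():
        print(item, value)
```

Note that a breach of 500 or more individuals spread across states with no single state at 500 still triggers the 60-day HHS submission but, by the single-state criterion, no media notice.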

What are OCR’s most common findings in breach-related enforcement actions?

Risk analysis failures are by far the most commonly cited HIPAA violation in OCR enforcement actions. Other recurring findings include risk management failures, delayed breach notifications to HHS and individuals, missing media notices when 500 or more residents of a state are affected, and inadequate business associate oversight. In 2024, OCR closed 22 investigations with financial penalties totaling roughly $12.8 million.

What documentation must a provider retain after a breach?

HHS requires entities to keep a complete incident file for at least six years, including the risk assessment supporting the breach determination, the discovery date and timeline, copies of all notices sent, OCR portal confirmations, business associate communications, and evidence of workforce training. AHS builds this file in parallel with the investigation so that nothing has to be reconstructed when OCR follows up months later.
