Step-by-Step Breach Response Checklist
First-action document: The runbook. A 9-step sequence that takes you from "something happened" to "investigation underway." Includes the first 60 minutes, who to call, what to write down, and what not to touch.
Eleven attorney-developed templates that take you from the moment of discovery through HHS submission. Pre-drafted notification letters, the four-factor risk assessment worksheet, and a runbook for the first 60 minutes.
Lifeline Compliance
From discovery to HHS submission, in one binder.
Contents: 11 + Appendix
“You don't write a breach response plan during a breach. You write it now — and follow it when the clock starts.”
Every document you'll need from the moment a breach is suspected through the day you close the file. Pre-drafted, attorney-developed, organized in the order you'll reach for them. Tab 1 is the runbook — the only tab you need to find first.
Tab 1: The runbook. A 9-step sequence that takes you from "something happened" to "investigation underway." Includes the first 60 minutes, who to call, what to write down, and what not to touch.
Tab 0: Read this once, on a calm day. Defines a "breach" under §164.402, the deadlines you're racing, and how the eleven tabs fit together. The map before the territory.
Tab 2: Where the contemporaneous record begins. Date, time, who, what, where, what was done. OCR's first request in any breach investigation is the timeline — this is what produces it.
Tab 3: The legal test that determines whether an incident is a reportable breach. Walks the four required factors with prompts and the documented conclusion OCR expects to see.
Tab 4: Translates the worksheet into a decision: notify patients, notify HHS, notify media. With deadline math from the date of discovery and the threshold rules for under-500 vs. 500-or-more incidents.
Tab 5: Pre-drafted letter with all six required elements: what happened, what was involved, what the patient should do, what you're doing, contact information, and the date. Plus an envelope-tracking record.
Tab 6: For incidents involving a vendor — or for use by a business associate notifying you. Includes the BA-to-CE notification template and the documentation chain that satisfies §164.410's 60-day rule.
Tab 7: Step-by-step instructions for the OCR Breach Portal: under-500 (annual rollup) and 500-or-more (within 60 days). Field-by-field guidance and a printable submission record.
Tab 8: Required only for breaches affecting 500 or more residents of a state or jurisdiction. Pre-drafted holding statement, prominent-media list guidance, and the "what not to say" cautions counsel will appreciate.
Tab 9: The mitigation document OCR expects after every reportable incident. Root cause, remediation steps, training updates, and the policy/procedure changes that prevent recurrence.
Tab 10: A nine-item close-out: every signature, every retention date, every document accounted for. The page Privacy Officers initial before the binder goes back on the shelf.
A nine-step ladder from the moment of discovery. Each step has a deadline, an owner, and a document. Steps 1–5 are the first hour. Steps 6–9 carry you through the 60-day reporting window.
Step 1. Contain. If a system is involved, isolate it — do not power down. If a document is involved, secure it. Note the time of discovery; the legal clock starts here, not when you "officially" decide it's a breach.
Step 2. Escalate. Workforce policy: any suspected incident is reported to the Privacy Officer immediately. Privacy Officer takes operational lead. If unavailable, alternate per Tab 0.
Step 3. Log. Begin Tab 2 immediately. What was discovered, when, where, how, and by whom. The log is contemporaneous — gaps and reconstructions damage credibility with OCR. Write while it's fresh.
Step 4. Preserve. Audit logs, access records, screen captures, paper documents in the condition found. Suspend any auto-deletion. Do not investigate by clicking around the affected system — that is forensics' job.
Step 5. Engage counsel. If PHI is involved and the incident is non-trivial: engage privacy counsel and, if cyber, retain forensics under privilege. The contact list lives at the front of Tab 0 for exactly this reason.
Step 6. Assess. Tab 3. The legal test that determines whether this is a reportable breach under §164.402. Counsel reviews. The conclusion — notify or document non-notify — is signed and dated.
Step 7. Decide. Tab 4 translates the assessment into action: which patients, which regulators, whether media notification triggers. Deadline math is calculated from the date of discovery, not the date of decision.
Step 8. Notify. Patient letters by first-class mail (Tab 5). Business-associate notifications where applicable (Tab 6). HHS via the breach portal (Tab 7). Media if 500+ in any single jurisdiction (Tab 8). Track every envelope.
Step 9. Close. Tab 9 captures root cause, remediation, training updates, and policy changes. Tab 10 is the close-out checklist. Binder back on the shelf, retention clock starts. Six years from close.
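Steps 6 through 8 reduce to a small piece of deadline arithmetic that is easy to get wrong under pressure: the clock runs from the date of discovery, the HHS channel depends on whether the total reaches 500, and the media trigger is counted per state or jurisdiction rather than in total. The following is an added illustration, not a document from the Kit and not Lifeline Compliance's code. It encodes the 60-calendar-day outer limit for individual, HHS and media notices and the annual-log rule for under-500 breaches (due 60 days after the end of the calendar year of discovery, per §164.408(c), which the page mentions only as the "annual rollup"); the scenario figures and jurisdiction counts are constructed, and the field names are this example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Windows and thresholds from the Breach Notification Rule (45 CFR 164.400-414).
OUTER_LIMIT = timedelta(days=60)   # "without unreasonable delay", never later than 60 calendar days
LARGE_BREACH = 500                 # threshold for the contemporaneous HHS report and for media notice


@dataclass
class Incident:
    discovered_on: date                 # the legal clock starts at discovery, not at the decision
    affected_by_jurisdiction: dict      # constructed head-counts per state/jurisdiction, e.g. {"TX": 520}
    low_probability_of_compromise: bool # the signed conclusion of the four-factor worksheet (Tab 3)

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_jurisdiction.values())


def annual_log_deadline(discovered_on: date) -> date:
    """Under-500 breaches go on the annual HHS log, due 60 days after the end
    of the calendar year in which they were discovered (§164.408(c))."""
    return date(discovered_on.year, 12, 31) + OUTER_LIMIT


def notification_plan(inc: Incident) -> dict:
    """Turn the worksheet conclusion plus head-counts into the Tab 4 decision:
    who must be notified and the latest date each notice may go out."""
    plan = {
        "notify": not inc.low_probability_of_compromise,
        "individuals_by": None,       # Tab 5 letters
        "hhs_by": None,               # Tab 7 portal submission
        "hhs_channel": None,          # "60-day report" or "annual log"
        "media_by": None,             # Tab 8, only where one jurisdiction reaches 500
        "media_jurisdictions": [],
    }
    if not plan["notify"]:
        # Low probability of compromise: file the signed non-notification
        # determination and stop; there are no notice clocks to track.
        return plan

    outer = inc.discovered_on + OUTER_LIMIT
    plan["individuals_by"] = outer

    if inc.total_affected >= LARGE_BREACH:
        plan["hhs_by"], plan["hhs_channel"] = outer, "60-day report"
    else:
        plan["hhs_by"], plan["hhs_channel"] = annual_log_deadline(inc.discovered_on), "annual log"

    # Media notice is counted per jurisdiction: 600 people spread across three
    # states may trigger the 60-day HHS report yet no press notice at all.
    plan["media_jurisdictions"] = sorted(
        j for j, n in inc.affected_by_jurisdiction.items() if n >= LARGE_BREACH
    )
    if plan["media_jurisdictions"]:
        plan["media_by"] = outer
    return plan


def plan_for(discovered_iso: str, affected_by_jurisdiction: dict, low_probability: bool) -> dict:
    """Convenience wrapper taking the discovery date as an ISO string (YYYY-MM-DD)."""
    return notification_plan(Incident(date.fromisoformat(discovered_iso),
                                      affected_by_jurisdiction, low_probability))


def overdue(plan: dict, today_iso: str) -> list:
    """Names of notices whose outer limit has already passed as of `today_iso`."""
    today = date.fromisoformat(today_iso)
    return sorted(k for k in ("individuals_by", "hhs_by", "media_by")
                  if plan[k] is not None and today > plan[k])


if __name__ == "__main__":
    # Constructed scenario: discovered 10 March 2026, 620 individuals, 520 of them in one state.
    for k, v in plan_for("2026-03-10", {"TX": 520, "OK": 100}, low_probability=False).items():
        print(f"{k:>20}: {v}")
```

Run it as-is to see the constructed scenario: every notice comes due on the same date (60 days after discovery), HHS goes through the 60-day report because the total is 620, and media notice is triggered for TX alone because OK never reaches 500. Change the counts to 40 and the HHS line moves to the annual log due in the following March, while the patient-letter date does not move at all; that is the point the runbook makes about the clock starting at discovery.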
A breach response is governed by deadlines, statutory elements, and contemporaneous documentation. None of those are easier under pressure.
§164.404(c) requires six specific elements in every letter. Missing any of them — description of what happened, what PHI was involved, steps the patient should take, mitigation, contact procedures, and date — turns a breach response into a second deficiency to cite.
§164.402 presumes any acquisition or disclosure of PHI is a breach unless a documented risk assessment demonstrates a low probability of compromise. Without the worksheet, the presumption stands — and notification is mandatory.
Notification deadlines run from the date of discovery, not the date the practice "got around to" responding. Late notification is treated as a separate Breach Notification Rule violation in addition to whatever caused the underlying incident.
OCR's first request in any breach investigation is the incident timeline. Logs created after the fact — or worse, no logs at all — damage credibility and move the matter from the "good faith" penalty tier toward willful neglect.
The Breach Response Kit is one of three modules. It can be used standalone, alongside the Core Documentation System, or as part of the complete Flagship.
Core Documentation System: The six documents OCR asks for first. The minimum required baseline for any HIPAA program.
For practices needing
Breach Response Kit (this module): Eleven tabs. Discovery to HHS submission. Pre-drafted notification letters and the four-factor risk assessment.
For practices needing
Flagship: The whole program — risk analysis, policies, the Core, this Kit, training, and BAA tracking. Everything an OCR auditor expects to find.
Adds to this Kit
All three are attorney-developed. All three are one-time purchases. All three are yours forever.
Every document in this Kit was drafted to satisfy the specific Breach Notification Rule provisions a regulator will look for. The four-factor risk assessment walks the §164.402 elements. The patient letter contains all six §164.404(c) required components. The HHS portal walkthrough mirrors the actual submission fields.
Drafted to citation
Every tab carries its 45 CFR section header — printed inside the document, not just on the marketing page.
All required elements present
Patient letters include all six §164.404(c) elements. Worksheet walks all four §164.402(2) factors.
Sequenced for the actual response
Tabs ordered by when you'll reach for them — not by alphabet, not by regulation.
Field-tested on real incidents
Worksheet, runbook, and decision guide refined across actual breach responses we've supported.
Before. Always before. The Kit is designed to be read once on a calm day, kept on the shelf, and reached for in the first 60 minutes after discovery.
If you're already responding to an incident, buy the Kit and engage privacy counsel simultaneously — the Kit will help you organize the response, but counsel handles the matter. This product is preparation, not a substitute for a lawyer mid-breach.
Eleven tabs delivered as fillable Microsoft Word (.docx) files, plus a printable PDF index for the binder cover. Bracketed fields like [PRACTICE NAME], [INCIDENT DATE], and [NUMBER OF INDIVIDUALS] are pre-marked throughout.
Every tab carries its 45 CFR section header printed inside the document, so you have documented authority for the language you're using when OCR asks.
The Core covers patient-facing and workforce documentation — the Notice of Privacy Practices, BAA, Authorization, and so on. Breach Notification Rule documents are a separate set of obligations.
You can absolutely run the Core alone, but if you experience an incident, you will need to produce the artifacts in this Kit. The two are designed to be complementary; the Flagship bundles them together.
No. The Kit is a structured response framework — the runbook, the worksheets, the templates, the deadlines. It is not legal advice and does not substitute for counsel.
For any reportable incident, engage privacy counsel. The Kit makes that engagement faster, cheaper, and better-documented because you arrive with a contemporaneous incident log, a completed risk assessment draft, and the notification scope already determined.
The worksheet walks the four factors in §164.402(2) verbatim and produces a documented, signed conclusion — which is exactly what OCR expects to find when reviewing a "non-notification" determination.
Defensibility depends on the quality of your answers, not the form. The Kit gives you the structure; counsel reviews your conclusions; together they produce something OCR can follow.
It is not a subscription. The Kit is a one-time purchase — yours forever. The 2026 Edition is current.
If we publish a major revised edition in response to a new HIPAA rule or a Breach Notification Rule amendment, it will be released as a separate edition. We may offer existing customers an upgrade path; the 2026 Edition stands on its own.
Because this is a digital product delivered immediately on purchase, all sales are final. We don't offer refunds.
If you have a question we haven't answered, reach out before buying — we'd rather help you choose correctly than process a return.
Question we didn't answer? Contact us before purchase.
Eleven attorney-developed templates, organized in the order you'll reach for them. From the moment of discovery to HHS submission. Read once on a calm day; ready when you need it.
Digital product · all sales final · single-practice license
The documents provided by Lifeline Compliance are attorney-developed templates for general informational and practice use only. They do not constitute legal advice and do not create an attorney-client relationship. Practices should consult qualified legal counsel for jurisdiction-specific compliance guidance, complex regulatory matters, or active government proceedings.
Copyright 2026 Highland Summit Consulting. All rights reserved.