1.5 CE Credit Hour Presentation on Breach Response

HIPAA Security Incidents & Breaches: Investigation, Documentation, and Reporting

Learn from Dr. Tara Sanderson and Liath Dalton as they provide a high-level overview of the most common causes of unauthorized disclosures/HIPAA breaches; the basics of breach response, including investigating, documenting, notification, and reporting; and, ways to prevent the likelihood and lessen the impact of a breach.

 1.5 legal ethical CE credit hour

On Demand Self Study

CE Credit Hours

When, not if: Breach response for when things go wrong

HIPAA breaches, or unauthorized disclosures and/or impermissible uses of protected health information (PHI), occur – and can occur even when the HIPAA covered entity is in compliance with the HIPAA Security Rule standards, has conducted a “thorough and accurate” risk analysis, and has implemented the technical, administrative, and physical safeguards that are “reasonable and appropriate” in proportion to the identified risks through the application of its risk mitigation plan.

Navigating an unauthorized disclosure/HIPAA breach is a stressful and consequential process; the cause, scope, and impact must be determined, impacted individuals must be notified, impact mitigation measures must be put in place if possible, the breach must be reported to the HIPAA regulators, and more. Additional risk analysis and risk mitigation may be necessitated, including updating of policies & procedures, safeguards, and workforce training.

Real feedback from the live event:

“Liath is my favorite presenter – knowledgeable and sharp with clarifying the information with examples. Really enjoyed Dr. Sanderson’s informative style – rock stars!”

“Really appreciated you translating this information with clinical examples – helped me digest the info!”

“I learned a lot and now have a better plan to prepare for, and if needed, respond to a breach. Thank you both!”

Who is this event for?

This course is designed for group practice leaders and group practice clinical staff members. It is also suitable for practices that are 100% in-person, 100% telehealth, or a mixture of in-person and telehealth treatment.

In-person Practices

Hybrid Practices

Teletherapy Only Practices

This introductory-level course for counselors, marriage and family therapists, psychologists, and clinical social workers will provide a roadmap of the basics of HIPAA breach prevention and response.

 Thank you for the information and for making it so accessible. Somehow you take the driest material and make it fun and immediately relevant. You folks knock it out of the park!

Maegan Carney


Describe the HIPAA Breach Notification Rule

Breach Response

Identify necessary HIPAA Security Policies and Procedures to be in compliance with the HIPAA Security Rule standards related to breach prevention, notification, and response

Breach Risk Reduction

Recognize common causes of HIPAA Breaches

Training is Step 2 of the PCT Way.

Course Details

1.5 CE Credit Hour. Self Study

Title: HIPAA Security Incidents & Breaches: Investigation, Documentation, and Reporting

Authors/Presenters: Tara Sanderson, PsyD, MBA and Liath Dalton
CE Length: 1 CE credit hours, legal-ethical
Legal-Ethical CE Hours: 1 legal-ethical CE hour 

Educational objectives: 

  • Describe the HIPAA Breach Notification Rule
  • Identify necessary HIPAA Security Policies and Procedures to be in compliance with the HIPAA Security Rule standards related to breach prevention, notification, and response
  • Recognize common causes of HIPAA Breaches 



Breach Basics

  • Breaches Happen 
    • Emotional Norming. 
    • Being Proactive, not just reactive when it comes to incident and breach preparedness. 
  • HIPAA Breach Notification Rule
    • Requirements of the Breach Notification Rule
    • Refresher on what constitutes Protected Health Information (PHI) – what must be protected from “impermissible use or disclosure”
    • What makes something a HIPAA breach?
      • From incident to breach
      • Onus of proving an incident was not a breach
    • Was an incident a breach?
      • Incident risk assessment factors that are required to be evaluated in the event of a breach
    • Breach Exceptions
    • Breach Issues Beyond HIPAA
      • State Data Breach Rules
      • Licensing Board Rules
  • Breach Realities
    • Data and recommendations from HHS Office for Civil Rights Annual Report to Congress on Breaches of Unsecured Protected Health Information
      • Breaches Reported
      • Breach Causes
      • Breach Investigation
      • Recommendations/Lessons Learned
  • Incident Investigation, Breach Determination, and Documentation
    • Policies & Procedures that Protect: Your Security Incident Response & Breach Notification Policy
    • Incident Investigation and Documentation Basics
    • Breach Notification & Reporting Timeframes and Requirements
      • Large Breaches (500+ impacted individuals)
      • Small Breaches (fewer than 500 impacted individuals)
    • Breach Reporting
    • Safe Harbor from Breach Notification Rule
    • Strategies for Preventing & Limiting Breaches

Meet Our Presenter

Presented by

Tara Sanderson, PsyD, MBA and Liath Dalton

Dr. Tara Sanderson, PsyD, MBA runs a successful group practice in Tigard, Oregon. She has been teaching, training and supporting Student Interns and Preliminary Licensed Supervisees for over 15 years. In addition to understanding the Ethical ramifications of supervision, Dr. Sanderson also has her MBA and has studied the business dynamics of supporting a business. She teaches a course on How to Start a Private Practice designed for clinicians getting ready to launch into business for themselves. Her course on How to Have Interns in Your Practice has recently launched. In that course she shares in depth about how to responsibly and ethically have interns in your practice. It also comes with all the forms you need to create the process for managing and monitoring the interns in your practice. She is the author of Too Much, Not Enough: A guide to decreasing anxiety and creating balance through intentional choices. 

On a personal note, Tara enjoys playing tabletop role-playing games with family and friends, motorcycling with her husband, and geocaching while she travels.


Consulting Website: www.drtarasanderson.com

Practice Website: www.drsandersonandassociates.com

Book Website: www.toomuchnotenoughbook.com

How to Start a Private Practice: www.howtostartaprivatepractice.com

How to have interns in your practice: www.howtohaveinternsinyourpractice.com

Liath Dalton is PCT’s director and a co-owner. Liath is especially passionate about helping therapists be resourced and supported in navigating the security compliance process and identifying the solutions and processes that meet the particular needs of their practices. Liath’s consultation area of expertise is focused on selecting the right combination of services and tech that not only meet the legal-ethical needs of mental health practices, but also the functionality, efficiency, and cost-effectiveness needs as well.


Resources & Citations:

● US Dept. of Health and Human Services. (2006). HIPAA Administrative Simplification. Washington, DC: Author.

● U.S. Department of Health and Human Services Office for Civil Rights. (n.d.). Annual report to Congress on breaches of unsecured protected health … Retrieved February 23, 2023, from https://www.hhs.gov/sites/default/files/breach-report-to-congress-2021.pdf

● Office for Civil Rights (OCR). (2021, June 28). Breach notification guidance. HHS.gov. Retrieved June 2, 2022, from https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

● Office for Civil Rights (OCR). (2021, June 28). Breach notification rule. HHS.gov. Retrieved June 2, 2022, from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

● Office for Civil Rights (OCR). (2021, June 28). Summary of the HIPAA security rule. HHS.gov. Retrieved May 19, 2022, from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

● US Dept. of Health and Human Services. (2013). HIPAA Omnibus Final Rule. Washington, DC: Author.

● Huggins, B. R. (2017, April 17). What is HIPAA Breach Notification? Retrieved June 2, 2022, from https://personcenteredtech.com/2017/01/04/hipaa-breach-notification/


Accuracy, Utility, and Risks Statement:

This program discusses strategies for complying with HIPAA and some other US Federal rules. It may not include information on all applicable state laws. Misapplication of the materials, or errors in the materials, could result in non-compliance with applicable laws or ethics codes.

Conflicts of Interest: None stated.
Commercial Support: none.

