- 60-Day Maximum: CE notification window (regulatory outer limit, measured from discovery)
- 24-Hour Target: Internal response time
- Written Notice: Documented notification
1. Purpose
This policy establishes procedures for responding to a breach of unsecured Protected Health Information (PHI) in compliance with the HIPAA Breach Notification Rule (45 CFR §§164.400-414) and the HITECH Act. It applies to all personnel, subcontractors, and systems involved in processing PHI on behalf of Covered Entities.
2. Definitions
- Breach: Acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. Any such impermissible use or disclosure is presumed to be a breach unless an exception (Section 8) applies or the risk assessment in Section 3.3 demonstrates a low probability that the PHI has been compromised.
- Unsecured PHI: PHI not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction per HHS guidance.
- Security Incident: Attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
- Discovery: The first day on which the breach is known to Synthesis Benefits, or by exercising reasonable diligence would have been known. A breach is treated as known to Synthesis Benefits when it is known to any workforce member or agent of Synthesis Benefits other than the person who committed the breach (45 CFR §164.410(a)(2)). The regulatory notification clock starts on this day, not on the day the risk assessment is completed.
- Covered Entity (CE): The dental practice that has engaged Synthesis Benefits under a Business Associate Agreement.
3. Incident Response Procedures
3.1 Step 1: Contain
- Immediately isolate affected systems.
- Revoke compromised credentials.
- Preserve evidence for forensic analysis.
- Assign incident response lead.
3.2 Step 2: Assess
- Determine the nature and extent of the incident.
- Identify the types of PHI involved.
- Determine the number of individuals affected.
- Assess whether PHI was actually acquired or viewed.
3.3 Step 3: Risk Assessment
Apply the 4-factor risk assessment required by 45 CFR §164.402(2):
- Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- Extent to which the risk to the PHI has been mitigated.
Only if the assessment demonstrates a low probability that the PHI has been compromised is the incident not a reportable breach; otherwise it is presumed to be a breach and must be reported. Synthesis Benefits bears the burden of proof for this determination (45 CFR §164.414(b)), so the assessment, its evidence, and its conclusion are documented in every case, including when the outcome is "no breach".
3.4 Step 4: Notify
If the risk assessment determines that a breach has occurred (or cannot demonstrate a low probability of compromise), notify the affected Covered Entity within 24 hours of that determination, and in all cases within the 60-day regulatory limit measured from discovery (Section 4). Provide, to the extent the information is available at the time of notice and supplemented as it becomes known:
- Identification of each individual whose PHI was, or is reasonably believed to have been, affected.
- A description of what happened, including the date of the breach and the date of discovery.
- Description of the types of PHI involved (e.g., names, dates of birth, Social Security numbers, treatment or claims information).
- Recommended steps for individuals to protect themselves from potential harm.
- Description of what Synthesis Benefits is doing to investigate, mitigate harm, and prevent future breaches.
3.5 Step 5: Remediate
- Implement corrective measures.
- Update security controls as needed.
- Document all actions taken.
- Conduct post-incident review within 30 days.
4. Covered Entity Notification
Synthesis Benefits will notify the affected Covered Entity in writing without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, as required by 45 CFR §164.410(b). The 60 days run from the date of discovery as defined in Section 2, not from the completion of the risk assessment, so an unfinished investigation does not extend the deadline. Our internal target is notification within 24 hours of determining that a breach has occurred. If a Business Associate Agreement specifies a shorter notification period, the shorter period applies. Notification will include all elements required by 45 CFR §164.410(c).
5. HHS Notification
The Covered Entity is responsible for notifying the Secretary of HHS. Synthesis Benefits will cooperate with the CE and provide all information necessary for the CE to fulfill its notification obligations under 45 CFR §164.408.
6. Covered Entity Obligations
The Covered Entity (dental practice) is responsible for:
- Notifying affected individuals without unreasonable delay and no later than 60 calendar days after discovery, per 45 CFR §164.404.
- Notifying HHS per 45 CFR §164.408: contemporaneously with individual notice for breaches affecting 500 or more individuals, and via the annual breach log (submitted within 60 days after the end of the calendar year) for breaches affecting fewer than 500 individuals.
- Notifying prominent media outlets serving the state or jurisdiction if the breach involves more than 500 residents of that state or jurisdiction, per 45 CFR §164.406.
Synthesis Benefits will cooperate fully.
7. Documentation
All breach investigations, risk assessments, notifications, and remediation actions are documented and retained for a minimum of 6 years from the date of creation or last effective date, as required by 45 CFR §164.530(j).
8. Exceptions
A use or disclosure of PHI is NOT a reportable breach if:
- (a) Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of Synthesis Benefits or the Covered Entity, made in good faith and within the scope of authority, provided the information is not further used or disclosed in a manner not permitted by the Privacy Rule.
- (b) Inadvertent disclosure by a person authorized to access PHI at Synthesis Benefits or the Covered Entity to another person authorized to access PHI at the same organization (or organized health care arrangement), provided the information is not further used or disclosed in a manner not permitted by the Privacy Rule.
- (c) Disclosure where Synthesis Benefits or the Covered Entity has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information (e.g., a misdirected fax returned immediately and unread).
Reliance on an exception is itself a determination that must be documented under Section 7.
9. Contact
For questions about this policy or to report a suspected breach, contact:
Synthesis Benefits
Email: contact@synthesisbenefits.com
See also our HIPAA Compliance page and Business Associate Agreement.