HIPAA Breach Notification — Standard Operating Procedure
Per 45 CFR §164.400–414. This SOP governs gasguide.app's response to a breach of unsecured PHI affecting an Enterprise customer's data. Last reviewed: .
1. What counts as a breach
A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. Three exclusions apply:
- unintentional access by a workforce member acting in good faith within the scope of their authority;
- inadvertent disclosure between authorized recipients at the same Business Associate;
- a good-faith belief that the unauthorized recipient could not have retained the data.
Presumption of breach: any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless we demonstrate a LOW PROBABILITY that PHI has been compromised based on a 4-factor risk assessment (nature/extent of PHI, who accessed it, whether actually viewed or acquired, extent of risk mitigation).
2. Discovery and immediate response (Day 0)
- Any team member who suspects a breach immediately escalates to the Security Officer at security@gasguide.app + on-call lead.
- CONTAIN: revoke compromised credentials, rotate API keys, disable affected accounts, isolate affected systems. Document timestamp of each containment step.
- PRESERVE: snapshot access logs, audit trails, Cloudflare logs, Supabase logs from the relevant time window before any rotation that might affect them. Write to a tamper-evident log.
- CONVENE: Security Officer + engineering lead + legal counsel within 24 hours of discovery.
3. Risk assessment (Days 0–5)
The 4-factor analysis per 45 CFR §164.402:
- Nature + extent of PHI involved — types, identifiers, likelihood of re-identification.
- Unauthorized person who used the PHI or to whom disclosure was made — external attacker vs. workforce mistake vs. partner with own duties.
- Whether PHI was actually acquired or viewed — log analysis, forensic evidence.
- Extent to which the risk has been mitigated — recipient's attestation of destruction, isolation of the compromised system, etc.
If the 4-factor analysis concludes LOW probability of compromise, the incident is not a breach and no notifications are required; the decision and rationale are documented in the breach log.
4. Notification timing (45 CFR §164.404, §164.410, §164.412)
- Covered Entity (Enterprise customer): notify without unreasonable delay and in any case within 10 business days of discovery. (BAA-tightened from the regulatory 60-day max.)
- Affected individuals (when Covered Entity directs gasguide.app to assist): no later than 60 calendar days after discovery. Written notice by first-class mail, or email if the individual has agreed to electronic notice.
- HHS Secretary:
  - ≥500 affected: notify HHS contemporaneously with individual notice via the HHS Breach Notification Portal.
  - <500 affected: maintain a log and submit it annually within 60 days of calendar year end.
- Media: if breach affects ≥500 residents of a state or jurisdiction, notify prominent media outlets serving that area within 60 days.
5. Notification contents (45 CFR §164.404(c))
Each notification includes, to the extent possible:
- Brief description of what happened, including dates of breach and discovery.
- Description of the types of unsecured PHI involved (e.g., name, date of birth, license number).
- Steps individuals should take to protect themselves from potential harm.
- Brief description of what gasguide.app is doing to investigate, mitigate harm, and prevent recurrence.
- Contact procedures — toll-free number or web form for follow-up questions.
6. Documentation + audit trail
All breach assessments, notifications, and mitigation actions are documented in the breach log and retained for at least 6 years per 45 CFR §164.530(j). The log is available to HHS upon request and to the Covered Entity per the BAA.
The credential_views audit table provides the underlying access-log evidence. Stripe webhook logs, Supabase auth logs, and Cloudflare edge logs are retained per their respective service agreements.
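The preservation step in section 2 requires containment timestamps to be written to a tamper-evident log, and section 6 makes the breach log the record that is retained for six years and produced to HHS or the Covered Entity. The following is an added illustration, not gasguide.app's own code, of one way to build such a log: each entry carries a SHA-256 digest over its own canonical JSON plus the previous entry's digest, so editing, deleting, or reordering any earlier entry breaks the chain at a detectable position. The event names, the `svc-export` principal, the log sources, and all timestamps are constructed sample values for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple


class TamperEvidentLog:
    """Append-only log where each entry is hash-chained to its predecessor."""

    GENESIS = "0" * 64  # prev-hash value for the first entry

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash the canonical JSON of every field except the stored hash itself.
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, event: str, detail: dict, at: Optional[str] = None) -> dict:
        """Record an event; 'at' defaults to the current UTC time."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "at": at or datetime.now(timezone.utc).isoformat(),
            "event": event,
            "detail": detail,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False, i
            if self._digest(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def head(self) -> str:
        """Latest hash; anchoring this value externally fixes the whole history."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS


def build_containment_log() -> TamperEvidentLog:
    """Constructed Day 0 record: discovery followed by containment and preservation steps."""
    log = TamperEvidentLog()
    log.append("discovery", {"reporter": "on-call", "system": "credential_views"},
               at="2024-01-15T09:02:00+00:00")
    log.append("contain.revoke_credentials", {"principal": "svc-export"},
               at="2024-01-15T09:20:00+00:00")
    log.append("contain.rotate_api_keys", {"service": "object-storage"},
               at="2024-01-15T09:35:00+00:00")
    log.append("preserve.snapshot_logs",
               {"sources": ["auth", "edge"], "window": "2024-01-14T00:00/2024-01-15T09:00"},
               at="2024-01-15T09:40:00+00:00")
    return log


def demo() -> dict:
    """Show that a later edit to a recorded timestamp is caught by verification."""
    log = build_containment_log()
    before = log.verify()
    # Simulated after-the-fact edit: backdating the credential revocation so
    # containment appears faster than it was. The stored hash no longer matches.
    log.entries[1]["at"] = "2024-01-15T09:05:00+00:00"
    after = log.verify()
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())  # {'before': (True, None), 'after': (False, 1)}
```

The chain only proves integrity relative to its head hash: whoever can rewrite the file can also recompute every digest from the altered entry onward. The value of `head()` therefore needs to be recorded somewhere the log's custodian cannot silently change, for example in the minutes of the convened incident meeting or in a copy sent to legal counsel, and compared against the file when the log is later produced.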
7. Post-incident review
Within 30 days of the close of an incident, the Security Officer conducts a root-cause review and updates this SOP, the BAA template, or technical controls as needed. Lessons learned are shared with subcontractors with PHI access (Supabase, Cloudflare, Resend, AWS) where they implicate shared responsibility.
Contact
Security incidents: security@gasguide.app
Legal / BAA: legal@gasguide.app