A potential breach is any situation where PHI may have been accessed, used, or disclosed in a way the law and CareHub's policies don't permit. Common examples that have to be reported even if you're not sure they qualify:
- An email containing PHI sent to the wrong recipient.
- A laptop, phone, or USB drive containing PHI lost or stolen.
- A login or session credential compromised, suspected compromised, or shared.
- A document served to the wrong distribution list.
- A vendor or subprocessor notification that they may have had an incident touching CareHub data.
- A patient who reports seeing information about another patient through CareHub.
You are not the person who decides whether something is a reportable breach under HIPAA. Your job is to report it promptly so the people who do make that determination can.
How to report
- First step: message the on‑call compliance officer in #compliance-incidents on Slack, or email compliance@carehubtherapy.com if Slack is unavailable. Either path opens a ticket and starts the clock.
- Include in the report: what happened, when you noticed, who was affected if you know, what you've already done (e.g. recalled the email, locked the device), and whether the situation is ongoing.
- Do not try to clean up evidence, delete logs, or "fix" things in a way that erases what happened. Forensic clarity matters more than tidiness.
- Time matters. HIPAA gives covered entities up to 60 days to notify affected individuals after discovery of a breach, but CareHub's internal SLA is to triage within hours, not days. The clock starts when anyone in the workforce knows — so escalating fast is part of the obligation, not a courtesy.
After you've reported, the compliance team takes it from there: containment, forensic review, formal determination, notifications if required, and any process changes. You will be asked questions; answer them. You will not be punished for surfacing a potential breach in good faith — failing to surface one is the punishable behavior.