Despite the risk of experiencing a HIPAA breach exceeding 89%, fewer than half of healthcare organizations have formal incident response plans and procedures. When an actual or suspected breach occurs, it is vital for covered entities and business associates to have a simple, streamlined, and expeditious plan to respond. These breaches can be anything from a lost thumb drive or laptop to a sophisticated cyber-attack, but a good breach response plan will be flexible enough to work in a variety of circumstances. There are standard responses that the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR), the government entity that polices HIPAA compliance, expects to see when health data has been compromised. These include protocols for investigation, mitigation, and notification of affected individuals.