HIPAA breach mitigation policy

Organization: Factorial Biomechanics
Effective date: May 7, 2025
Version: 1.0
Applies to: All employees, contractors, systems, and partners with access to Protected Health Information (PHI)

Purpose

The purpose of this policy is to establish a clear procedure for detecting, responding to, mitigating, and documenting security incidents involving Protected Health Information (PHI), in compliance with the HIPAA Security Rule (45 CFR §164.308(a)(6)).

Scope

This policy applies to all data systems, applications, and infrastructure managed or operated by Factorial Biomechanics that store, transmit, or process PHI, including but not limited to:

  • Google Cloud Firestore (session metadata).
  • Firebase Cloud Storage (video data).
  • Firebase Cloud Functions (data logic and signed URL management).
  • Firebase Authentication (access control).

Incident detection

Factorial implements multiple mechanisms to detect unauthorized access or use of PHI:

  • Google Cloud audit logs for all access to Firestore and Storage.
  • Firebase Cloud Functions logs for monitoring signed URL issuance and invocation.
  • Automated anomaly detection for patterns such as repeated access attempts, use of expired credentials, or unrecognized IPs.
  • Internal error and access logs monitored by engineering personnel.

All logs are retained in accordance with our Data Retention Policy and are reviewed as part of ongoing risk management.

Response and containment

Upon detection of a potential or actual breach involving PHI, Factorial will immediately:

  • Restrict access to the affected data, system, or account.
  • Disable or revoke temporary access mechanisms such as signed URLs, where applicable.
  • Temporarily suspend affected services if needed to prevent further data exposure.
  • Preserve all relevant logs and evidence for investigation.
  • Notify the Security Officer or designated compliance lead without delay.

Containment actions are executed under documented standard operating procedures (SOPs) and reviewed post-incident.

Risk assessment

An internal risk assessment is conducted to determine:

  • The nature and extent of the PHI involved.
  • The unauthorized individuals who accessed or could have accessed the data.
  • Whether the PHI was actually viewed, exfiltrated, or tampered with.
  • The extent to which the incident can be mitigated.

This assessment is documented in an internal breach assessment form and logged for compliance review.

Breach notification

In the event a breach is confirmed under the HIPAA definition, Factorial will comply with the Breach Notification Rule (45 CFR §§164.400–414) as follows:

  • Notify affected individuals without unreasonable delay and within 60 calendar days.
  • Notify the Secretary of the U.S. Department of Health and Human Services (HHS) using the HHS Breach Portal.
  • Notify prominent media outlets, if the breach affects 500 or more individuals in a single jurisdiction.

All notifications will include a description of the breach, the type of PHI involved, recommended protective actions for individuals, and contact information for further inquiries.

Mitigation actions

Following a confirmed or suspected breach, Factorial will take the following steps to mitigate risk and prevent recurrence:

  • Remediate the root cause through permanent adjustments to system configurations, including authentication, authorization, and resource access policies.
  • Conduct a targeted security review of the affected infrastructure, including Firestore, Storage, and Cloud Functions.
  • Purge or secure improperly accessed PHI in compliance with legal and ethical standards.
  • Enhance logging, monitoring, and alerting protocols to detect and respond to future incidents more effectively.
  • Document all mitigation steps and retain them for audit readiness.
  • Deliver focused retraining to affected or responsible personnel with updated security procedures and risk awareness.

Documentation

All incidents are documented in an internal incident response log, which includes:

  • Unique incident ID
  • Date and time of detection
  • System(s) affected
  • Description of the breach
  • PHI types involved
  • Individuals affected (if known)
  • Containment and remediation steps
  • Notification actions taken (if any)
  • Outcome and next steps

This documentation is maintained in accordance with HIPAA retention standards and reviewed quarterly.

Review and training

This policy is reviewed annually and updated following any breach or significant system change. All personnel with access to PHI must complete security awareness and incident response training annually and as required after updates to this policy.

Contacts

Security Officer: René Vergara (hello@factorialbiomechanics.com)