This procedure describes how AI VOX satisfies its obligations under 45 CFR § 164.410 (the HIPAA Breach Notification Rule for Business Associates) and its contractual obligations under any executed Business Associate Agreement.
Detection
Suspected incidents may be detected through automated monitoring (failed-login alerts, unusual query patterns, AWS CloudTrail anomalies, database query-log review), internal observation, a report from a Covered Entity or caller, or a notification from a subprocessor. All channels route to the Security Contact at work@theaivox.com.
Initial Triage — within 1 hour of detection
- Acknowledge the report and create a written incident record with an internal identifier, detection time, channel, and initial description.
- Determine whether the incident potentially involves PHI; if so, identify the affected Covered Entities and begin a privileged investigation.
Containment — within 24 hours of detection
- Stop further unauthorized access (rotate credentials, revoke sessions, isolate affected systems, block offending IPs, or take systems offline if needed).
- Preserve forensic evidence — capture logs, snapshots, and configuration state before remediation.
- Restrict discussion of details to those with a need to know.
Investigation
The Security Contact determines what PHI was involved, who accessed it, whether it was actually viewed, whether it was rendered unusable through encryption, and the extent of mitigation. The four-factor risk assessment at 45 CFR § 164.402(2) is applied to determine whether the incident is a Breach. The conclusion and analysis are documented.
Notification to Covered Entity
AI VOX provides written notification to the Covered Entity's designated privacy contact without unreasonable delay and no later than five (5) business days after Discovery of a Breach. The notification includes, to the extent known: the affected individuals, a description of what happened with dates, the types of PHI involved, steps individuals should take, what AI VOX is doing in response, and contact information for follow-up.
Notification to Other Parties
The Covered Entity is responsible for notification to individuals, the Secretary of HHS, and (where applicable) the media under 45 CFR §§ 164.404, 164.406, and 164.408. AI VOX provides timely cooperation and any assistance reasonably required. Where a subprocessor is the source of a Breach, AI VOX enforces the subprocessor's own notification obligations and incorporates the information the subprocessor reports into its own notification to the Covered Entity.
Remediation, Closure & Retention
AI VOX implements corrective actions to address the root cause, verifies their effectiveness, and documents the final analysis. Documentation of all Breaches and reportable Security Incidents is retained for at least six (6) years from closure, per 45 CFR § 164.316(b)(2).