HIPAA Compliance

Breach Notification Policy

Equip Resource Solutions (ERS) · Effective June 1, 2026

If you believe your protected health information has been compromised, contact us immediately at [email protected] or (833) 258-2229.

1. Purpose and Scope

This Breach Notification Policy describes how Equip Resource Solutions (ERS) ("ERS," "we," "us") responds to unauthorized access, use, disclosure, or loss of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and applicable California state law.

This policy applies to all ERS workforce members, contractors, volunteers, and business associates who create, receive, maintain, or transmit PHI on behalf of ERS.

2. What Constitutes a Breach

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. Examples include but are not limited to:

  • Unauthorized access to electronic records containing PHI
  • Loss or theft of a device containing unencrypted PHI
  • Misdirected email or fax containing PHI to an unintended recipient
  • Unauthorized disclosure of PHI to a third party without a valid authorization
  • Ransomware or malware attack affecting systems that store PHI
  • Insider threat — workforce member accessing PHI without a legitimate need

A breach is presumed to have occurred unless ERS can demonstrate, through a documented four-factor risk assessment, that there is a low probability that the PHI has been compromised.

3. Four-Factor Risk Assessment

Upon discovery of a potential breach, ERS will conduct a documented risk assessment considering the following four factors:

1. Nature and Extent of PHI

What types of identifiers were involved and the likelihood of re-identification.

2. Unauthorized Person

Who accessed or could have accessed the PHI and whether they are obligated to protect it.

3. Whether PHI Was Acquired

Whether the PHI was actually viewed or only accessed without evidence of acquisition.

4. Mitigation

The extent to which the risk has been mitigated, including return or destruction of the PHI.

4. Notification Timelines

Individual Notification — Within 60 Days

ERS will notify affected individuals no later than 60 calendar days after discovery of a breach. Notification will be provided by first-class mail to the last known address, or by email if the individual has agreed to electronic notice.

HHS Notification — Within 60 Days (Large Breaches)

For breaches affecting 500 or more individuals, ERS will notify the U.S. Department of Health and Human Services (HHS) simultaneously with individual notification. For breaches affecting fewer than 500 individuals, ERS will maintain a log and submit to HHS annually no later than 60 days after the end of the calendar year.

Media Notification — Within 60 Days (Large Breaches)

For breaches affecting 500 or more residents of a state or jurisdiction, ERS will provide notice to prominent media outlets in that state or jurisdiction.

California — Additional Requirements

Under California Civil Code § 1798.82 and the CMIA, ERS will notify affected California residents of breaches involving personal information or medical information in the most expedient time possible and without unreasonable delay.

5. Content of Individual Notification

Each individual notification will include, to the extent possible:

  • A brief description of what happened, including the date of the breach and the date of discovery
  • A description of the types of PHI involved (e.g., name, date of birth, address, diagnosis)
  • Steps the individual should take to protect themselves from potential harm
  • A brief description of what ERS is doing to investigate, mitigate, and prevent future breaches
  • Contact information for individuals to ask questions or obtain additional information

6. Data Retention Schedule

ERS retains PHI and personally identifiable information (PII) only as long as necessary to fulfill the purpose for which it was collected, or as required by law:

Data Type                    | Retention Period               | Basis
-----------------------------|--------------------------------|---------------------
Support application (PHI)    | 6 years from date of creation  | HIPAA § 164.530(j)
Volunteer records            | 3 years from last activity     | Operational / legal
Contact / donor records      | 3 years from last contact      | Operational
Admin audit logs             | 6 years                        | HIPAA / SOC 2
Breach notification records  | 6 years from date of breach    | HIPAA § 164.414(b)
Website access logs          | 90 days                        | Security monitoring

Upon expiration of the applicable retention period, ERS will securely destroy PHI and PII using methods that render the information unreadable and unrecoverable.

7. Reporting a Suspected Breach

All workforce members, contractors, and business associates must report any known or suspected breach of PHI immediately — and no later than 24 hours after discovery — to the ERS Privacy Officer.

Email (Preferred)

[email protected]

8. Related Policies

This policy was last reviewed and updated on June 1, 2026. Equip Resource Solutions (ERS) reserves the right to amend this policy at any time. Material changes will be posted on this page with an updated effective date. Questions regarding this policy should be directed to [email protected].