Annual Tabletop

HIPAA incident response tabletop

HIPAA incident response tabletop — the AAR your OCR auditor wants.

HIPAA §164.308(a)(7)(ii)(D) calls for testing and revision procedures for contingency plans. It is an addressable implementation specification, which does not mean optional: a covered entity either implements it or documents why it is not reasonable and appropriate and what equivalent measure is in place. Annual Tabletop runs a HIPAA-anchored incident response tabletop in 60 minutes and produces an AAR that carries the §164.308 crosswalk — the evidence OCR investigators look for.

What this page covers

A practitioner-level guide, not a keyword page.

  • What §164.308(a)(7) actually requires, without the jargon.
  • A HIPAA-anchored scenario library (BEC, PHI ransomware, vendor breach).
  • An AAR template aligned to what OCR asks for.
  • How this plugs into SOC 2 if you're under both.
Frameworks referenced: HIPAA §164.308 · NIST CSF 2.0 · SOC 2 CC7.4/CC7.5

HIPAA's contingency plan standard — §164.308(a)(7) — includes a testing and revision procedure at (ii)(D). OCR's interpretation is consistent: you need a documented, tested plan, and you need to be able to produce evidence that the testing happened (when, who took part, what was exercised, what changed afterwards).

Annual Tabletop's HIPAA scenarios are built around the threats covered entities and business associates actually face: ePHI ransomware, business email compromise, vendor breaches, insider access misuse. Atlas runs constrained-decision injects that exercise the incident response portion of your contingency plan — the part OCR asks about first. Note that the Security Rule's incident response obligation proper sits in the security incident procedures standard at §164.308(a)(6), whose response-and-reporting specification is required rather than addressable; a scenario that exercises detection, response and reporting alongside the contingency plan lets one AAR speak to both standards.

The AAR is the artifact. Timestamped, signed, and carrying the §164.308(a)(7) crosswalk on the first page. If you are also under SOC 2, the same AAR carries the SOC 2 CC7.4 / CC7.5 crosswalk, so one exercise produces evidence for both audits.

Recommended scenarios

Start with these.


FAQ

Questions practitioners ask

  • Is a tabletop enough to satisfy §164.308(a)(7)?
    For most covered entities, a documented tabletop plus periodic live drills (for example, an actual restore from backup) meets the reasonable-and-appropriate standard OCR applies. The rule is scalable under the flexibility-of-approach provision in §164.306(b) — a small practice exercises at a different intensity than a large hospital system. The point is that testing happens, that the plan is revised from what the test finds, and that both are documented.
  • How often should I run this?
    HIPAA does not prescribe a frequency. Annual testing is the baseline most HIPAA security programs and auditors work to, with an additional exercise after a material change to systems, vendors or the plan itself. Our product name is not an accident.
  • Can I hand the AAR directly to OCR if I'm investigated?
    The AAR is formatted as tabletop exercise evidence — timestamp, participants, scenario, decisions, observations, and follow-up actions. In our experience with OCR investigators, that's the form they expect. We cannot, of course, promise OCR's reaction; consult your HIPAA counsel.
  • Does this cover business associates too?
    Yes. Since the 2013 Omnibus Rule, business associates are directly subject to the Security Rule, including §164.308(a)(7), independent of whatever their business associate agreements also flow down. The same scenarios and AAR template apply.

Test your HIPAA contingency plan — this quarter.