Which of the following is NOT typically part of HIPAA breach notification requirements?

HIPAA breach notification focuses on communicating with those affected and, when required, with official authorities, within specific timeframes. When a breach is identified, the typical response includes quickly informing the individuals whose PHI was exposed and, depending on the breach’s size and impact, also notifying the Health and Human Services and, in some cases, the media. There’s also usually an assessment step to understand how widespread the breach is and how severe it is, which helps determine notification scope and timelines. Wiping data from all devices without reporting isn’t part of the notification process. While incident response may involve removing or securing data, HIPAA requires that breaches be reported to the affected individuals and to the appropriate authorities; erasing data to avoid notification would contradict those requirements and could create liability.