HIPAA Breach Risk Assessment
Part I: Investigation Information
Name of staff reporting information:
Date of suspected breach:
Date of discovery:
Date disclosure reporting form completed:
Number of individuals affected:
Individual affected by the disclosure:
Complete a separate form for each individual. If breach involves more than 5 individuals, contact the Compliance Officer for instructions.
First Name: / MI: / Last Name:
Street Address:
City, State: / Postal Code:
1. Type of disclosure (select all that apply). If “other” is selected, describe.
- Improper Disclosure
- Loss
- Unauthorized Access
- Theft
- Improper Disposal
- Hacking/IT Incident
- Unknown
- Other: ______
2. Disclosure mode (select all that apply). If “other” is selected, describe.
- Email
- Fax
- Face-to-face
- Mail
- Telephone
- IT Incident
- Unknown
- Other: ______
3. Location of breached information (select all that apply). If “other” is selected, describe.
- Laptop
- Desktop Computer
- Network Server
- Handheld Device
- Email
- Electronic Storage Media
- Electronic Medical Record
- Paper
- Unknown
- Other: ______
4. Type of PHI involved in the breach (select all that apply). If “other” is selected, describe.
Demographic information - includes names, elements of addresses, dates of birth, phone or fax numbers, email addresses, medical record numbers, health plan numbers, etc.
Financial information - includes social security numbers, account numbers such as credit cards or checking, etc.
Clinical information - includes treatment notes, diagnoses, dates of services, medical record documentation, lab & radiology reports, EOBs, claim forms, itemized statements, etc.
Other information - ______.
5. Brief description of what happened – DO NOT LIST ACTUAL PHI:
6. Initial actions taken with recipient (select all that apply). If “other” is selected, describe.
- Recipient will destroy PHI
- Recipient will return PHI
- None
- Other: ______
Please list recipient’s name/title, name of recipient’s entity, and known contact information for recipient.
Part II: Initial Risk Assessment
Note: There must have been a violation of the HIPAA Rules for a breach to occur. Only complete this form if a disclosure, use or access to PHI occurred in violation of the HIPAA Rules.
Breach Exclusions (answer each question Yes / No / N/A):
- Was it an unintentional acquisition, access or use made in good faith by a workforce member acting within his/her scope of authority, and the disclosure will not result in further use or disclosure in violation of the HIPAA Rules? Yes – STOP, breach exclusion, no breach / No / N/A
- Was the inadvertent disclosure by a person who is authorized to access the PHI to another person authorized to access PHI at the same covered entity or business associate, and the disclosure will not result in further use or disclosure in violation of the HIPAA Rules? Yes – STOP, breach exclusion, no breach / No / N/A
- Was a disclosure of PHI made, but there is a good faith belief that the unauthorized recipient would not have reasonably been able to retain it (Ex. EOBs were mistakenly sent to the wrong individuals and were returned by the post office, unopened, as undeliverable)? Yes – STOP, breach exclusion, no breach / No / N/A
The nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification (answer each question Yes / No / N/A):
- Does the disclosure pose a significant risk of financial, reputational, or other harm? Yes – high risk / No / N/A
- Did the disclosure include the name and type of specialized services (such as a substance abuse facility)? Yes – high risk / No / N/A
- Did the disclosure increase the risk of ID theft (such as SS#, account #, mother's maiden name)? Yes – high risk / No / N/A
- Was the information limited to a Limited Data Set? Yes – low risk / No / N/A
The unauthorized person who used the PHI or to whom the disclosure was made (answer Yes / No / N/A):
- Was the recipient of the disclosure a covered entity or a business associate? Yes – low risk / No / N/A
Whether the PHI was actually acquired or viewed (answer each question Yes / No / N/A):
- Was the impermissible use/disclosure of unsecured PHI (e.g., PHI not rendered unusable, unreadable, or indecipherable to unauthorized individuals)? Yes / No – STOP, no breach / N/A
- Was the PHI that was disclosed returned prior to being accessed for an improper purpose (e.g., stolen laptop returned without being turned on, envelope returned to the post office without being opened)? Yes – low risk / No / N/A
The extent to which the risk to the PHI has been mitigated (answer each question Yes / No / N/A):
- Did the person who received the disclosed information report the disclosure promptly? Yes – low risk / No / N/A
- Were immediate steps taken to mitigate the disclosure (e.g., shredding)? Yes – low risk / No / N/A
Is a breach substantiated based upon risk assessment findings? Summarize results. ______