This document is intended to be a template which should be customized to fit the unique needs of the provider's operations.

Step 2: Privacy and Security Event Analysis – Potential Breach Investigation

WHO REPORTED EVENT AND WHEN
Name: ______ / Facility: ______ / Phone: ______
Event ID: ______ / Date of Event: ______ / Date of Discovery: ______ / Date Reported: ______
DETAILS OF EVENT
Format: Paper / Electronic / Verbal
Type of Event (select all that apply; if selecting “other”, describe in greater detail):
  Theft / Hacking / IT incident / Physical Security Breach / Loss or misplacement
  Improper Disposal / Virus/other malicious software / Unauthorized Access/Use/Disclosure
  Other / Unknown
Location of Information (select all that apply; if selecting “other”, describe in greater detail):
  Laptop computer / Network Server / Other Portable Electronic Device
  Desktop computer / Email / Paper / Electronic Medical Record
  Other
DETAILS OF SECURITY OF PHI (Secured PHI is PHI that is rendered unusable, unreadable or indecipherable to unauthorized individuals)
State of Data: At Rest / In Motion / Being cleared, purged or destroyed
Was the electronic PHI encrypted as specified according to HHS guidance (74 CFR 19006)? Yes / No / N/A
  OR
Was the PHI rendered unusable, unreadable or indecipherable to unauthorized individuals? Yes / No
Describe details of security: ______
If this section ends with YES, stop process. Sign report. Maintain documentation per policy.
Type of Protected Health Information Involved (select all that apply; if selecting “other”, describe in greater detail):
  Demographic / Financial / Clinical / Other
If applicable, # of residents involved: ______
Identifiers involved:
  Demographic: Name / SS# / Address/Zip / Drivers License / Date of Birth
  Financial: Credit Card # / Bank Account # / Claims Information / Other
  Clinical: Diagnosis/Conditions / Lab results / Medications / Other Treatment Info
  Other: ______
Safeguard(s) in Place Prior to Event (select all that apply; if selecting “other”, describe in greater detail):
  Firewalls / Strong Authentication / Physical Security / Anti-virus Software
  Secure Browser Sessions / Biometrics / Logical Access Control / Intrusion Detection
  Packet filtering (router-based) / Encrypted Wireless
  NA
Additional Safeguard(s) in Place Prior to Event (select all that apply):
  Encryption / Locked Storage Room(s) / Locked File Cabinet(s) / Shredding Bin(s)
Brief Description of the Unauthorized Event: ______
Did this event occur at or by a Business Associate? Yes / No
BA Name: ______ / BA Address: ______ / BA Contact: ______ / Contact Phone: ______ / Contact email: ______
If yes, describe actions taken by CE: Contacted BA – BA agreed to correct / Contacted BA – BA refused to correct / Termed agreement w/BA / Other: ______
Breach Risk Tool
Notifiable breach determined – risk assessment for low probability not completed. (Skip to Breach Notification section below.)
This incident involves a use or disclosure of unsecured Protected Health Information:
The information identifies or could reasonably be expected to identify a person.
The information is about the person’s present, past or future physical or mental health, healthcare received, or payment for care.
The information was unsecured: it was usable, readable, or otherwise decipherable to any individual (i.e. electronic data was NOT encrypted, wiped, or destroyed).
If ALL boxes are checked proceed to Section 1.
Section 1: Does this incident qualify as one of the following exceptions? Answer each question in order.
Exception 1:
  a. Was this an unintentional acquisition, access, or use of PHI?
  b. By a workforce member or person acting under the authority of the CE or the CE’s BA, made in good faith, within the person’s scope of authority, and did not result in further use/disclosure in a manner not permitted by the Privacy Rule? Y N DK N/A
Exception 2:
  a. Was this an inadvertent disclosure of PHI?
  b. By a person who is authorized to access PHI at a CE, BA, or OHCA, to another person authorized to access/receive PHI at the same CE, BA, or OHCA, and did not result in further use/disclosure in a manner not permitted by the Privacy Rule? Y N DK N/A
Exception 3:
  The unauthorized recipient could not reasonably have retained the data (e.g., the data was only heard or seen momentarily or in passing). Y N DK N/A
Yes: Low Probability demonstrated – Stop
No, Don’t Know, or N/A: Low Probability fails – Continue
Section 2: Choose all options that apply for each category – total the points for all choices or check “Fail”.
Method of Disclosure: Was the PHI actually acquired or viewed?
  No: 0 pts / Verbal: 1 pt / Paper: 2 pts / Electronic: 3 pts
  Any two methods or all 3: Low Probability Fails
Recipient(s): Who was the unauthorized person who acquired or used the PHI?
  Another Covered Entity or Federal Agency obligated to comply with Privacy Act of 1974 and FISMA: 1
  Known Recipient(s): 3
  Unknown Recipient(s): Low Probability Fails
Circumstances of access, use or disclosure:
  Unintentional access, use or disclosure of PHI: 1
  All Other Circumstances: Low Probability Fails (includes loss, theft, and any intentional access, use or disclosure w/o authorization)
Disposition: What happened to the info after the acquisition, use, or disclosure?
  Returned intact/unopened/complete, or properly destroyed by facility Workforce, BA, another Covered Entity, a Federal Agency or Authorized Patient Family: 1
  Remained inside facility and returned (opened), or electronically deleted (backup status known): 2
  All Other Dispositions: Low Probability Fails (includes not returned, unable to retrieve, unknown disposition, suspicion of or actual re-disclosure)
Type of Information: Were the identifiers direct or indirect?
  No specific names – for example, only MRN, room number, photographs or other identifiers which could be re-identified based upon context: 1
  Direct Identifiers Used: Low Probability Fails
Impact Risk: What is the potential impact of the use or disclosure?
  No known or low impact risk: no sensitive clinical, financial, or personal information: 0
  All Other Potential Impact Risks: Low Probability Fails
Additional Controls for Electronic Devices (laptops, computers, handheld devices, etc.):
  Not applicable: 0
  Data determined to be Wiped (remote or auto), Destroyed, or Encrypted: 0
  Password protected only – not compromised: 1
  No Controls: Low Probability Fails
Risk Score: Low: 5 / Medium: 6 – 9 / High: 10+ / 2+ Fails: Auto-Fail – Score Preempted
Total Score: ______ / Fails: ______
Section 3: Decision
  Low: Do not notify / Medium: Consider mitigating factors / High or 2+ Fails: Notify
Notes / Mitigating Factors: ______
An evaluation of the above factors does / does not demonstrate a low probability that the PHI has been compromised.
Decision: Do Not Notify / Notify the Resident and HHS
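The Section 2 scoring and the Section 3 decision rule together form a small, deterministic calculator. The following Python is an added worked example (not part of the LTCC form) that encodes the point tables and thresholds exactly as the form lists them; the option keys such as "known" or "password_only_not_compromised" are this example's own shorthand for the form's wording. Two readings it assumes are marked in comments: "Low: 5" is taken as a score of 5 or fewer (since Medium begins at 6), and a single "Fail" is recorded but does not preempt the score, because the form names only 2+ fails as Auto-Fail.

```python
from dataclasses import dataclass
from typing import Dict, List, Union

# Sentinel for the form's "Fail" column (Low Probability Fails).
FAIL = "Fail"
Points = Union[int, str]

# Point tables transcribed from Section 2. The keys are this example's own
# shorthand for the form's option wording, not identifiers from the form.
METHOD_POINTS: Dict[str, int] = {"no": 0, "verbal": 1, "paper": 2, "electronic": 3}
RECIPIENT_POINTS: Dict[str, Points] = {
    "covered_entity_or_federal_agency": 1,  # CE or agency bound by Privacy Act / FISMA
    "known": 3,
    "unknown": FAIL,
}
CIRCUMSTANCE_POINTS: Dict[str, Points] = {"unintentional": 1, "other": FAIL}
DISPOSITION_POINTS: Dict[str, Points] = {
    "returned_intact_or_properly_destroyed": 1,
    "returned_opened_or_deleted_backup_known": 2,
    "other": FAIL,
}
IDENTIFIER_POINTS: Dict[str, Points] = {"indirect_only": 1, "direct": FAIL}
IMPACT_POINTS: Dict[str, Points] = {"none_or_low": 0, "other": FAIL}
DEVICE_CONTROL_POINTS: Dict[str, Points] = {
    "not_applicable": 0,
    "wiped_destroyed_or_encrypted": 0,
    "password_only_not_compromised": 1,
    "none": FAIL,
}


@dataclass
class Incident:
    methods: List[str]        # keys of METHOD_POINTS; several may be selected
    recipient: str
    circumstance: str
    disposition: str
    identifiers: str
    impact: str
    device_controls: str


@dataclass
class Assessment:
    score: int
    fails: List[str]
    band: str      # "Low", "Medium", "High" or "Auto-Fail"
    decision: str  # Section 3 wording


def score_incident(inc: Incident) -> Assessment:
    score = 0
    fails: List[str] = []

    # Method of disclosure: any two methods (or all three) is itself a fail;
    # otherwise the single selected method's points count.
    if not inc.methods:
        raise ValueError("at least one method of disclosure must be selected")
    if len(inc.methods) >= 2:
        fails.append("method")
    else:
        score += METHOD_POINTS[inc.methods[0]]

    # The remaining categories are single-choice: either points or a fail.
    single_choice = [
        ("recipient", RECIPIENT_POINTS, inc.recipient),
        ("circumstance", CIRCUMSTANCE_POINTS, inc.circumstance),
        ("disposition", DISPOSITION_POINTS, inc.disposition),
        ("identifiers", IDENTIFIER_POINTS, inc.identifiers),
        ("impact", IMPACT_POINTS, inc.impact),
        ("device_controls", DEVICE_CONTROL_POINTS, inc.device_controls),
    ]
    for name, table, choice in single_choice:
        pts = table[choice]
        if pts == FAIL:
            fails.append(name)
        else:
            score += pts

    # Risk score bands from the form; "2+ Fails" preempts the score.
    # Assumption: "Low: 5" means 5 or fewer, since Medium starts at 6.
    # Assumption: a single fail is reported but does not preempt the score.
    if len(fails) >= 2:
        band, decision = "Auto-Fail", "Notify"
    elif score >= 10:
        band, decision = "High", "Notify"
    elif score >= 6:
        band, decision = "Medium", "Consider mitigating factors"
    else:
        band, decision = "Low", "Do not notify"
    return Assessment(score, fails, band, decision)


if __name__ == "__main__":
    # Constructed scenario: a paper record faxed to another covered entity,
    # which returned it unopened; only an MRN, no names; low impact.
    misdirected_fax = Incident(
        methods=["paper"], recipient="covered_entity_or_federal_agency",
        circumstance="unintentional", disposition="returned_intact_or_properly_destroyed",
        identifiers="indirect_only", impact="none_or_low", device_controls="not_applicable",
    )
    print(score_incident(misdirected_fax))  # score 6, Medium: consider mitigating factors
```

The constructed misdirected-fax scenario scores 2 + 1 + 1 + 1 + 1 + 0 + 0 = 6, landing in the Medium band where the form asks the privacy officer to weigh mitigating factors before deciding; a lost unencrypted laptop with unknown recipient, direct identifiers and no device controls accumulates several fails and is an Auto-Fail regardless of its point total.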
Action Taken in Response to Event (select all that apply; if selecting “other”, describe in greater detail):
  Security/Privacy Safeguards / Policy/Procedure/Guideline Re-Education / Policy/Procedure/Guideline Updates
  Mitigation / Sanctions/Disciplinary Actions / Other
Complete Following Section if Breach Occurred
BREACH NOTIFICATION:
Law Enforcement: Was law enforcement notified? Yes / No; Who? ______ / Date ______
Request for Delay Received: Verbally? Yes / No; Date ______ / Written? Yes / No; Date Specified: ______
Delivery of Notification to Affected Parties: Written notice to be delivered via first class mail to last known address, or electronic notice via email if agreed.
Date(s) written notice mailed: ______ (Include example letter with event documents.)
Does urgency exist because of possible imminent misuse? Yes / No; If YES, how was this addressed: ______
Is there out of date contact information for 10 or more individuals? Yes / No; If YES, what substitute notice (CE website or media release) was used? ______ (Include example of substitute notice with event documents.)
HHS Notification
Did breach involve more than 500 individuals at one covered entity?
  No; IF NO, document on event log. Sign report. Maintain documentation per policy.
  Yes; IF YES, HHS Notification Date ______
Did breach involve more than 500 individuals from a state or jurisdiction?
  No; IF NO, document on event log. Sign report. Maintain documentation per policy.
  Yes; IF YES, Date(s) of prominent media outlet notification ______ (in no case > 60 calendar days after discovery)
  Names of prominent media outlets notified ______
Report Completed by:
Privacy/Security Officer’s Signature: ______ / Date: ______

©2013, The Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers and their health care affiliates for their internal use, in connection with their efforts to comply with relevant legal rules and regulations. All other reproduction, transfer and use is prohibited without the express written consent of the LTCC. Neither the LTCC nor its members make any representation that use of these materials will ensure other legal compliance.

Published 12/2013