HIPAA Breach Risk Assessment
A four-factor risk assessment template for evaluating unauthorized use or disclosure of PHI and determining whether breach notification is required.
Incident Overview
- Incident date and time recorded: Document when the unauthorized use or disclosure occurred or was discovered.
- Incident type identified: Classify the event as unauthorized use, unauthorized disclosure, loss, theft, misdirected communication, improper access, or other.
- PHI involved confirmed: Confirm whether the incident involved protected health information.
- Incident summary documented: Provide a concise factual summary of what happened, including the systems, documents, or communications involved.
- Discovery source identified: Identify how the incident was discovered.
- Incident report reference number: Enter the internal case, ticket, or incident reference number.
Factor 1: Nature and Extent of PHI
- PHI identifiers included: Select the types of identifiers present in the disclosed or accessed information.
- Minimum necessary standard applied: Determine whether the PHI involved was limited to the minimum necessary information for the intended purpose.
- Sensitivity of PHI assessed: Rate the sensitivity of the PHI involved and the potential harm associated with it.
- Volume of PHI involved: Enter the approximate number of records, files, or data subjects affected.
- Likelihood of re-identification evaluated: Assess whether the information could reasonably be used to identify the individual if it was not fully de-identified.
- PHI was encrypted or otherwise secured: Indicate whether the PHI was secured using an approved encryption or equivalent protection method at the time of the incident.
Factor 2: Unauthorized Person
- Recipient identity determined: Identify the unauthorized person or entity that received or accessed the PHI.
- Recipient had authorization to receive PHI: Confirm whether the recipient was authorized under policy, contract, or role to receive the PHI.
- Recipient relationship to covered entity assessed: Describe the recipient's role, contractual relationship, or other relevant connection to the covered entity or business associate.
- Recipient confidentiality obligations confirmed: Determine whether the recipient is bound by confidentiality obligations, privacy agreements, or legal restrictions.
- Potential for further disclosure assessed: Rate the likelihood that the recipient could further use or disclose the PHI inappropriately.
Factor 3: Actual Acquisition or Viewing
- Evidence of access reviewed: Review logs, email tracking, access records, or other evidence to determine whether the PHI was accessed.
- Actual viewing confirmed: Confirm whether the PHI was actually viewed or acquired by the unauthorized person.
- Evidence source documented: Select the evidence used to support the determination.
- Time to containment documented: Enter the approximate number of hours from discovery to containment or access restriction.
- Access successfully terminated or restricted: Confirm whether access was terminated, revoked, or otherwise restricted after discovery.
Factor 4: Mitigation and Notification Determination
- Mitigation steps completed: Select all mitigation actions taken to reduce the risk of compromise.
- Residual risk after mitigation assessed: Rate the risk that remains after the mitigation actions were completed.
- Breach notification determination: Document the final determination of whether notification is required, based on the four-factor assessment.
- Notification deadline calculated: If notification is required, record the deadline for each required notification.
- Corrective action plan initiated: Confirm whether a corrective action plan, policy update, or retraining plan has been initiated.
Review, Approval, and References
- Privacy officer or compliance reviewer approval: Signature of the privacy officer, compliance officer, or designated reviewer approving the assessment.
- Legal counsel consulted: Indicate whether legal counsel was consulted for the final determination.
- Reference document: Record the applicable HIPAA breach risk assessment policy, incident response SOP, or legal memo reference.