
HIPAA Breach Risk Assessment

Use this HIPAA Breach Risk Assessment template to document the four-factor analysis for a suspected PHI incident and decide whether breach notification is required. It keeps the review defensible, consistent, and ready for privacy officer sign-off.


Built for: Hospitals And Health Systems · Physician Practices · Behavioral Health Clinics · Dental Offices · Home Health And Hospice

Overview

This HIPAA Breach Risk Assessment template documents the four-factor review used after a suspected unauthorized use or disclosure of PHI. It gives privacy, compliance, and legal teams a structured way to record the incident facts, assess the nature of the PHI, evaluate the recipient, confirm whether the information was actually acquired or viewed, and determine whether breach notification is required.

Use it when an incident involves PHI and the organization needs a defensible decision on whether the event rises to a reportable breach. It works well for misdirected emails, paper record exposure, lost devices, unauthorized access, fax errors, and vendor-related disclosures. The template is also useful when facts are still developing, because it separates the incident narrative from the factor-by-factor analysis and the final approval.

Do not use it for routine operational issues that do not involve PHI, or for incidents that are already fully resolved with no privacy impact. It is also not a substitute for legal advice when state breach laws, contractual notice obligations, or business associate responsibilities may apply. The strongest use of this template is as a single record that captures the facts, the mitigation steps, the notification deadline, and the reviewer’s rationale in one place.

Standards & compliance context

  • This template supports HIPAA privacy breach assessment workflows by organizing the facts needed to evaluate whether an unauthorized use or disclosure of PHI is a reportable breach.
  • It aligns with common healthcare privacy governance practices that require documented review, mitigation, and approval before notification decisions are finalized.
  • If your organization follows state breach notification laws, the same record can help support parallel notification analysis and deadline tracking.
  • When business associates are involved, the template helps document recipient status, contractual obligations, and downstream disclosure risk.
  • The structure also supports audit trails expected in formal compliance programs and corrective action systems.

General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.

What's inside this template

Incident Overview

This section captures the core facts of the event so the rest of the assessment is anchored to a clear incident record.

  • Incident date and time recorded (critical · weight 2.0)
    Document when the unauthorized use or disclosure occurred or was discovered.
  • Incident type identified (critical · weight 2.0)
    Classify the event as unauthorized use, unauthorized disclosure, loss, theft, misdirected communication, improper access, or other.
  • PHI involved confirmed (critical · weight 3.0)
    Confirm whether the incident involved protected health information.
  • Incident summary documented (weight 2.0)
    Provide a concise factual summary of what happened, including systems, documents, or communications involved.
  • Discovery source identified (weight 2.0)
    Identify how the incident was discovered.
  • Incident report reference number (weight 1.0)
    Enter the internal case, ticket, or incident reference number.

Factor 1: Nature and Extent of PHI

This section measures how sensitive, identifiable, and extensive the PHI exposure was, which is central to the breach analysis.

  • PHI identifiers included (critical · weight 4.0)
    Select the types of identifiers present in the disclosed or accessed information.
  • Minimum necessary standard applied (weight 3.0)
    Determine whether the PHI involved was limited to the minimum necessary information for the intended purpose.
  • Sensitivity of PHI assessed (critical · weight 4.0)
    Rate the sensitivity and potential harm associated with the PHI involved.
  • Volume of PHI involved (weight 3.0)
    Enter the approximate number of records, files, or data subjects affected.
  • Likelihood of re-identification evaluated (critical · weight 4.0)
    Assess whether the information could reasonably be used to identify the individual if not fully de-identified.
  • PHI was encrypted or otherwise secured (weight 2.0)
    Indicate whether the PHI was secured using an approved encryption or equivalent protection method at the time of the incident.

Factor 2: Unauthorized Person

This section focuses on who received the PHI and whether that person was actually permitted to have it or likely to keep it confidential.

  • Recipient identity determined (critical · weight 4.0)
    Identify the unauthorized person or entity that received or accessed the PHI.
  • Recipient had authorization to receive PHI (critical · weight 4.0)
    Confirm whether the recipient was authorized under policy, contract, or role to receive the PHI.
  • Recipient relationship to covered entity assessed (weight 2.0)
    Describe the recipient's role, contractual relationship, or other relevant connection to the covered entity or business associate.
  • Recipient confidentiality obligations confirmed (weight 2.0)
    Determine whether the recipient is bound by confidentiality obligations, privacy agreements, or legal restrictions.
  • Potential for further disclosure assessed (weight 4.0)
    Rate the likelihood that the recipient could further use or disclose the PHI inappropriately.

Factor 3: Actual Acquisition or Viewing

This section tests whether the PHI was truly accessed or seen, rather than merely exposed in theory.

  • Evidence of access reviewed (critical · weight 4.0)
    Review logs, email tracking, access records, or other evidence to determine whether the PHI was accessed.
  • Actual viewing confirmed (critical · weight 4.0)
    Confirm whether the PHI was actually viewed or acquired by the unauthorized person.
  • Evidence source documented (weight 3.0)
    Select the evidence used to support the determination.
  • Time to containment documented (weight 2.0)
    Enter the approximate number of hours from discovery to containment or access restriction.
  • Access successfully terminated or restricted (weight 2.0)
    Confirm whether access was terminated, revoked, or otherwise restricted after discovery.

Factor 4: Mitigation and Notification Determination

This section records what was done to reduce risk and whether the remaining risk still requires breach notification.

  • Mitigation steps completed (critical · weight 4.0)
    Select all mitigation actions taken to reduce the risk of compromise.
  • Residual risk after mitigation assessed (critical · weight 4.0)
    Rate the remaining risk after mitigation actions were completed.
  • Breach notification required determination (critical · weight 4.0)
    Document the final determination based on the four-factor assessment.
  • Notification deadline calculated (weight 2.0)
    If notification is required, record the deadline for required notifications.
  • Corrective action plan initiated (weight 1.0)
    Confirm whether a corrective action plan, policy update, or retraining plan has been initiated.

Review, Approval, and References

This section closes the loop with accountability, legal review, and source documentation for audit readiness.

  • Privacy officer or compliance reviewer approval (critical · weight 1.0)
    Signature of the privacy officer, compliance officer, or designated reviewer approving the assessment.
  • Legal counsel consulted (weight 1.0)
    Indicate whether legal counsel was consulted for the final determination.
  • Reference document (weight 1.0)
    Record the applicable HIPAA breach risk assessment policy, incident response SOP, or legal memo reference.

How to use this template

  1. Record the incident overview immediately, including date, time, discovery source, incident type, PHI involved, and the internal report reference number.
  2. Complete Factor 1 by listing the PHI identifiers, the volume and sensitivity of the data, whether the minimum necessary standard was met, and whether the PHI was encrypted or otherwise secured.
  3. Complete Factor 2 by identifying the unauthorized recipient, confirming whether they were authorized to receive the PHI, and documenting any confidentiality obligations or disclosure risks.
  4. Complete Factor 3 by reviewing logs, emails, witness statements, or device evidence to determine whether the PHI was actually acquired or viewed and when access was contained.
  5. Complete Factor 4 by documenting mitigation steps, assessing residual risk, calculating any notification deadline, and assigning corrective actions before routing the assessment for approval.
  6. Obtain privacy officer, compliance, and legal review as needed, then attach supporting evidence and finalize the reference record for audit readiness.

Best practices

  • Document the facts as soon as the incident is discovered, before memory fades or logs roll over.
  • Describe the PHI specifically, such as diagnosis, account numbers, or treatment details, rather than writing only "patient information."
  • Use objective evidence for actual viewing or acquisition, including system logs, email headers, access records, or witness statements.
  • Treat encryption status as a key decision point and record whether the data was secured at rest or in transit.
  • Calculate the notification deadline from the date the incident was discovered, not the date it occurred, and record the basis for the calculation.
  • Separate mitigation actions from the breach decision so the reviewer can see what changed the residual risk.
  • Escalate uncertain cases to privacy counsel when the recipient, access evidence, or notification trigger is unclear.

What this template typically catches

Issues teams running this template most often surface in practice:

  • Misdirected email sent to an unauthorized recipient without confirmation of deletion or non-disclosure.
  • Lost or stolen device with PHI that was not encrypted or otherwise secured.
  • Paper records left visible in a public area, break room, or shared workspace.
  • EHR access by a workforce member who had no treatment, payment, or operations need to view the record.
  • Fax or scan sent to the wrong number or inbox with no evidence the recipient destroyed the PHI.
  • Incomplete documentation of who received the PHI and whether they were bound by confidentiality obligations.
  • Failure to record containment timing, which weakens the actual acquisition or viewing analysis.
  • Notification deadline not calculated or not tied to the discovery date.

Common use cases

Privacy Officer Review of a Misdirected Email

A privacy officer uses the template to document a patient email sent to the wrong address, confirm what PHI was included, and determine whether the recipient actually viewed the message. The completed assessment supports the notification decision and any follow-up training for staff.

Compliance Lead Review of a Lost Laptop

An incident reviewer documents whether the device was encrypted, what PHI may have been stored locally, and whether remote wipe or access termination reduced the risk. The template helps show why notification was or was not required.

Behavioral Health Clinic Disclosure Review

A clinic team uses the assessment after a paper chart or intake form is exposed in a shared area. The form captures the sensitivity of the PHI and the likelihood of re-identification, which is especially important for mental health records.

Health System Vendor Incident Assessment

A covered entity reviews a business associate disclosure involving PHI sent to the wrong vendor contact or subcontractor. The template documents recipient status, confidentiality obligations, and whether downstream disclosure risk remains after mitigation.

Frequently asked questions

What incidents should this template be used for?

Use it for suspected unauthorized use or disclosure of PHI, including misdirected emails, lost devices, improper access, paper record exposure, or accidental disclosures to the wrong recipient. It is designed for incidents that need a documented breach risk assessment, not routine privacy complaints or general security audits. If the event involves PHI and there is uncertainty about breach status, this template helps you record the facts and decision path.

Does this template determine whether a HIPAA breach occurred?

It supports the breach risk assessment process by organizing the facts needed to make that determination. The template does not replace legal review, but it captures the four factors commonly used to evaluate the likelihood that PHI was compromised. That makes the final decision easier to defend if regulators, patients, or auditors ask how it was reached.

Who should complete the assessment?

A privacy officer, compliance lead, or designated incident reviewer should complete it, with input from IT, security, operations, and legal as needed. The person filling it out should be able to verify the incident timeline, the PHI involved, who received it, and what containment steps were taken. Final approval is typically best handled by the privacy officer or another accountable reviewer.

How often is this template used?

It is used each time a reportable or potentially reportable PHI incident occurs. In practice, that means every suspected breach gets its own completed assessment, even if the outcome is that notification is not required. Reusing the same form across incidents helps create a consistent record for trend review and corrective action.

What regulations or standards does it align with?

The template is aligned to HIPAA privacy and breach assessment workflows and supports documentation expected under healthcare compliance programs. It also fits broader privacy governance practices used in ISO 9001-style corrective action systems and formal incident review processes. If your organization also follows state breach laws, the same record can help support those notification decisions too.

What are the most common mistakes when using it?

The biggest mistake is treating the assessment like a yes/no checklist without documenting the facts behind each factor. Another common issue is failing to record containment timing, which makes the residual-risk analysis weaker. Teams also sometimes skip legal review when notification deadlines may apply, or they leave the PHI description too vague to support the decision.

Can this template be customized for different incident types?

Yes. You can tailor the incident overview and factor prompts for email misdelivery, lost laptops, paper chart exposure, fax errors, portal access issues, or vendor incidents. The four-factor structure should stay intact, but the evidence fields and corrective actions can be adjusted to match your workflow and escalation path.

How does this compare with an ad hoc incident memo?

An ad hoc memo often captures the story of the incident but misses the structured analysis needed for a breach decision. This template forces the reviewer to address the nature of the PHI, the recipient, whether actual access occurred, and what mitigation changed the risk. That makes the result easier to audit, approve, and revisit later if new facts emerge.

What should be attached to the completed assessment?

Attach the incident report, screenshots or logs, email headers, access records, witness statements, mitigation evidence, and any legal or privacy review notes. If notification is required, include the deadline calculation and the final approval record. Those attachments make the assessment more than a summary and help show how the conclusion was reached.

Ready to use this template?

Get started with MangoApps and use HIPAA Breach Risk Assessment with your team — pricing built for small business.
