Run: HIPAA Breach Risk Assessment

Use this HIPAA Breach Risk Assessment template to document the four-factor analysis for a suspected PHI incident and decide whether breach notification is re...

Incident Overview

Document when the unauthorized use or disclosure occurred or was discovered.
Classify the event as unauthorized use, unauthorized disclosure, loss, theft, misdirected communication, improper access, or other.
Confirm whether the incident involved protected health information.
Provide a concise factual summary of what happened, including systems, documents, or communications involved.
Identify how the incident was discovered.
Enter the internal case, ticket, or incident reference number.

Factor 1: Nature and Extent of PHI

Select the types of identifiers present in the disclosed or accessed information.
Determine whether the PHI involved was limited to the minimum necessary information for the intended purpose.
Rate the sensitivity and potential harm associated with the PHI involved.
Enter the approximate number of records, files, or data subjects affected.
Assess whether the information could reasonably be used to identify the individual if not fully de-identified.
Indicate whether the PHI was secured using an approved encryption or equivalent protection method at the time of the incident.

Factor 2: Unauthorized Person

Identify the unauthorized person or entity that received or accessed the PHI.
Confirm whether the recipient was authorized under policy, contract, or role to receive the PHI.
Describe the recipient's role, contractual relationship, or other relevant connection to the covered entity or business associate.
Determine whether the recipient is bound by confidentiality obligations, privacy agreements, or legal restrictions.
Rate the likelihood that the recipient could further use or disclose the PHI inappropriately.

Factor 3: Actual Acquisition or Viewing

Review logs, email tracking, access records, or other evidence to determine whether the PHI was accessed.
Confirm whether the PHI was actually viewed or acquired by the unauthorized person.
Select the evidence used to support the determination.
Enter the approximate number of hours from discovery to containment or access restriction.
Confirm whether access was terminated, revoked, or otherwise restricted after discovery.

Factor 4: Mitigation and Notification Determination

Select all mitigation actions taken to reduce the risk of compromise.
Rate the remaining risk after mitigation actions were completed.
Document the final determination based on the four-factor assessment.
If notification is required, record the deadline for each required notification.
Confirm whether a corrective action plan, policy update, or retraining plan has been initiated.

Review, Approval, and References

Signature of the privacy officer, compliance officer, or designated reviewer approving the assessment.
Indicate whether legal counsel was consulted for the final determination.
Record the applicable HIPAA breach risk assessment policy, incident response SOP, or legal memo reference.
