Breach Decision Matrix

$37.00

The Breach Decision Matrix is a structured decision-support tool for determining whether an incident involving protected health information constitutes a reportable breach under 45 CFR Part 164 Subpart D. It guides privacy officers and compliance teams through the four-factor risk assessment required by the HIPAA Breach Notification Rule, with a clear path to a documented, defensible determination.

This template is also included in Breach Documentation Kit, Compliance Essentials and Program in a Box.


HIPAA Breach Notification Rule — 45 CFR 164.402 | Editable Word Template

When an incident involving protected health information occurs, the first question compliance teams must answer is whether the incident constitutes a reportable breach. The Breach Decision Matrix provides a structured, step-by-step framework for working through that determination, grounded in the four-factor low probability of compromise analysis required under the HIPAA Breach Notification Rule.

The matrix is built to support real-time incident response and to produce a written record that documents the basis for the determination, whether the conclusion is a reportable breach, a non-reportable incident, or inconclusive pending further investigation. That documentation is essential for audit defense and for demonstrating good-faith compliance with 45 CFR 164.402 through 164.414.

What Is Included

  • Incident classification section for identifying the type and scope of the incident
  • Structured four-factor risk assessment aligned to 45 CFR 164.402(2): nature and extent of PHI, identity of unauthorized recipient, whether PHI was actually acquired or viewed, and extent to which risk has been mitigated
  • Exclusion analysis section covering the three categories of incidents that do not constitute breaches under 45 CFR 164.402(1)
  • Determination field with space for a written rationale and signature
  • Cross-reference fields for linking to the Incident Report Form, Breach Investigation Procedures, and Incident Tracking Log
  • Instructions for use and regulatory guidance notes

Who This Is For

Privacy officers, compliance officers, security officers, and legal counsel at covered entities and business associates who are responsible for investigating incidents and making breach determination decisions. Also appropriate for organizations building or upgrading a formal breach response program.

Delivered as an editable Microsoft Word (.docx) file. Available immediately after purchase.