Description
Not every security or privacy incident is a reportable breach under HIPAA. Determining which ones are requires a documented, consistent evaluation process.
The HIPAA Breach Risk Assessment Form gives your organization a structured tool for applying the four-factor "low probability of compromise" analysis defined in the Breach Notification Rule at 45 CFR 164.402. Under that rule, an impermissible use or disclosure of unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance) is presumed to be a breach unless the organization can demonstrate, based on the four factors, a low probability that the PHI has been compromised. When an incident involves unsecured protected health information, this form walks your team through that demonstration in a way that creates a clear, defensible record.
OCR investigators pay close attention to how organizations decided whether a reportable breach occurred, and the burden of proof for a "no breach" determination rests with the covered entity or business associate (45 CFR 164.414(b)). A well-documented risk assessment is evidence that your organization followed the required process and reached its conclusion on the facts of the incident. This form makes that process consistent and repeatable across incidents.
What This Template Covers
- Incident description and PHI identification fields
- Four-factor breach risk analysis framework, tracking the factors listed in 45 CFR 164.402(2):
  - Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  - The unauthorized person who used the PHI or to whom it was disclosed
  - Whether the PHI was actually acquired or viewed
  - Extent to which the risk to the PHI has been mitigated
- Determination fields covering reportable breach versus no breach
- Reviewer attestation, signature blocks, and retention documentation
- Guidance notes aligned to HHS Office for Civil Rights breach assessment guidance
Who This Is For
Privacy officers, security officers, compliance teams, and legal counsel at covered entities and business associates who need a consistent, audit-ready process for incident triage and breach determination.
Delivered as an editable Microsoft Word (.docx) file. Available immediately after purchase.