This document was created by AuditNet® using advanced Internet search techniques.

The document is from a site which has not identified restrictions on permitted use, and we are sharing this information for the benefit of the audit community.

However, while we have attempted to provide accurate information, no representation is made or warranty given as to the completeness or accuracy of the document. In particular, you should be aware that the document may be incomplete, may contain errors, or may have become out of date.

While every reasonable precaution has been taken in the preparation of this document, neither the author nor AuditNet® assumes responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. The information contained in this document is believed to be accurate. However, no guarantee is provided. Use this information at your own risk.

Audit Program Licensing Terms

1. You accept that this product is intended for your use, and you will not duplicate in any form or manner, electronic or otherwise, copies of this product nor distribute this product to anyone else.

2. You recognize that the product and its content are the sole property of AuditNet® (the Publisher), and that we have copyrighted the product.

3. You agree that the Publisher is not responsible for any interruption of service or malfunction that is a consequence of the Internet, a service provider, personal computer, browser or other software or hardware components. You accept that there is no guarantee that this product is totally error free. You further understand and accept that the Publisher intends to provide reliable information but does not guarantee the accuracy or completeness of any information, and is not responsible for any results obtained from the use of such information.

4. This license is effective until terminated, when the license or subscription period ends without renewal, or when you destroy this product and any related documentation. The Publisher may terminate your license without notice if you fail to comply with the conditions set forth in this agreement, and may pursue any other legal recourse.
FACILITY
HIPAA Incident/Breach Investigation
Name and Title of Individual Completing this Investigation Document:

# Questions / Answers / Instructions

1. Privacy Incident Number
   Answers: (B) (NB) (FW)
   Instructions: Format: PI(facility #)-yy-mmdd

2. Date of Occurrence (date the incident actually occurred)
   Instructions: Format: mm/dd/yyyy

3. Date of Discovery (date incident was discovered by staff, Business Associate, etc.)
   Instructions: Format: mm/dd/yyyy

4. Date Incident Reported (to RCPO)
   Instructions: Format: mm/dd/yyyy

5. Privacy Incident Type
   Instructions: Use drop down menu to select response

6. Location of Incident
   Instructions: Use drop down menu to select response

7. Scope of Incident
   Instructions: Use drop down menu to select response

8. Number of Affected Individuals
   Instructions: Type in the exact number of affected individuals

9. Secured or Unsecured PHI involved
   Instructions: Use drop down menu to select response

10. Details of incident
    Instructions: Type in the details of this incident

11. Business Associate involved?
    Instructions: Use drop down menu to select response

12. If "Yes" to Question #11, complete Business Associate information tab

14. Safeguards in place prior to incident
    Answers:
    - Privacy Rule Safeguards (training, policies/procedures, etc.)
    - Security Rule Administrative Safeguards (risk analysis, risk management, etc.)
    - Security Rule Physical Safeguards (facility access controls, workstation security, etc.)
    - Security Rule Technical Safeguards (access controls, transmission security, etc.)
    - NONE
    Instructions: Place a check mark in the applicable box(es)

15. Does the incident meet an exemption?
    Instructions: Place a check mark in the applicable box(es)
    A. Good faith, unintentional acquisition, access or use by a workforce member acting under the organization's authority and within his/her scope of authority, and did not result in further use or disclosure of the PHI.
       Answers: This exemption does not apply / Exemption applies (describe in #16)
    B. Inadvertent disclosure by a person authorized to access PHI at the same Covered Entity, Business Associate, or OHCA in which the Covered Entity participates, and the information was not further used or disclosed.
       Answers: This exemption does not apply / Exemption applies (describe in #16)
    C. A disclosure of PHI where the Covered Entity or Business Associate has a good faith belief that the unauthorized individual to whom the disclosure was made would not reasonably have been able to retain such information.
       Answers: This exemption does not apply / Exemption applies (describe in #16)
    D. Data is limited to a limited data set that does not include dates of birth or zip codes.
       Answers: This exemption does not apply / Exemption applies (describe in #16)

16. If an exemption was acknowledged in #15, provide detailed information to support the exemption.
    Instructions: Document details to support the exemption

17. Comments / Additional Information
    Instructions: Document any additional comments or information concerning the incident

18. Was there a HIPAA Privacy or Security Rule violation?
    Instructions: Use drop down menu to select response

If "Yes" to Question #18, proceed to Risk Assessment.
If "No" to Question #18, incident documentation is complete.

19. If documentation is complete, list the date this incident is deemed closed.
    Instructions: Format: mm/dd/yyyy
Risk Assessment

# Questions / Answers / Instructions

Nature and Extent of the PHI

1. What is the nature and extent of PHI involved?
   Instructions: Use drop down menu to select response
   Type(s) of data compromised?
   Answers: Demographic Information / Financial Information / Clinical Information / Other
   Instructions: Place a check mark in the applicable box(es)

2. Demographic data elements compromised?
   Answers: Name / SSN / Address/ZIP / Drivers License / Other Identifier
   Financial data elements compromised?
   Answers: Credit Card/Bank Acct # / Claims Information / Other Financial Information
   Clinical data elements compromised?
   Answers: Diagnosis/Conditions / Lab Results / Medications / Other Treatment Information
   Instructions: Place a check mark in the applicable box(es)

3. If "Other" was selected as the response in #1 or #2, above, describe the type of data or data elements involved.
   Instructions: Document details to support selecting "other" in question #1 or #2

The unauthorized person who used the PHI or to whom the PHI was disclosed

4. Does the person have obligations to protect privacy and security?
   Instructions: Use drop down menu to select response
   Does the person have the ability to re-identify the PHI?
   Instructions: Use drop down menu to select response

5. Was PHI actually viewed or accessed?
   Instructions: Use drop down menu to select response

The extent to which the risk to the PHI has been mitigated.

6. What is the risk to the PHI after mitigation?
   Instructions: Use drop down menu to select response
   Can the person who received the PHI provide satisfactory assurances that the PHI will not be further used or disclosed or that it will be destroyed?
   Instructions: Document details.
   What level of effort has been expended to prevent future related issues and/or to lessen the harm of the actual breach?
   Instructions: Document details.

7. Comments or additional information concerning the Risk Assessment
   Instructions: Document any additional comments or information concerning the Risk Assessment

If a breach has occurred, proceed to Breach Notification.
If no breach has occurred, incident documentation is complete.

8. If documentation is complete, list the date this incident is deemed closed.
   Instructions: Format: mm/dd/yyyy
Breach Notification

# Questions / Answers / Instructions

1. Date Individual Notice was Provided
   Instructions: Format: mm/dd/yyyy

2. Was substitute notice required?
   Instructions: Use drop down menu to select response

3. If "Yes" on #2, describe the manner in which substitute notice was achieved.
   Instructions: Document details to support completion of substitute notice -or- type "N/A" if substitute notice was not required

4. Was media notice required?
   Instructions: Use drop down menu to select response

5. If "Yes" on #4, describe the manner in which media was notified.
   Instructions: Document details to support media notification -or- type "N/A" if media notice was not required

6. Was State Notification required?
   Instructions: Use drop down menu to select response

7. If "Yes" on #6, describe the details of the State Notification.
   Instructions: Document details to support state notification -or- type "N/A" if state notification was not required

8. Were 500 or more individuals involved in this breach?
   Instructions: Use drop down menu to select response

9. If "Yes" on #8, list the date HHS/OCR was notified of breach.
   Instructions: Format: mm/dd/yyyy or leave blank if #10 applies

10. If "No" on #8, HHS/OCR will be notified of breach at the time of annual notification, by Chief Privacy Officer.

11. Actions taken in response to breach.
    Answers:
    - Adopted encryption technologies
    - Changed password/strengthened password requirements
    - Created a new/updated Security Rule Risk Management Plan
    - Implemented new technical safeguards
    - Implemented periodic (non)technical evaluations
    - Improved physical security
    - Performed a new/updated Security Rule Risk Analysis
    - Provided BA with additional training on HIPAA requirements
    - Provided individuals with free credit monitoring
    - Revised business associate contract(s)
    - Revised policies and/or procedures
    - Sanctioned workforce member(s) involved (including termination)
    - Took steps to mitigate harm
    - Trained or retrained workforce member(s)
    - Other
    Instructions: Place a check mark in the applicable box(es)

12. If "Other" was selected in #11, describe actions taken.
    Instructions: Document details to support the actions which were taken in response to breach

13. Comments / Additional information
    Instructions: Document any additional comments or information concerning the breach

Conclusion of Breach Documentation
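The three tabs above form one decision path: #15/#16 (exemption and its supporting detail), #18 (Privacy/Security Rule violation), the Risk Assessment breach determination, and #8 to #10 (HHS/OCR timing by the 500-individual threshold). The helper below, added here as an example and not part of the AuditNet form, encodes that path for a constructed incident record and also builds and validates the #1 incident number in the form's PI(facility #)-yy-mmdd format; the regex, record keys and function names are assumptions of this example.

```python
import re
from datetime import date, datetime

# The PI(facility #)-yy-mmdd shape comes from question #1 of the form; the regex,
# the record keys and the function names are this example's own assumptions.
INCIDENT_NUMBER_RE = re.compile(r"^PI(?P<facility>\d+)-(?P<yy>\d{2})-(?P<mm>\d{2})(?P<dd>\d{2})$")
EXEMPTIONS = {"A", "B", "C", "D"}  # the four exemptions listed under question #15


def incident_number(facility: int, occurred: str) -> str:
    """Build the #1 number from the facility number and the #2 date (mm/dd/yyyy)."""
    d = datetime.strptime(occurred, "%m/%d/%Y")
    return f"PI{facility}-{d:%y}-{d:%m%d}"


def valid_incident_number(value: str) -> bool:
    """Check the PI(facility #)-yy-mmdd shape and that mmdd is a real calendar date."""
    m = INCIDENT_NUMBER_RE.match(value)
    if not m:
        return False
    try:
        date(2000 + int(m["yy"]), int(m["mm"]), int(m["dd"]))
    except ValueError:
        return False
    return True


def route_incident(rec: dict) -> dict:
    """Walk the form's gates for one incident record (a constructed dict).

    Keys: 'exemptions' (subset of A-D, #15), 'exemption_details' (#16),
    'rule_violation' (#18), 'breach_occurred' (Risk Assessment outcome)
    and 'affected_individuals' (#8).
    """
    out = {"stage": "investigation", "hhs_ocr_notice": None, "issues": []}
    claimed = set(rec.get("exemptions", [])) & EXEMPTIONS
    if claimed and not rec.get("exemption_details", "").strip():
        out["issues"].append("#15 exemption claimed but #16 has no supporting detail")
    if not rec.get("rule_violation", False):
        out["stage"] = "closed: no Privacy/Security Rule violation (#18 = No)"
        return out
    if not rec.get("breach_occurred", False):
        out["stage"] = "closed: risk assessment found no breach"
        return out
    out["stage"] = "breach notification"
    # #8-#10: 500 or more individuals means HHS/OCR is notified now (#9); fewer are
    # reported with the annual notification by the Chief Privacy Officer (#10).
    n = int(rec.get("affected_individuals", 0))
    out["hhs_ocr_notice"] = "immediate (#9)" if n >= 500 else "annual (#10)"
    return out
```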


Affected Individuals

Columns: First Name | Last Name | Account # | Date of Birth (important to identify any minor patients who have been affected) | Address | City | State | Zip Code | Notification failed?