HIPAA SECURITY/PRIVACY INCIDENT REPORT FORM
INTERNAL INCIDENT DOCUMENTATION
REPORT IDENTIFICATION
Incident Report Number: [________________________________]
Date of Report: [__/__/____]
Time of Report: [____:____] ☐ AM ☐ PM
Reported By: [________________________________]
Reporter's Department: [________________________________]
Reporter's Phone: [________________________________]
Reporter's Email: [________________________________]
SECTION 1: INCIDENT CLASSIFICATION
1.1 Type of Incident
Primary Classification:
☐ Security Incident - Attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations
☐ Privacy Incident - Unauthorized use or disclosure of protected health information (PHI)
☐ Potential Breach - Acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule that compromises the security or privacy of the PHI
☐ Near Miss - Event that could have resulted in an incident but did not
1.2 Incident Category
Select all that apply:
Unauthorized Access/Disclosure:
☐ Unauthorized access to PHI/ePHI
☐ Unauthorized disclosure of PHI/ePHI
☐ Snooping/inappropriate access by workforce member
☐ Improper disposal of PHI/ePHI
☐ Misdirected communication (fax, email, mail)
☐ Lost or stolen device containing ePHI
☐ Lost or stolen paper records
☐ Verbal disclosure in public area
Technical/System Events:
☐ Hacking/IT incident
☐ Malware/ransomware/virus
☐ Phishing attack (successful)
☐ Phishing attack (attempted)
☐ System breach/intrusion
☐ Denial of service attack
☐ Unauthorized system modification
☐ Data integrity issue
Physical Security:
☐ Theft of equipment
☐ Theft of records
☐ Break-in/unauthorized facility access
☐ Improper workstation access
☐ Tailgating/unauthorized entry
Administrative:
☐ Policy violation
☐ Failure to obtain authorization
☐ Failure to provide required notice
☐ Access rights not terminated timely
☐ Business associate incident
☐ Training deficiency
☐ Other: [________________________________]
1.3 Severity Assessment (Initial)
☐ Critical - Confirmed breach affecting 500+ individuals or involving sensitive data
☐ High - Likely breach affecting multiple individuals
☐ Medium - Potential incident requiring investigation
☐ Low - Minor incident, no PHI exposure suspected
☐ Unknown - Severity cannot be determined at this time
SECTION 2: INCIDENT DETAILS
2.1 Incident Discovery
Date Incident Discovered: [__/__/____]
Time Incident Discovered: [____:____] ☐ AM ☐ PM
Date Incident Occurred (if different): [__/__/____]
Time Incident Occurred: [____:____] ☐ AM ☐ PM
How Was the Incident Discovered?
☐ System alert/automated monitoring
☐ Employee report
☐ Patient/member complaint
☐ Audit/review
☐ Business associate notification
☐ Law enforcement notification
☐ Media report
☐ Other: [________________________________]
Discovery Details:
[________________________________]
[________________________________]
[________________________________]
2.2 Incident Description
Provide a detailed description of the incident:
What happened?
[________________________________]
[________________________________]
[________________________________]
[________________________________]
Where did it happen? (Location/System)
[________________________________]
[________________________________]
Who was involved? (Do not include patient information here)
[________________________________]
[________________________________]
2.3 Systems/Locations Involved
Physical Locations:
| Location | Address | Type |
|---|---|---|
| [________________________________] | [________________________________] | ☐ Office ☐ Facility ☐ Remote ☐ Other |
| [________________________________] | [________________________________] | ☐ Office ☐ Facility ☐ Remote ☐ Other |
Systems/Applications Involved:
| System Name | Type | Contains ePHI? |
|---|---|---|
| [________________________________] | [________________________________] | ☐ Yes ☐ No ☐ Unknown |
| [________________________________] | [________________________________] | ☐ Yes ☐ No ☐ Unknown |
| [________________________________] | [________________________________] | ☐ Yes ☐ No ☐ Unknown |
Devices Involved:
☐ Desktop computer
☐ Laptop computer
☐ Tablet
☐ Smartphone
☐ Server
☐ Medical device
☐ External hard drive/USB
☐ Paper records
☐ Network/infrastructure
☐ Email system
☐ Cloud service
☐ Other: [________________________________]
Device Details (if applicable):
| Device Type | Make/Model | Serial # | Encrypted? |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No ☐ Unknown |
| [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No ☐ Unknown |
SECTION 3: PROTECTED HEALTH INFORMATION INVOLVED
3.1 PHI Exposure Assessment
Was PHI potentially accessed, acquired, used, or disclosed?
☐ Yes
☐ No
☐ Unknown - Under Investigation
If Yes or Unknown, complete the following:
3.2 Types of PHI Potentially Involved
☐ Names
☐ Dates (DOB, admission, discharge, death)
☐ Telephone numbers
☐ Geographic data (address, zip code)
☐ FAX numbers
☐ Email addresses
☐ Social Security numbers
☐ Medical record numbers
☐ Health plan beneficiary numbers
☐ Account numbers
☐ Certificate/license numbers
☐ Vehicle identifiers/serial numbers
☐ Device identifiers/serial numbers
☐ Web URLs
☐ IP addresses
☐ Biometric identifiers
☐ Full-face photographs
☐ Diagnosis/clinical information
☐ Treatment information
☐ Prescription/medication information
☐ Laboratory results
☐ Financial/billing information
☐ Insurance information
☐ Other: [________________________________]
3.3 Sensitive Information Categories
Did the incident involve any of the following sensitive categories?
☐ HIV/AIDS information
☐ Mental health/psychiatric information
☐ Substance abuse treatment information
☐ Genetic information
☐ Sexual/reproductive health information
☐ Communicable disease information
☐ Minor's records (special protections)
☐ None of the above
☐ Unknown
3.4 Individuals Potentially Affected
Estimated Number of Individuals Affected:
☐ 1
☐ 2-10
☐ 11-50
☐ 51-100
☐ 101-499
☐ 500 or more
☐ Unknown
Specific number (if known): [________________________________]
Affected Population:
☐ Patients
☐ Employees
☐ Health plan members
☐ Research subjects
☐ Deceased individuals
☐ Other: [________________________________]
SECTION 4: PERSONNEL INVOLVED
4.1 Workforce Members Involved in Incident
| Name | Title | Department | Role in Incident |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
4.2 Third Parties Involved
Business Associates:
| Organization Name | Contact | Role |
|---|---|---|
| [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] |
Other Third Parties:
| Name/Organization | Relationship | Contact |
|---|---|---|
| [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] |
SECTION 5: IMMEDIATE RESPONSE ACTIONS
5.1 Initial Containment Actions Taken
Date/Time of Initial Response: [__/__/____] [____:____] ☐ AM ☐ PM
Actions Taken (check all that apply):
☐ Secured/isolated affected systems
☐ Changed passwords/credentials
☐ Disabled user access
☐ Recovered lost/stolen device
☐ Implemented remote wipe on device
☐ Contacted law enforcement
☐ Preserved evidence/logs
☐ Notified IT/Security team
☐ Notified Privacy Officer
☐ Notified Security Officer
☐ Notified management/leadership
☐ Notified legal counsel
☐ Initiated forensic investigation
☐ Other: [________________________________]
Description of Immediate Actions:
[________________________________]
[________________________________]
[________________________________]
5.2 Evidence Preservation
Evidence Preserved:
☐ System logs
☐ Access logs
☐ Audit trails
☐ Email communications
☐ Screenshots
☐ Physical evidence
☐ Witness statements
☐ Device images/forensic copies
☐ Video/surveillance footage
☐ Other: [________________________________]
Evidence Chain of Custody:
| Item | Collected By | Date/Time | Storage Location |
|---|---|---|---|
| [________________________________] | [________________________________] | [__/__/____] | [________________________________] |
| [________________________________] | [________________________________] | [__/__/____] | [________________________________] |
| [________________________________] | [________________________________] | [__/__/____] | [________________________________] |
SECTION 6: BREACH RISK ASSESSMENT
6.1 Four-Factor Breach Assessment
Per 45 CFR § 164.402(2), assess the following factors to determine if the incident constitutes a breach:
Factor 1: Nature and Extent of PHI Involved
What types of identifiers and clinical information were involved?
[________________________________]
[________________________________]
Risk Level: ☐ High ☐ Medium ☐ Low
Factor 2: Unauthorized Person Who Used or Received the PHI
Who received or accessed the PHI? What is their role/relationship?
[________________________________]
[________________________________]
Risk Level: ☐ High ☐ Medium ☐ Low
Factor 3: Whether PHI Was Actually Acquired or Viewed
Was the PHI actually acquired or viewed, or is there evidence it was not?
[________________________________]
[________________________________]
Risk Level: ☐ High ☐ Medium ☐ Low
Factor 4: Extent to Which Risk Has Been Mitigated
What steps have been taken to mitigate the risk of harm?
[________________________________]
[________________________________]
Risk Level: ☐ High ☐ Medium ☐ Low
6.2 Breach Determination
Based on the risk assessment above:
☐ Breach - There is more than a low probability that PHI has been compromised
☐ Not a Breach - There is a low probability that PHI has been compromised (document basis)
☐ Pending - Additional investigation required before determination
Rationale for Determination:
[________________________________]
[________________________________]
[________________________________]
Determination Made By: [________________________________]
Title: [________________________________]
Date: [__/__/____]
SECTION 7: NOTIFICATIONS
7.1 Internal Notifications
| Person/Role | Name | Date Notified | Method |
|---|---|---|---|
| Privacy Officer | [________________________________] | [__/__/____] | [________________________________] |
| Security Officer | [________________________________] | [__/__/____] | [________________________________] |
| Legal Counsel | [________________________________] | [__/__/____] | [________________________________] |
| Senior Management | [________________________________] | [__/__/____] | [________________________________] |
| Human Resources | [________________________________] | [__/__/____] | [________________________________] |
| Risk Management | [________________________________] | [__/__/____] | [________________________________] |
7.2 External Notifications (if breach confirmed)
| Notification Type | Date Required | Date Completed | Method |
|---|---|---|---|
| Affected Individuals | [__/__/____] | [__/__/____] | [________________________________] |
| HHS Secretary | [__/__/____] | [__/__/____] | [________________________________] |
| State AG (if required) | [__/__/____] | [__/__/____] | [________________________________] |
| Media (500+ in state) | [__/__/____] | [__/__/____] | [________________________________] |
| Business Associate | [__/__/____] | [__/__/____] | [________________________________] |
SECTION 8: INVESTIGATION AND RESOLUTION
8.1 Investigation Status
Investigation Status:
☐ Not Started
☐ In Progress
☐ Completed
☐ Closed
Lead Investigator: [________________________________]
Investigation Start Date: [__/__/____]
Investigation Completion Date: [__/__/____]
8.2 Investigation Findings
Summary of Findings:
[________________________________]
[________________________________]
[________________________________]
[________________________________]
Root Cause(s) Identified:
☐ Human error
☐ Policy/procedure failure
☐ Technical failure
☐ Physical security failure
☐ Training deficiency
☐ Malicious insider
☐ External attack
☐ Business associate failure
☐ Other: [________________________________]
8.3 Corrective Actions
| Action | Description | Responsible Party | Due Date | Status |
|---|---|---|---|---|
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
8.4 Disciplinary Action (if applicable)
☐ No disciplinary action required
☐ Disciplinary action taken (document separately in HR records)
☐ Pending HR review
SECTION 9: APPROVALS AND SIGN-OFF
Incident Report Completion
Report Completed By:
Signature: [________________________________]
Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
Privacy Officer Review:
Signature: [________________________________]
Name: [________________________________]
Date: [__/__/____]
Comments: [________________________________]
Security Officer Review:
Signature: [________________________________]
Name: [________________________________]
Date: [__/__/____]
Comments: [________________________________]
Final Approval:
Signature: [________________________________]
Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
SECTION 10: INCIDENT CLOSURE
Closure Date: [__/__/____]
Closure Status:
☐ Resolved - No breach
☐ Resolved - Breach, notifications completed
☐ Resolved - Corrective actions implemented
☐ Closed - Referred to law enforcement
☐ Closed - Other: [________________________________]
Lessons Learned:
[________________________________]
[________________________________]
[________________________________]
Follow-up Required:
☐ Yes - Date: [__/__/____]
☐ No
DOCUMENT RETENTION
This incident report and all supporting documentation must be retained for a minimum of six (6) years from the date of creation or the date when it was last in effect, whichever is later, in accordance with 45 CFR § 164.530(j) and § 164.316(b)(2)(i).