HIPAA Security Breach Reporting Checklist

Security breaches in the healthcare industry are, unfortunately, all too common.

"Between 2009 and 2019 there have been 3,054 healthcare data breaches involving more than 500 records. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 230,954,151 healthcare records. That equates to more than 69.78% of the population of the United States. In 2019, healthcare data breaches were reported at a rate of 1.4 per day." - HIPAA Journal, Healthcare Data Breach Statistics

With the risk of breach being so high, its imperative that both covered entities and business associates take the appropriate measures to identify and report breaches as early as possible.

Currently, the figures suggest that not enough is being done.

"What’s worse is that it took the breached US organizations an average of 245 days to identify and contain a breach. However, the report tied breach response directly to cost saving. Organizations that detected and contained the breach in less than 200 days spent $1.2 million less on total breach costs." - Jessica Davis, Data Breaches Cost Healthcare $6.5M, or $429 Per Patient Record

This checklist template has been built to help you identify and report data breaches as efficiently as possible.

Our dynamic due dates feature will ensure that you file a notice to the secretary of the HHS within 60 days, while conditional logic will automatically customize the checklist depending on whether you are the covered entity or a business associate, and whether the breach affected more or less than 500 individuals.

Lets get going!

A little info about Process Street

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

First, enter some basic details regarding your organization and the individual responsible for managing IT security.

In the form field below, provide a concise summary of how the breach was initially discovered. 

This should be written by the individual who discovered the breach, or transcribed as it is described verbally. 

Detail the nature and extent of the PHI involved. 

Provide basic details regarding the unauthorized individual who used the PHI or to whom the disclosure was made.

Determine whether the PHI was actually acquired or viewed by the unauthorized person. 

A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. 

If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate.

Breaches affecting 500 or more individuals

If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.

Breaches affecting fewer than 500 individuals

A covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.)

The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident.

Check out this HHS.gob web page for more information on submitting a notice of breach to the secretary

In the form field below, detail the extent to which the risk to the PHI has been mitigated. 

What measures have been taken to minimize damage as a result of the breach?

As a business associate, you have an obligation to notify the covered entity of the breach within 60 days of its discovery. 

Although the responsibility falls onto covered entities to notify affected individuals, they may assign their business associates, where appropriate, to inform the affected individuals. This is based on factors such as which organization deals directly with the individuals and what functions the business associate performs for the covered entity.

The covered entity must submit the notice electronically by clicking on the link below and completing all of the fields of the breach notification form.

Link: https://ocrportal.hhs.gov/ocr/breach/breach_form.jsf

Due to the fact that the breach has affected more than 500 individuals, you have 60 days to notify the Secretary.

The covered entity must submit the notice electronically by clicking on the link below and completing all of the required fields of the breach notification form.

Link: https://ocrportal.hhs.gov/ocr/breach/breach_form.jsf

Ensure all of the breach documentation is safely stored. 

This is critical as there may be investigations or legal proceedings in the future, for which the covered entity must be able to present documentation regarding the breach and how it was managed. 

• CloudApper - HIPAA Breach Notification Checklist
• HIPAA Journal - HIPAA Compliance Checklist
• HHS - Submitting Notice of Breach to the Secretary
• HealthITSecurity - How to Comply with the HIPAA Breach Notification Rule
• Centers for Medicare & Medicaid Services - HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules

• HIPAA Compliance Checklist for HR
• HIPAA Omnibus Rule Checklist
• HIPAA Privacy Risk Assessment Checklist
• HIPAA Business Associate Agreement Checklist
• HIPAA Data Backup Plan Checklist
• Patient Intake Checklist for a Medical Clinic
• Patient Intake Checklist for a Dental Clinic
• Patient Satisfaction Survey Checklist
• Hospital Housekeeping Checklist
• Terminal Room Cleaning Checklist
• Hospital Safety Inspection Checklist
• General Infection Control Checklist
• Patient Satisfaction Survey Checklist
• Home Visit Checklist
• Mental Health Risk Assessment Checklist
• WHO Surgical Safety Checklist
• HIPAA Compliance Checklist
• COVID-19 Procedure: Isolation Area Management
• COVID-19 Procedure: Disinfection Procedures for COVID-19 Isolation Ward Area
• COVID-19 Procedure: Lung Transplantation Pre-Transplantation Assessment
• COVID-19 Procedure: Nursing Care During Treatment (ALSS)
• COVID-19 Procedure: Protocol for Donning and Removing PPE
• COVID-19 Procedure: Staff Management (Workflow and Health)
• COVID-19 Procedure: Daily Management and Monitoring of ECMO Audit
• COVID-19 Procedure: Digital Support for Epidemic Prevention and Control
• COVID-19 Procedure: Discharge Standards and Follow-up Plan for COVID-19 Patients
• COVID-19 Procedure: Disinfection of COVID-19 Related Reusable Medical Devices
• COVID-19 Procedure: Disinfection Procedures for Infectious Fabrics of Suspected or Confirmed Patients
• COVID-19 Procedure: Disposal Procedures for COVID-19 Related Medical Waste
• COVID-19 Procedure: Disposal Procedures for Spills of COVID-19 Patient Blood/Fluids
• COVID-19 Procedure: Procedures for Handling Bodies of Deceased Suspected or Confirmed Patients
• COVID-19 Procedure: Procedures for Taking Remedial Actions against Occupational Exposure to COVID-19
• COVID-19 Procedure: Surgical Operations for Suspected or Confirmed Patients