Incident Analysis

Incident Analysis Process

Analysis of [Incident Name]

[Prepared under direction of General Counsel]

[Attorney Client Privilege]????????????????????????????????????? (when filled in)

Date ?????????????? [?????????????????????? ]

Prepared by ? [?????????????????????? ]

1)??? Executive Summary

[Be brief ? this should be less than a page]

2)??? Timeline of Events

a)????? Discovery

b)???? Determination

c)????? Response

d)???? Internal Notification

e)????? External Support

f)?????? Actions Taken

g)????? Recovery

3)??? Initial Determination

[It is always assumed to be a Reportable Breach, then work backwards to see if it meets an exception or low probability of compromise]

4)??? Evidence Collected

a)????? Evidence 1 Summary & Storage Location

b)???? Evidence 2 Summary & Storage Location

c)????? …

5)??? External Support

[Discuss the external parties you engaged, and if those were engaged under attorney client privilege].

[Also discuss if you used external Counsel to review your documentation and their findings.]

6)??? Analysis

a)????? Does this event meet the definition of a Breach?

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

[Discussion on why this incident meets the definition of a Breach]

b)???? Does this event create a violation of the Privacy Rule?

c)????? Was any unsecured protected information acquired, accessed, used, or disclosed?

d)???? Does this event meet any of the defined exclusions?

e)????? Do the facts of this event demonstrate that there is a low probability that the PHI has been compromised based on the following four factors?

Then have a discussion about each of statements below:

i)? ? ? The nature and extent of the protected information involved, including the types of identifiers and the likelihood of re- identification;

ii)????? The unauthorized person who used the protected information or to whom the disclosure was made;

iii)??? Whether the protected information was actually acquired or viewed; and,

iv)??? The extent to which the risk of the protected information has been mitigated.

f)?????? Recommendation based on the evidence.

7)??? Does State law require additional analysis?

8)??? Determination

Discuss who has the authority to make the final determination.

9)??? Final Decision

[Breach, or No Breach]

[Decision Authority]

[Decision Date]

10)? ? Notification Steps and Timeline (If applicable, but if not, mark N/A)

[Discuss if notification is required, and if so, the legal, regulatory, and contractual timelines.]

[Signature of Decision Authority]?????????????????????????????? [Signature of Counsel]

[Date]????????????????????????????????????????????????????????????????????????? [Date]