HIPAA Breach Analysis
Under the Final Omnibus Rule
UW-Madison HIPAA Breach Analysis Form
Analysis Number ____________________________
1.
2.
Date Event Occurred
Date Discovered
General Information
__ __ / __ __ / __ __ __ __
3.
Date Reported to Privacy and/or Security
Officers
4.
Reported By
5.
Name(s) of Patient(s)/Subject(s) Involved
6.
Forms of Unsecured Protected Health
Information
__ __ / __ __ / __ __ __ __
__ __ / __ __ / __ __ __ __

Business Associate

UW-Madison Employee

UW Hospital Employee

UW Medical Foundation Employee

Other: ________________
7.
8.
Type and Amount of PHI Involved
Do You Believe the Disclosure Was a Violation of the Privacy Rule?

Electronic ____________

Fax

Paper

Verbal

Other: _______________

First Name








Last Name
Date of Birth
MRN
Address
Services Received
Social Security No.
Yes
No

Substance Abuse Tx.

Mental Health Tx.

________________

________________

________________

________________

________________
9.
Briefly Describe Incident
Page 1 of 5

HIPAA Breach Analysis
Under the Final Omnibus Rule
Analysis
Step One. There is a presumption that an impermissible use or disclosure of PHI is a reportable breach.
Breach means the acquisition, access, use or disclosure of PHI in a manner not permitted under The Privacy Rule, which compromises the security or privacy of the protected health information.
Note: Encrypted data does not meet the definition of a “breach”.
Protected Health Information (“PHI”) means individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in another form or medium.
1
Health information is defined as any information, including genetic information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
2
Id.
Individually identifiable health information is defined as information that is a subset of health information, including demographic information that is collected from an individual, and “(1) is created or received by a health care provider, health plan, employer, or health care clearinghouse, and (2) relates to the past, present, or future

Check if presumed to be a breach.

Check if PHI was encrypted.
Please describe: physical or mental health or condition of an individual, the provision of health care to an individual; and (i) that identifies the individual, or (ii) with respect to which there is a reasonable basis the believe that information can be used to identify the individual.” 3 Id.
1 Health Insurance and Portability and Accountability Act, 45 C.F.R. sec. 160.103 (1996)(protected health information does not include employment records held by a cover entity in its role as employer)
2 Id.
3 Id.
Page 2 of 5

Step Two. Does an exception apply?
Breach excludes:
HIPAA Breach Analysis
Under the Final Omnibus Rule
(i) Any unintentional acquisition, access, or use of protected health information by workforce member or person acting under the authority of a covered entity (“CE”) or a business associate (“BA”), if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a CE or B A to another person authorized to access protected health information at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
(iii) A disclosure of protected health information where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Step Three. An impermissible use or disclosure is presumed to be a breach unless the CE, or and BA if applicable, demonstrates a low probability that the
PHI has been compromised based on a risk assessment of at the least the following factors: [A low probability breach would not be reportable.]
Factor 1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
Consider whether the information was of a sensitive nature: a. Financial information - such as a credit card number, SSN, or information that increases the risk of identity theft or financial fraud.
Page 3 of 5

Check if (i) applies. Please describe:

Check if (ii) applies. Please describe:

Check if (iii) applies. Please describe:

Supports not reporting

Supports reporting

Check if financial info included.
Please describe:

HIPAA Breach Analysis
Under the Final Omnibus Rule b. Clinical information - consider the nature of the services, amount of detailed clinical information involved (e.g. treatment plan, diagnoses, medication, medical history information, test results.) Sensitive information includes (but is not necessarily limited to) mental health,
STI's and substance abuse. c. Likelihood that PHI can be identified (if no name attached, then may not be a reportable breach)

Check if detailed or sensitive info.
Please describe:

Check if likely. Please describe:

Supports not reporting

Supports reporting
Factor 2. The unauthorized person who used the PHI or to whom the disclosure was made.
Does the recipient have an obligation to protect the PHI through HIPAA, Privacy Act of
1974, FISMA (Federal Information Security Management Act of 2002), i.e., fax was sent in error to another CE. If so, then there may be a lower probability the PHI has been compromised since the recipient of the information is obliged to protect the privacy and security of the information in a similar matter as the disclosing entity.
The fact that information is only impermissibly used within a CE or BA and the impermissible use does not result in additional disclosure outside the entity is something that may be taken into account and may reduce the possibility that PHI has been compromised.
Factor 3. Whether the PHI was actually acquired or viewed.
Determine if the PHI was actually acquired or viewed or, alternatively if only the opportunity existed for the information be acquired or viewed.
Not reportable if PHI is out of possession and later recovered and we can prove that the
PHI was not actually accessed, viewed, acquired, transferred or otherwise compromised.
In contrast, it is a reportable breach if a CE mailed PHI to the wrong person who opened the envelope and called the CE to say she received it in error. In this case the PHI was viewed and acquired because she opened and read the information to the extent she recognized it was mailed to her in error.
Factor 4. The extent to which the risk to the PHI has been mitigated.
CEs (and BAs, if applicable) should attempt to mitigate the risks to the PHI following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a
Page 4 of 5
Please describe recipient:

Supports not reporting

Supports reporting
Please describe if acquired or viewed:

Supports not reporting
 Supports reporting
Please describe mitigation -
Who provided the attestation:
__________________

Under the Final Omnibus Rule confidentiality agreement or similar means) or will be destroyed, and should consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised.
This factor, when considered in combination with the factor regarding the unauthorized recipient of the information discussed above, may lead to different results in terms of the risk to the PHI. For example, a CE may be able to obtain and rely on the assurances of an employee, affiliated entity, BA, or another CE that the entity or person destroyed information it received in error, while such assurances from certain third parties may not be sufficient.
Factor 5. Other factors may be considered when necessary.
Promptness of notification, Intent, Etc. Describe.
HIPAA Breach Analysis

Written Assurance
 Verbal Assurance
 No Assurance

PHI was returned

PHI was not returned

PHI was not removed
 Supports not reporting
 Supports reporting
 Supports not reporting
 Supports reporting
Name of Person Completing Form and Date
This Section for Use by the HIPAA Privacy Officer
10.
Is this a Reportable Breach?
11.
Involved in Risk Assessment
Privacy Office Follow-Up Notes

Yes

No

HIPAA Privacy and Security Operations Committee

Office of Legal Affairs

UW-Madison Privacy Officer

Applicable Privacy Coordinator

UW-Madison Security Officer

Applicable Security Coordinator

Office of Research Policy

Health Information Management

Other _________________________________
Page 5 of 5


Security and/or Privacy Safeguards:

Policies and Procedures:

Sanctions:
ADDITIONAL NOTES:
HIPAA Breach Analysis
Under the Final Omnibus Rule
Page 6 of 5