HIPAA Breach Portal Questions

Supplemental Document HIPAA_Breach_Portal_Questions.pdf

Standards for Privacy of Individually Identifiable Health Information and Supporting Regulations at 45 CFR Parts 160 and 164

OMB: 0945-0003

BREACH PORTAL REQUIRED INFORMATION
All information with an asterisk is required.
GENERAL Information Screen
Please supply the required general information for the breach.
* Report Type: What type of breach report are you filing?
• Initial Breach Report
• Addendum to Previous Report

If Addendum to Previous Report is selected:
* Do you have a valid breach tracking number? A breach tracking number would have been
provided by OCR after January 1st, 2015. If you do not have a number please select 'No'.
• Yes
o Breach Tracking Number: Please supply your breach tracking number.
• No

CONTACT Information Screen
Please supply the required contact information for the breach.
• Are you a Covered Entity who experienced a breach, and are filing on behalf of your organization?
• Are you a Business Associate who experienced a breach, and are filing on behalf of a Covered Entity?
• Are you a Covered Entity filing because your Business Associate experienced a breach?

If “Are you a Covered Entity who experienced a breach, and are filing on behalf of your
organization” was selected:

FOR EXTERNAL USE: HHS OCR BREACH REPORT; REQUIRED INFORMATION

Covered Entity: Please provide the following information.
* Name of Covered Entity: (Name of Entity only (not of its representative), no abbreviations,
no acronyms):
* Type of Covered Entity:
• Health Plan
• Healthcare Clearing House
• Healthcare Provider

* Street Address Line 1:
Street Address Line 2:
* City:
* State: -- Choose State --
* ZIP:

Covered Entity Point of Contact Information
* First Name:
* Last Name:
* Email:
* Phone Number: (Include area code):
Usage
• Home/Cell
• Work

If “Are you a Business Associate who experienced a breach, and are filing on behalf of a
Covered Entity” was selected
Business Associate: Completion of this section is required if the breach occurred at or by a
Business Associate or if you are filing on behalf of a Covered Entity.

* Name of Business Associate: (Name of Business Associate only (not of its representative),
no abbreviations, no acronyms):
* Street Address Line 1:
Street Address Line 2:
* City:
* State: -- Choose State --
* ZIP:

Business Associate Point of Contact Information
* First Name:
* Last Name:
* Email:
* Phone Number: (Include area code):
* Usage
• Home/Cell
• Work

Enter the contact information for all Covered Entities on whose behalf you are filing.
Covered Entity 1
* Name of Covered Entity: (Name of Entity only (not of its representative), no abbreviations,
no acronyms):
* Street Address Line 1:
Street Address Line 2:
* City:
* State: -- Choose State --
* ZIP:

Point of Contact Information
* First Name:
* Last Name:
* Email:
* Phone Number: (Include area code):
* Usage
• Home/Cell
• Work

* Type of Covered Entity:
• Health Plan
• Healthcare Clearing House
• Healthcare Provider

If “Are you a Covered Entity filing because your Business Associate experienced a breach” was
selected:
Covered Entity: Please provide the following information.
* Name of Covered Entity: (Name of Entity only (not of its representative), no abbreviations,
no acronyms):
* Type of Covered Entity:
• Health Plan
• Healthcare Clearing House
• Healthcare Provider

* Street Address Line 1:
Street Address Line 2:
* City:
* State: -- Choose State --
* ZIP:

Covered Entity Point of Contact Information
* First Name:
* Last Name:
* Email:
* Phone Number: (Include area code):
Usage
• Home/Cell
• Work

Business Associate: Completion of this section is required if the breach occurred at or by a
Business Associate.
* Name of Business Associate: (Name of Business Associate only, no abbreviations, no
acronyms):
* Street Address Line 1:
Street Address Line 2:
* City:
* State: -- Choose State --
* ZIP:

Business Associate Point of Contact Information
* First Name:
* Last Name:
* Email:
* Phone Number: (Include area code):
Phone Number
Usage
• Home/Cell
• Work

BREACH Information Screen
Breach Affecting: How many individuals are affected by the breach?
• 500 or More Individuals
• Fewer Than 500 Individuals

Breach Dates: Please provide the start and end date (if applicable) for the dates the breach
occurred in.
* Breach Start Date:
* Breach End Date:
Discovery Dates: Please provide the start and end date (if applicable) for the dates the breach
was discovered.
* Discovery Start Date:
* Discovery End Date:
* Approximate Number of Individuals Affected by the Breach:

* Type of Breach (drop-down instructions available in the portal):
Hacking/IT Incident Help
Improper Disposal Help
Loss Help
Theft Help
Unauthorized Access/Disclosure Help
* Location of Breach:
Desktop Computer
Electronic Medical Record
Email
Laptop
Network Server
Other Portable Electronic Device
Paper/Films
Other

* Type of Protected Health Information Involved in Breach:
Clinical
o Diagnosis/Conditions
o Lab Results
o Medications
o Other Treatment Information
Demographic
o Address/ZIP
o Date of Birth
o Driver’s License
o Name
o SSN
o Other Identifier
Financial
o Claims Information
o Credit Card/Bank Acct #
o Other Financial Information
Other
* Type of Protected Health Information Involved in Breach (Other):
[4,000 characters limit]

* Brief Description of the Breach:
[4,000 characters limit]

* Safeguards in Place Prior to Breach:
None
Privacy Rule Safeguards (Training, Policies and Procedures, etc.)
Security Rule Administrative Safeguards (Risk Analysis, Risk Management, etc.)
Security Rule Physical Safeguards (Facility Access Controls, Workstation Security, etc.)
Security Rule Technical Safeguards (Access Controls, Transmission Security, etc.)

NOTICE OF BREACH AND ACTIONS TAKEN Information Screen
Notice of Breach and Actions Taken: Please supply the required information about notices and
actions.
* Individual Notice Provided Start Date:
* Individual Notice Provided Projected/Expected End Date:
Was Substitute Notice Required?
• Yes
o Fewer than 10
o 10 or more
• No

Was Media Notice Required?
• Yes
o Select State(s) and/or Territories in which media notice was provided:
-- Choose State --
• No

* Actions Taken in Response to Breach:
Adopted encryption technologies
Changed password/strengthened password requirements
Created a new/updated Security Rule Risk Management Plan
Implemented new technical safeguards
Implemented periodic technical and nontechnical evaluations
Improved physical security
Performed a new/updated Security Rule Risk Analysis
Provided business associate with additional training on HIPAA requirements
Provided individuals with free credit monitoring
Revised business associate contracts
Revised policies and procedures
Sanctioned workforce members involved (including termination)
Took steps to mitigate harm
Trained or retrained workforce members
Other
o * Describe Other Actions Taken: [4,000 characters limit]

ATTESTATION Information Screen
Please complete the Attestation form.
Under the Freedom of Information Act (5 U.S.C. §552) and HHS regulations at 45 C.F.R. Part 5,
OCR may be required to release information provided in your breach notification. For breaches
affecting more than 500 individuals, some of the information provided on this form will be made
publicly available by posting on the HHS web site pursuant to § 13402(e)(4) of the Health
Information Technology for Economic and Clinical Health (HITECH) Act (Pub. L. 111-5).
Additionally, OCR will use this information, pursuant to § 13402(i) of the HITECH Act, to
provide an annual report to Congress regarding the number and nature of breaches that are
reported each year and the actions taken to respond to such breaches. OCR will make every
effort, as permitted by law, to protect information that identifies individuals or that, if released,
could constitute a clearly unwarranted invasion of personal privacy.
I attest, to the best of my knowledge, that the above information is accurate.

* Name:

Date: [system generated]



File Type: application/pdf
File Title: Breach Portal Questions
Subject: HIPAA, Breach Notification
Author: HHS Office for Civil Rights
File Modified: 2017-05-18
File Created: 2017-05-16
