Risk Assessment

Privacy, Risk, and Discipline Assessment

Breach Risk Assessment

Case #:

Case Name:

Reference links for each governing law, HIPAA (45 CFR 164.530) and Washington state (WA RCW 42.19.255/HB 1071): Definitions, Exclusions, Breach, Notification, Time Frame, Exceptions.

RISK ASSESSMENT

For each factor, choose the best-fitting option and record its score once per governing law listed above (HIPAA column and WA column), with any comments. The four factors mirror the ones HIPAA's breach risk assessment requires (45 CFR 164.402). The values shown are the blank form's defaults.

Description                                   HIPAA: Choose Best Option / Score   WA: Choose Best Option / Score   Comments
Is Section Applicable?                        Applicable / TRUE                   Applicable / TRUE
Content: Nature & Sensitivity of Info         Content / FALSE                     Content / FALSE
Person: Who was info disclosed to?            Person / FALSE                      Person / FALSE
Access: Was the info acquired or viewed?      Access / FALSE                      Access / FALSE
Mitigation: Has risk been mitigated?          Mitigation / FALSE                  Mitigation / FALSE

Calculation: Content + Person + Access - Mitigation = Risk Level (computed separately for the HIPAA and WA columns; both default to 0)

SUBMIT REPORT? Risk Level bands:
  -2 through 1:  Lowest Risk, No Report
   2 through 5:  Low Risk, No Report
   6 through 9:  Moderate Risk, Consider Reporting (depending on LoProCo)
  10 through 14: Highest Risk, Consider Reporting (depending on LoProCo)

BREACH EXCEPTIONS

Description of Exceptions: Not Applicable (HIPAA column) / Not Applicable (WA column)

LO PRO CO ANALYSIS

Low Probability of Compromise? (Under HIPAA, notification is not required if the risk assessment demonstrates a low probability that the PHI has been compromised.)

BREACH NOTIFICATION

Breach Notification?

Notification Date Calculation

Accounting of Disclosures?

Other Reporting Requirements

SUMMARY OF INCIDENT

PERSON COMPLETING ASSESSMENT

Name:

Title:

Date:

Case #:

Case Name:

SUMMARY OF ALLEGATION

Violation Level (per Privacy Violation Guidance tool/HR Policy)

Policy Link

MITIGATING FACTORS

SCORE

NOTES

1. Prompt voluntary reporting of the violation

2. Cooperation with the investigation

3. Role in the violation was small

4. Action was taken based on a good faith reasonable belief that the action was lawful and consistent with Overlake policies and Code of Conduct

5. Emergency circumstances where an individual's health and safety is at risk

6. Flagged access involves someone the employee has legal medical record authority over (e.g., minor child, durable power of attorney (DPOA))

7. Medical provider accessing record of family member with illness (should have proxy access)

8. Employee accessed record for perceived business purposes (e.g., birthday list, home address)

9. Honest error made by employee (e.g., sending PHI to wrong address)

Sub-Total: Mitigating Factors

0

AGGRAVATING FACTORS

SCORE

NOTES

1. Deliberately failing to check whether a particular course of action was prohibited

2. Engaging in an improper act after receiving education on appropriate standards

3. Failure to follow a formal HR disciplinary action

4. Attempting to conceal a violation

5. Benefiting from the inappropriate action (self, family, or close friends)

6. Dishonesty during an investigation

7. Pattern of misconduct (multiple patients impacted)

8. Whether the violation caused, or could have caused, serious damage to Overlake or to any patient or employee

9. Failure to report a known inappropriate action of another employee

10. Acts which are criminal in nature (beyond HIPAA)

Sub-Total: Aggravating Factors

0

Mitigating & Aggravating Calculation

0

Risk Assessment - Reportable? (carried from the Breach Risk Assessment above; HIPAA column / WA column)

FALSE / FALSE

TOTAL SCORE

0

RECOMMENDED DISCIPLINE (by Total Score)
  Initial:        0 – 2 points
  Written:        3 – 5 points
  Final Written:  6 – 8 points
  Termination:    9+ points

PERSON COMPLETING ASSESSMENT

- Name

- Title

- Date
