Purpose: Provide a governed, end-to-end workflow for privacy/security incidents involving ePHI, from first report through assessment, containment, breach determination, notification, and post-mortem. Unifies legal, security, privacy, HIM, and IT operations on a single timeline with audit-ready evidence.
Workflow (Intake → Closure)
- Intake: Guided form captures reporter, system(s), dates, suspected data categories, patient scope, and initial impact. Auto-create case ID; attach screenshots/logs.
- Triage: Classify (confidentiality/integrity/availability), suspected ePHI exposure, threat type (misdirected, loss/theft, ransomware, misconfig), and current containment status.
- Assessment: Structured questions for HIPAA breach analysis (acquisition, view/use/disclosure; mitigation; unauthorized person; data type sensitivity). Pulls logs from Audit Event Hub for corroboration.
- Decision & Containment: Record “Breach vs. Incident (not a breach)” determination with rationale and counsel sign-off; track containment actions and verifications.
- Notifications: Start federal/state/contract clocks; generate patient/provider/payer templates as applicable; manage returns (undeliverable, deceased, substitute notice).
- Closure & Lessons Learned: Capture root cause, corrective actions, sanctions (if any), and policy updates. Publish post-incident review with assigned owners and due dates.
Regulatory Clocks & Jurisdictions
- Timer automation: Tracks federal HIPAA timelines and a state matrix for stricter notification deadlines; highlights weekends/holidays and approval dependencies.
- Recipients & channels: Patient letters, substitute notice, media notice (if threshold met), HHS/OCR submission, and payer/contractual notifications.
- Proof of notice: Store mail lists, email proofs, and publication links with timestamps.
Evidence Locker
- Immutable vault for logs, screenshots, exports, counsel memos, vendor statements, and remediation artifacts.
- Checksum/signature on packages; chain-of-custody tracking; role-based access.
- One-click Regulatory Binder export (PDF/ZIP) with index and metadata.
Dashboards & Reporting
- Open incidents by severity and SLA; clock status (days remaining/late).
- Trends by cause (phishing, misdirected fax/email, device theft, misconfig), system, and department.
- Remediation tracker with owners, due dates, and verification evidence.
Integration
- Pulls access events from Audit Event Hub & Investigator; correlates affected patients and timeframe.
- Feeds Sanction & Disciplinary Log and Privacy Incident Pattern Analyzer for systemic fixes.
- Optional hooks to ticketing (Jira/ServiceNow), mail merge, and e-signature systems.
Roles & Value
- Security/Privacy: A single source of truth with defensible timelines and evidence.
- Legal/Counsel: Structured breach analysis, approval checkpoints, and ready-to-file packets.
- Operations/IT: Clear containment tasks and verification; fewer ad-hoc emails.
- Executive: Risk posture and cycle time metrics; confirms regulatory diligence.


