HIPAA Breach Notification Decision Tree
A printable, one-page decision tree that guides your team through the 45 CFR §164.402 breach determination: Was PHI involved? Was it unsecured? Does an exception apply? Who must be notified and when?
What is inside
- Walks through the §164.402 definition in plain English: not every incident is a breach, and this tree tells you which ones are
- Covers all four notification obligations: individual notice, media notice, HHS Secretary, and business associate-to-covered entity
- Includes the four-factor risk assessment for applying the low probability of compromise exception
- References exact regulatory citations so your Security Officer can defend every decision
- Print it and pin it in your back office — it is designed to be usable during an active incident
We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just useful material exchanged for an email address.