Free HIPAA incident / breach
report generator
When a security incident touches PHI, HIPAA expects you to document it and decide whether it is a reportable breach. This generator builds the internal incident report and the four-factor risk assessment set out in 45 CFR §164.402, so you can record what happened and your determination. Preview it as you type, then download it as Word or PDF. Everything runs in your browser, so no data leaves your device.
Report details
Organization & report
The incident
Information involved
Four-factor risk assessment (§164.402)
Containment & mitigation
Determination
Notification (if reportable)
HIPAA SECURITY INCIDENT AND BREACH ASSESSMENT REPORT
Organization: [Your Organization Name].
Prepared by: [Name and title of preparer].
Report date: [Date].
Incident summary
Incident type: [type of incident].
The incident is believed to have occurred on or around [date of incident], and was discovered on [date of discovery].
Description of what happened: [a plain-language description of the incident]
Protected health information involved
Types of PHI involved: [e.g. names, dates of birth, Social Security numbers, diagnoses].
Approximately [number] individuals are affected.
Encryption status of the affected PHI: [Yes / No / Unknown].
Four-factor risk assessment (45 CFR 164.402)
1. Nature and extent of the PHI: [the types of PHI and identifiers involved and the likelihood of re-identification]
2. Unauthorized recipient: [the unauthorized person who used the PHI or to whom it was disclosed]
3. Whether the PHI was acquired or viewed: [whether the PHI was actually acquired or viewed]
4. Mitigation of the risk: [the extent to which the risk to the PHI has been mitigated]
Determination
[Select a determination in the form to generate the breach determination and next steps for this report.]
Containment and corrective action
Containment actions taken: [the steps taken to contain the incident]
Generated by BlockSurvey
How the incident / breach report generator works
3 steps · runs entirely in your browser
Describe the incident
Enter your organization, what happened, the PHI involved, and your four-factor risk assessment in a short guided form.
Review the live preview
Watch the internal report and your breach determination assemble in real time, in plain language.
Download and file
Export a PDF or an editable Word file to keep with your records. Nothing you enter ever leaves your device.
Free, secure, and HIPAA-standard by default
Working out whether an incident is a breach is hard enough without a paywall or a form that ships your incident details to someone else's server. Every report this tool produces follows the breach definition and four-factor risk assessment of 45 CFR §164.402:
100% in-browser
The report is built on your device; nothing is uploaded.
No account required
No sign-up, no email wall, no tracking.
Free, real download
The complete report as Word or PDF at no cost, not a watermarked sample.
What a HIPAA breach risk assessment must document
To show whether an impermissible use or disclosure is a reportable breach, 45 CFR §164.402 expects your assessment to record:
- The four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.
- The protected health information involved, including the types of identifiers and the number of individuals affected.
- Your breach determination: a reportable breach, a low probability of compromise, or not a breach at all.
- The containment and corrective actions you took in response to the incident.
- The notification decision that follows from the determination, including who was notified and when.
Built for every healthcare organization
The moment you discover an incident, the clock starts. This tool helps you document it and run the four-factor test quickly, and it works alongside HIPAA-compliant survey software when you collect health data through forms.
Practices documenting an incident
Record what happened and your response in one place.
Privacy & security officers
Run the four-factor test and write down the reasoning.
Business associates
Report an incident up to the covered entity you serve.
IT & security teams
Capture the facts right after a security event.
Behavioral-health providers
Handle sensitive records with a clear, documented process.
MSPs & IT partners
Document incidents for the healthcare clients you support.
Collecting PHI through forms or surveys?
HIPAA-compliant survey software from BlockSurvey signs a BAA with you, so the tool you use to gather health data is covered too.