Free HIPAA incident / breach
report generator

When a security incident touches PHI, HIPAA expects you to document it and decide whether it is a reportable breach. This generator builds the internal incident report and the four-factor risk assessment set out in 45 CFR §164.402, so you can record what happened and your determination. Preview it as you type, then download it as Word or PDF. Everything runs in your browser, so no data leaves your device.

Report details

Organization & report

The incident

Information involved

Four-factor risk assessment (§164.402)

Containment & mitigation

Determination

Notification (if reportable)

Preview

HIPAA SECURITY INCIDENT AND BREACH ASSESSMENT REPORT

Organization: [Your Organization Name].

Prepared by: [Name and title of preparer].

Report date: [Date].

Incident summary

Incident type: [type of incident].

The incident is believed to have occurred on or around [date of incident], and was discovered on [date of discovery].

Description of what happened: [a plain-language description of the incident]

Protected health information involved

Types of PHI involved: [e.g. names, dates of birth, Social Security numbers, diagnoses].

Approximately [number] individuals are affected.

Encryption status of the affected PHI: [Yes / No / Unknown].

Four-factor risk assessment (45 CFR 164.402)

1. Nature and extent of the PHI: [the types of PHI and identifiers involved and the likelihood of re-identification]

2. Unauthorized recipient: [the unauthorized person who used the PHI or to whom it was disclosed]

3. Whether the PHI was acquired or viewed: [whether the PHI was actually acquired or viewed]

4. Mitigation of the risk: [the extent to which the risk to the PHI has been mitigated]

Determination

[Select a determination in the form to generate the breach determination and next steps for this report.]

Containment and corrective action

Containment actions taken: [the steps taken to contain the incident]

Generated by BlockSurvey

How the incident / breach report generator works

3 steps · runs entirely in your browser

1

Describe the incident

Enter your organization, what happened, the PHI involved, and your four-factor risk assessment in a short guided form.

2

Review the live preview

Watch the internal report and your breach determination assemble in real time, in plain language.

3

Download and file

Export a PDF or an editable Word file to keep with your records. Nothing you enter ever leaves your device.

Free, secure, and HIPAA-standard by default

Working out whether an incident is a breach is hard enough without a paywall or a form that ships your incident details to someone else's server. Every report this tool produces follows the breach definition and four-factor risk assessment of 45 CFR §164.402:

01

100% in-browser

The report is built on your device; nothing is uploaded.

02

No account required

No sign-up, no email wall, no tracking.

03

Free, real download

The complete report as Word or PDF at no cost, not a watermarked sample.

What a HIPAA breach risk assessment must document

To show whether an impermissible use or disclosure is a reportable breach, 45 CFR §164.402 expects your assessment to record:

  1. The four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.
  2. The protected health information involved, including the types of identifiers and the number of individuals affected.
  3. Your breach determination: a reportable breach, a low probability of compromise, or not a breach at all.
  4. The containment and corrective actions you took in response to the incident.
  5. The notification decision that follows from the determination, including who was notified and when.

Built for every healthcare organization

The moment you discover an incident, the clock starts. This tool helps you document it and run the four-factor test quickly, and it works alongside HIPAA-compliant survey software when you collect health data through forms.

Practices documenting an incident

Record what happened and your response in one place.

Privacy & security officers

Run the four-factor test and write down the reasoning.

Business associates

Report an incident up to the covered entity you serve.

IT & security teams

Capture the facts right after a security event.

Behavioral-health providers

Handle sensitive records with a clear, documented process.

MSPs & IT partners

Document incidents for the healthcare clients you support.

Collecting PHI through forms or surveys?

HIPAA-compliant survey software from BlockSurvey signs a BAA with you, so the tool you use to gather health data is covered too.

More free HIPAA tools

Explore more

Frequently asked questions

What is the difference between a security incident and a breach?

A security incident is any event that may have exposed protected health information, such as a lost laptop, a phishing click, or a misdirected email. A breach is a specific legal conclusion: an incident becomes a reportable breach only if there is more than a low probability that unsecured PHI was compromised, based on the four-factor risk assessment in 45 CFR 164.402. Every breach starts as an incident, but not every incident is a breach. This tool documents the incident and records the four-factor analysis that decides which one you have.

What is the four-factor risk assessment?

When PHI is used or disclosed in a way HIPAA does not permit, 45 CFR 164.402 presumes a breach unless you can show a low probability that the information was compromised. You show that by assessing four factors: the nature and extent of the PHI involved, including identifiers and the chance of re-identification; the unauthorized person who used or received it; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. This generator gives you a field for each factor and assembles them into a documented assessment you can keep on file.

When do we have to notify patients and HHS?

If the assessment concludes the incident is a reportable breach, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. You must also notify the Secretary of Health and Human Services: breaches affecting 500 or more individuals are reported to HHS and prominent local media within 60 days, while smaller breaches can be logged and reported to HHS annually, within 60 days after the end of the calendar year, under 45 CFR 164.408. If the assessment concludes there is a low probability of compromise, no notification is required, but you should keep this report as your documentation.

Is this the same as the breach notification letter?

No, and it is worth keeping them separate. This tool produces the internal report your organization writes for itself: the incident record plus the four-factor risk assessment and your breach determination. The Breach Notification Letter Generator produces the outward-facing letter you actually mail to affected patients once you have determined a breach occurred. Use this report first to decide whether a breach happened, then use the letter generator to notify individuals if it did.

Do you store the information I enter?

No. The entire report is assembled locally in your browser. The incident details, PHI descriptions, and assessment notes you enter are never sent to or stored on any server, which is why no sign-up is required.

Is this a substitute for legal advice?

No. This tool generates a starting-point internal report aligned with the breach definition and four-factor risk assessment in 45 CFR 164.402, but it is not legal advice and is not guaranteed to be complete or suitable for your specific situation. Breach analysis also depends on state notification laws, your cyber insurance, and the facts of the incident. Have your assessment and determination reviewed by qualified legal counsel and your privacy or security officer before you rely on them.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.