42 CFR Part 2 Breach Portal Required Information

FOR EXTERNAL USE: HHS OCR BREACH REPORT; REQUIRED INFORMATION

42 CFR Part 2 BREACH PORTAL REQUIRED INFORMATION
All information with an asterisk is required.
GENERAL Information Screen
Please supply the required general information for the breach.
* Report Type: What type of breach report are you filing?
•
•

Initial Breach Report
Addendum to Previous Report

If Addendum to Previous Report is selected:
*
Do you have a valid Part 2 Record breach tracking number? If you do not have a
number, please select 'No'.
•
•

Yes
o Part 2 Record Breach Tracking Number: Please supply your breach tracking number.
No

CONTACT Information Screen
Please supply the required contact information for the breach.
•

Are you a Part 2 program who experienced a breach of Part 2 records, and are filing on behalf of
your own organization?

•

Are you a Qualified Service Organization who experienced a breach of Part 2 records, and are
filing on behalf of a Part 2 program?

•

Are you a Part 2 program filing because your Qualified Service Organization experienced a breach
of Part 2 records?

If “Are you a Part 2 Program who experienced a breach of Part 2 records, and are filing on

1

FOR EXTERNAL USE: HHS OCR BREACH REPORT; REQUIRED INFORMATION

behalf of your organization” was selected:

Part 2 Program: Please provide the following information.
*
Name of Part 2 Program: (Name of Program only (not of its representative), no
abbreviations, no acronyms):
* Street Address Line 1:
Street Address Line 2:
* City:
* State: -- Choose State -* ZIP:

Part 2 Program Point of Contact Information
* First Name:
* Last Name:
* Email:
*

Phone Number: (Include area code):

* Usage
•
•

Home/Cell
Work

If “Are you a Qualified Service Organization who experienced a breach of Part 2 records, and
are filing on behalf of a Part 2 Program” was selected
Qualified Service Organization: Completion of this section is required if the breach occurred at
or by a Qualified Service Organization or if you are filing on behalf of a Part 2 Program.
*
Name of Qualified Service Organization: (Name of Qualified Service
Organization only (not of its representative), no abbreviations, no acronyms):
* Street Address Line 1:
Street Address Line 2:
* City:

2

FOR EXTERNAL USE: HHS OCR BREACH REPORT; REQUIRED INFORMATION

* State: -- Choose State --

* ZIP:

Qualified Service Organization Point of Contact Information
* First Name:
* Last Name:
* Email:
* Phone Number: (Include area code):
* Usage
•
•

Home/Cell
Work

Enter the contact information for all Part 2 Programs on whose behalf you are filing.
Part 2 Program 1
*
Name of Part 2 Program: (Name of Part 2 Program only (not of its representative),
no abbreviations, no acronyms):
* Street Address Line 1:
Street Address Line 2:
* City:
* State: -- Choose State -* ZIP:
Point of Contact Information
* First Name:
* Last Name:
* Email:
* Phone Number: (Include area code):
3

FOR EXTERNAL USE: HHS OCR BREACH REPORT; REQUIRED INFORMATION

* Usage
•
•

Home/Cell
Work

If “Are you a Part 2 Program filing because your Qualified Service Organization experienced a
breach of Part 2 records” was selected:
Part 2 Program: Please provide the following information.
*
Name of Part 2 Program: (Name of Program only (not of its representative), no
abbreviations, no acronyms):
* Street Address Line 1:
Street Address Line 2:
* City:
* State: -- Choose State –
* ZIP:

Part 2 Program Point of Contact Information
* First Name:
* Last Name:
* Email:
* Phone Number: (Include area code):
* Usage
•
•

Home/Cell
Work

Qualified Service Organization: Completion of this section is required if the breach occurred at
or by a Qualified Service Organization.
*

Name of Qualified Service Organization: (Name of Qualified Service
Organization only, no abbreviations, no acronyms):
4

FOR EXTERNAL USE: HHS OCR BREACH REPORT; REQUIRED INFORMATION

* Street Address Line 1:
Street Address Line 2:
* City:

* State: -- Choose State -* ZIP:

Qualified Service Organization Point of Contact Information
* First Name:
* Last Name:
* Email:
* Phone Number: (Include area code):
* Usage
• Home/Cell
• Work

BREACH Information Screen
Breach Affecting: How many individuals are affected by the breach? (“Individuals” refers to patients of a
Part 2 program when reporting a breach of such records).
•
•

500 or More Individuals
Fewer Than 500 Individuals

Breach Dates: Please provide the start and end date (if applicable) for the dates the breach
occurred in.
* Breach Start Date:
* Breach End Date:
Discovery Dates: Please provide the start and end date (if applicable) for the dates the breach
was discovered.
* Discovery Start Date:
5

FOR EXTERNAL USE: HHS OCR BREACH REPORT; REQUIRED INFORMATION

* Discovery End Date:

* Approximate Number of Individuals Affected by the Breach:

* Type of Breach (drop-down instructions available in the portal):
□ Hacking/IT Incident Help
□
□
□
□

Improper Disposal Help
Loss Help
Theft Help
Unauthorized Use/Disclosure

* Location of Breach:
□
□
□
□
□
□
□
□

Desktop Computer
Electronic Record
Email
Laptop
Network Server
Other Portable Electronic Device
Paper Records or Films
Other

* Type of Part 2 Record Involved in Breach:
☐ Indicate here if the Part 2 Record described above is also Protected Health Information
□ Clinical
o Diagnosis/Conditions
o Lab Results
o Medications
o Other Treatment Information
□ Demographic
o Address/ZIP
o Date of Birth
o Driver’s License
o Name
o SSN
o Other Identifier
□ Financial
o Claims Information
6

FOR EXTERNAL USE: HHS OCR BREACH REPORT; REQUIRED INFORMATION

o Credit Card/Bank Acct #
o Other Financial Information
□ Other

* Type of Part 2 Record Involved in Breach (Other): [4,000
characters limit]

*

Brief Description of the Breach: [4,000 characters limit]

Do not provide any Part 2 records (i.e., any patient identifying information) with this report.
* Safeguards in Place Prior to Breach (select all that apply):
□
□
□
□

None
Part 2 Security for Records (Policies and Procedures)
Part 2 Disposition of Records by Discontinued Programs
HIPAA Privacy Rule Safeguards (Training, Policies and Procedures, etc.), if applicable, or similar
safeguards
□ HIPAA Security Rule Administrative Safeguards (Risk Analysis, Risk Management, etc.), if
applicable, or similar safeguards
□ HIPAA Security Rule Physical Safeguards (Facility Access Controls, Workstation Security, etc.),
if applicable, or similar safeguards
□ HIPAA Security Rule Technical Safeguards (Access Controls, Transmission Security, etc.), if
applicable, or similar safeguards

NOTICE OF BREACH AND ACTIONS TAKEN Information Screen
Notice of Breach and Actions Taken: Please supply the required information about notices and
actions.
* Individual Notice Provided Start Date:
* Individual Notice Provided Projected/Expected End Date:
Was Substitute Notice Required?
•

•

Yes
o Fewer than 10
o 10 or more
No
7

FOR EXTERNAL USE: HHS OCR BREACH REPORT; REQUIRED INFORMATION

Was Media Notice Required?
•

•

Yes
o Select State(s) and/or Territories in which media notice was provided:
-- Choose State –
No

* Actions Taken in Response to Breach (select all that apply):
□
□
□
□
□
□
□
□
□
□
□
□
□
□
□

Adopted encryption technologies
Changed password/strengthened password requirements
Created a new/updated security management plan
Implemented new technical safeguards
Implemented periodic technical and nontechnical evaluations
Improved physical security
Provided individuals with free credit monitoring
Provided Qualified Service Organizations with additional training on Part 2
Revised Qualified Service Organization agreements
Sanctioned workforce members involved (including termination)
Revised policies and procedures
Performed a new/updated risk analysis for electronic records
Took steps to mitigate harm
Trained or retrained workforce members
Other
o * Describe Other Actions Taken: [4,000 characters limit]

_______________________________________________________________________________
HIPAA BREACH REPORT INFORMATION
Are you a HIPAA Covered Entity or Business Associate and the Part 2 record breach you reported involves
Part 2 records that are protected health information?
• Yes / No
If Yes, have you filed a HIPAA Breach Report for the breach of protected health information?
• Yes / No
If Yes, please provide the HIPAA Breach Tracking Number:

____________________

If you do not recall the HIPAA Breach Tracking Number, please check here: [checkbox]
If No, you must file a separate HIPAA Breach Report for a breach of unsecured protected health
information as required by the HIPAA Breach Notification Rule.
8

FOR EXTERNAL USE: HHS OCR BREACH REPORT; REQUIRED INFORMATION

ATTESTATION Information Screen
Please complete the Attestation form.
Under the Freedom of Information Act (5 U.S.C. §552) and HHS regulations at 45 CFR Part 5, OCR
may be required to release information provided in your breach notification. For breaches affecting
more than 500 individuals, some of the information provided on this form will be made publicly
available by posting on the HHS website pursuant to § 13402(e)(4) of the Health Information
Technology for Economic and Clinical Health (HITECH) Act (Pub. L. 111-5). Additionally, OCR
will use this information, pursuant to § 13402(i) of the HITECH Act, to provide an annual report to
Congress regarding the number and nature of breaches that are reported each year and the actions
taken to respond to such breaches. These provisions apply to Part 2 program reports of breaches of
records protected by 42 U.S.C. 290dd-2 in the same manner as they apply to covered entities for
breaches of unsecured protected health information. OCR will make every effort, as permitted by
law, to protect information that identifies individuals or that, if released, could constitute a clearly
unwarranted invasion of personal privacy.
I attest, to the best of my knowledge, that the above information is accurate.

* Name:

Date: [system generated]

9