Incident Triage
On an incident's page, the Breach triage panel helps you respond under the Breach Notification Rule. It has two clearly separated halves.
Notification deadlines (computed, exact)
When PHI/ePHI is marked involved, OnlyHIPAA computes the notification deadlines directly from the incident's discovery date and affected count — no AI, no guessing:
- Individual notice — within 60 days of discovery (§164.404).
- HHS notice — within 60 days for breaches affecting 500 or more (§164.408(b)); otherwise via the annual log within 60 days of year-end (§164.408(c)).
- Media notice — required for 500 or more individuals in a state or jurisdiction (§164.406).
These dates come from the rule, not the model.
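The computation described above can be sketched as a pure function of the discovery date and affected counts. This is an added example, not OnlyHIPAA's own code: the names `notification_deadlines` and `Deadlines` and the per-jurisdiction input shape are assumptions, and the thresholds and 60-day windows are taken as stated on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW = timedelta(days=60)   # 60-day window stated on the page
LARGE_BREACH = 500            # "500 or more" threshold stated on the page


@dataclass
class Deadlines:
    individual_due: date       # §164.404
    hhs_due: date              # §164.408(b) or (c)
    hhs_route: str             # "direct" or "annual_log"
    media_jurisdictions: list  # §164.406: where media notice is required


def notification_deadlines(discovered: date, affected_by_jurisdiction: dict) -> Deadlines:
    """Compute deadlines from discovery date and affected counts only.

    affected_by_jurisdiction maps a state/jurisdiction code to the number of
    affected individuals there (hypothetical input shape, assumed here).
    """
    if any(n < 0 for n in affected_by_jurisdiction.values()):
        raise ValueError("affected counts must be non-negative")
    total = sum(affected_by_jurisdiction.values())
    individual_due = discovered + WINDOW
    if total >= LARGE_BREACH:
        hhs_due, route = discovered + WINDOW, "direct"
    else:
        # Smaller breaches go in the annual log, due 60 days after year-end.
        hhs_due, route = date(discovered.year, 12, 31) + WINDOW, "annual_log"
    # Media notice is decided per jurisdiction, not on the overall total.
    media = sorted(j for j, n in affected_by_jurisdiction.items() if n >= LARGE_BREACH)
    return Deadlines(individual_due, hhs_due, route, media)


if __name__ == "__main__":
    # Constructed sample incident: 620 affected overall, only one state reaches 500.
    print(notification_deadlines(date(2024, 3, 15), {"TX": 540, "OK": 80}))
```

Because the media check runs per jurisdiction, an incident can require direct HHS notice without requiring media notice anywhere.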
HHS 4-factor assessment (AI draft)
When AI is enabled, Draft HHS 4-factor assessment asks Sherpa to draft the §164.402 risk assessment — the nature of the PHI, the unauthorized recipient, whether it was actually acquired or viewed, and the extent of mitigation — plus an overall recommendation (likely breach / low probability / insufficient info).
Grounding & safety
- Only the incident's own fields are used; no patient data is sent to the model.
- The 4-factor output is a draft decision aid. The final breach determination is always a human decision — a privacy officer must make it and record it in the incident's timeline notes. When details are thin, Sherpa leans to "insufficient information."