
Incident Triage

On an incident's page, the Breach triage panel helps you respond under the Breach Notification Rule. It has two clearly separated halves.

Notification deadlines (computed, exact)

When PHI/ePHI is marked involved, OnlyHIPAA computes the notification deadlines directly from the incident's discovery date and affected count — no AI, no guessing:

  • Individual notice — within 60 days of discovery (§164.404).
  • HHS notice — within 60 days for breaches affecting 500 or more (§164.408(b)); otherwise via the annual log within 60 days of year-end (§164.408(c)).
  • Media notice — required for 500 or more individuals in a state or jurisdiction (§164.406).

These dates come from the rule, not the model.
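
The deadline rules listed above, written out as an added Python example (not OnlyHIPAA's own code). The function name, the per-jurisdiction count input, calendar-day counting, and treating "year-end" as 31 December of the discovery year are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)  # assumption: 60 calendar days
LARGE_BREACH = 500                  # "500 or more" threshold from the list above


@dataclass(frozen=True)
class Deadlines:
    individual_due: date        # §164.404
    hhs_due: date               # §164.408(b) or §164.408(c)
    hhs_basis: str              # which HHS route applies
    media_jurisdictions: tuple  # §164.406: jurisdictions that need media notice


def notification_deadlines(discovered, phi_involved, affected_by_jurisdiction):
    """Return Deadlines, or None when PHI/ePHI is not marked involved.

    affected_by_jurisdiction maps a state/jurisdiction code to the number of
    affected individuals there (hypothetical input shape).
    """
    if not phi_involved:
        return None
    if any(n < 0 for n in affected_by_jurisdiction.values()):
        raise ValueError("affected counts must be non-negative")

    total = sum(affected_by_jurisdiction.values())
    if total >= LARGE_BREACH:
        hhs_due, basis = discovered + NOTICE_WINDOW, "164.408(b)"
    else:
        # Annual-log route. Assumption: year-end is 31 Dec of the discovery year.
        hhs_due = date(discovered.year, 12, 31) + NOTICE_WINDOW
        basis = "164.408(c)"

    # Media notice is decided per jurisdiction, not on the overall total.
    media = tuple(sorted(j for j, n in affected_by_jurisdiction.items()
                         if n >= LARGE_BREACH))
    return Deadlines(discovered + NOTICE_WINDOW, hhs_due, basis, media)


if __name__ == "__main__":
    # Constructed sample incidents.
    print(notification_deadlines(date(2025, 3, 10), True, {"TX": 520, "OK": 30}))
    print(notification_deadlines(date(2023, 11, 20), True, {"OH": 40}))
    print(notification_deadlines(date(2025, 3, 10), True, {"TX": 300, "OK": 300}))
```

The third sample shows the case worth checking by hand: 600 affected in total triggers the 60-day HHS notice, but no single jurisdiction reaches 500, so no media notice is flagged.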

HHS 4-factor assessment (AI draft)

When AI is enabled, Draft HHS 4-factor assessment asks Sherpa to draft the §164.402 risk assessment — the nature of the PHI, the unauthorized recipient, whether it was actually acquired or viewed, and the extent of mitigation — plus an overall recommendation (likely breach / low probability / insufficient info).

Grounding & safety

  • Only the incident's own fields are used; no patient data is sent to the model.
  • The 4-factor output is a draft decision aid. The final breach determination is always a human decision — a privacy officer must make it and record it in the incident's timeline notes. When details are thin, Sherpa leans to "insufficient information."