bmad-plus 0.7.4 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +450 -407
- package/LICENSE +21 -0
- package/README.md +555 -446
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +62 -57
- package/readme-international/README.de.md +576 -426
- package/readme-international/README.es.md +578 -518
- package/readme-international/README.fr.md +576 -516
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
- package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
- package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
- package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
- package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
- package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
- package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
- package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
- package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
- package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
- package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
- package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
- package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
- package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
- package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
- package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
- package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
- package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
- package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/module.yaml +283 -280
- package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
- package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
- package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
- package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
- package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
- package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
- package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
- package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
- package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
- package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
- package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
- package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
- package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
- package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
- package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
- package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
- package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
- package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
- package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
- package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
- package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
- package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/commands/autoconfig.js +498 -489
- package/tools/cli/commands/doctor.js +222 -175
- package/tools/cli/commands/install.js +739 -739
- package/tools/cli/commands/memory.js +194 -194
- package/tools/cli/commands/scan.js +360 -350
- package/tools/cli/commands/uninstall.js +96 -96
- package/tools/cli/commands/update.js +174 -174
- package/tools/cli/i18n.js +763 -763
|
@@ -1,293 +1,293 @@
|
|
|
1
|
-
# HIPAA Breach Notification Rule Reference
|
|
2
|
-
## 45 CFR Part 164, Subpart D (HITECH / 2009)
|
|
3
|
-
|
|
4
|
-
---
|
|
5
|
-
|
|
6
|
-
## Table of Contents
|
|
7
|
-
1. [What is a Breach?](#1-what-is-a-breach)
|
|
8
|
-
2. [Breach Risk Assessment (4-Factor Test)](#2-breach-risk-assessment-4-factor-test)
|
|
9
|
-
3. [Notification to Individuals](#3-notification-to-individuals)
|
|
10
|
-
4. [Notification to HHS](#4-notification-to-hhs)
|
|
11
|
-
5. [Notification to Media](#5-notification-to-media)
|
|
12
|
-
6. [Business Associate Obligations](#6-business-associate-obligations)
|
|
13
|
-
7. [Documentation Requirements](#7-documentation-requirements)
|
|
14
|
-
8. [Penalties & Enforcement](#8-penalties--enforcement)
|
|
15
|
-
9. [Breach Response Workflow](#9-breach-response-workflow)
|
|
16
|
-
10. [Common Breach Scenarios](#10-common-breach-scenarios)
|
|
17
|
-
|
|
18
|
-
---
|
|
19
|
-
|
|
20
|
-
## 1. What is a Breach?
|
|
21
|
-
|
|
22
|
-
### Definition (§164.402):
|
|
23
|
-
A **breach** is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
|
|
24
|
-
|
|
25
|
-
### Three Exceptions — These Are NOT Breaches:
|
|
26
|
-
1. **Unintentional access** by workforce member acting in good faith within scope of authority — if no further use/disclosure
|
|
27
|
-
2. **Inadvertent disclosure** between authorized persons at the CE/BA — if no further use/disclosure
|
|
28
|
-
3. **Good faith belief** that unauthorized person who received PHI could not have retained it (e.g., misdirected fax that was immediately returned/destroyed)
|
|
29
|
-
|
|
30
|
-
### Presumption:
|
|
31
|
-
**Assume it's a breach unless the CE/BA demonstrates low probability that PHI has been compromised** using the 4-Factor Risk Assessment.
|
|
32
|
-
|
|
33
|
-
---
|
|
34
|
-
|
|
35
|
-
## 2. Breach Risk Assessment (4-Factor Test)
|
|
36
|
-
### §164.402(2)
|
|
37
|
-
|
|
38
|
-
To rebut the presumption of a breach, document a risk assessment considering:
|
|
39
|
-
|
|
40
|
-
### Factor 1: Nature and Extent of PHI Involved
|
|
41
|
-
- What types of identifiers were included?
|
|
42
|
-
- Was financial information involved (SSN, credit card, bank account)?
|
|
43
|
-
- Was clinical information included (diagnosis, treatment, medication)?
|
|
44
|
-
- Higher sensitivity = higher likelihood of compromise
|
|
45
|
-
|
|
46
|
-
### Factor 2: Who Unauthorized Person Was
|
|
47
|
-
- Was it another CE or BA (who would understand privacy obligations)?
|
|
48
|
-
- Was it a member of the public?
|
|
49
|
-
- Was it a malicious actor vs. inadvertent recipient?
|
|
50
|
-
- Known or unknown recipient?
|
|
51
|
-
|
|
52
|
-
### Factor 3: Whether PHI Was Actually Acquired or Viewed
|
|
53
|
-
- Did the unauthorized person actually access the information?
|
|
54
|
-
- Was the email read? Was the USB drive opened?
|
|
55
|
-
- Technical evidence (email delivery receipts, server logs)?
|
|
56
|
-
- Attestation from recipient that they did not view/retain?
|
|
57
|
-
|
|
58
|
-
### Factor 4: Extent to Which Risk Has Been Mitigated
|
|
59
|
-
- Was the PHI retrieved/destroyed?
|
|
60
|
-
- Did recipient sign a confidentiality agreement?
|
|
61
|
-
- Did recipient provide credible assurance of destruction?
|
|
62
|
-
|
|
63
|
-
### Assessment Outcome:
|
|
64
|
-
- **Low probability of compromise** → Not a reportable breach (document your reasoning thoroughly)
|
|
65
|
-
- **Cannot demonstrate low probability** → Treat as reportable breach
|
|
66
|
-
|
|
67
|
-
> **Important**: HHS scrutinizes risk assessments. Document contemporaneously, thoroughly, and honestly. A weak or post-hoc justification is worse than treating the incident as a breach.
|
|
68
|
-
|
|
69
|
-
### Safe Harbor — Encryption:
|
|
70
|
-
If PHI was **encrypted** using NIST-approved methods AND the encryption key was not also compromised → **Not a reportable breach** (§164.402(2) exception).
|
|
71
|
-
- Acceptable: AES-128+, NIST FIPS 140-2 validated
|
|
72
|
-
- Must maintain documentation of encryption
|
|
73
|
-
|
|
74
|
-
---
|
|
75
|
-
|
|
76
|
-
## 3. Notification to Individuals
|
|
77
|
-
### §164.404
|
|
78
|
-
|
|
79
|
-
### Timeline:
|
|
80
|
-
**Without unreasonable delay AND within 60 calendar days** of discovery of the breach.
|
|
81
|
-
|
|
82
|
-
Discovery = when CE/BA knew or should have known of the breach (not when investigation concludes).
|
|
83
|
-
|
|
84
|
-
### Method:
|
|
85
|
-
- **First choice**: Written notice by **first-class mail** to last known address
|
|
86
|
-
- **If email on file and individual agreed to electronic notice**: Email acceptable
|
|
87
|
-
- **If contact info insufficient or out-of-date** (10+ individuals): Substitute notice:
|
|
88
|
-
- Prominent posting on website homepage for 90 days + toll-free number, OR
|
|
89
|
-
- Major print/broadcast media in affected area
|
|
90
|
-
- **Urgent situations** (imminent misuse risk): Phone or other means in addition to written notice
|
|
91
|
-
|
|
92
|
-
### Required Content of Individual Notice (§164.404(c)):
|
|
93
|
-
1. Brief description of what happened (date of breach, date of discovery if known)
|
|
94
|
-
2. Description of types of PHI involved
|
|
95
|
-
3. Steps individuals should take to protect themselves
|
|
96
|
-
4. Brief description of what CE is doing to investigate, mitigate, and prevent recurrence
|
|
97
|
-
5. Contact info (toll-free number, email, website, or postal address)
|
|
98
|
-
|
|
99
|
-
---
|
|
100
|
-
|
|
101
|
-
## 4. Notification to HHS
|
|
102
|
-
### §164.408
|
|
103
|
-
|
|
104
|
-
### Timeline Depends on Breach Size:
|
|
105
|
-
|
|
106
|
-
| Affected Individuals | HHS Notification Deadline |
|
|
107
|
-
|---------------------|--------------------------|
|
|
108
|
-
| **500 or more** in a state/jurisdiction | **Simultaneously with individual notice** (within 60 days of discovery) |
|
|
109
|
-
| **Fewer than 500** | **Annual log** — submit within 60 days after end of calendar year |
|
|
110
|
-
|
|
111
|
-
### How to Submit:
|
|
112
|
-
- HHS Breach Reporting Portal: www.hhs.gov/hipaa/for-professionals/breach-notification/
|
|
113
|
-
- Breaches of 500+ are posted on HHS "Wall of Shame" (public)
|
|
114
|
-
|
|
115
|
-
### Required Information for HHS Report:
|
|
116
|
-
- Name of CE
|
|
117
|
-
- Contact information
|
|
118
|
-
- Type of breach (theft, loss, unauthorized access/disclosure, hacking, improper disposal, other)
|
|
119
|
-
- Location of breached information (laptop, paper, EHR, email, other)
|
|
120
|
-
- Number of individuals affected
|
|
121
|
-
- Date of breach
|
|
122
|
-
- Date of discovery
|
|
123
|
-
- Description of PHI types involved
|
|
124
|
-
- Description of safeguards in place
|
|
125
|
-
- Actions taken in response
|
|
126
|
-
|
|
127
|
-
---
|
|
128
|
-
|
|
129
|
-
## 5. Notification to Media
|
|
130
|
-
### §164.406
|
|
131
|
-
|
|
132
|
-
### Required When:
|
|
133
|
-
Breach affects **500 or more residents** of a **state or jurisdiction**.
|
|
134
|
-
|
|
135
|
-
### Timeline:
|
|
136
|
-
Without unreasonable delay and within **60 calendar days** of discovery.
|
|
137
|
-
|
|
138
|
-
### Method:
|
|
139
|
-
Notify prominent media outlets serving the affected state/jurisdiction (e.g., major newspaper, TV station).
|
|
140
|
-
|
|
141
|
-
### Content:
|
|
142
|
-
Same as individual notification content.
|
|
143
|
-
|
|
144
|
-
> Note: Media notification is IN ADDITION to individual and HHS notification — not a substitute.
|
|
145
|
-
|
|
146
|
-
---
|
|
147
|
-
|
|
148
|
-
## 6. Business Associate Obligations
|
|
149
|
-
### §164.410
|
|
150
|
-
|
|
151
|
-
### BA Must Notify CE:
|
|
152
|
-
- **Without unreasonable delay** and within **60 calendar days** of discovery
|
|
153
|
-
- BA discovery = when any employee, officer, or agent of BA knows (or should know)
|
|
154
|
-
|
|
155
|
-
### What BA Must Provide to CE:
|
|
156
|
-
- Identity of each individual affected (if known)
|
|
157
|
-
- All information needed for CE to provide required notifications
|
|
158
|
-
|
|
159
|
-
### CE Remains Responsible:
|
|
160
|
-
- The CE must send notifications to individuals, HHS, and media
|
|
161
|
-
- CE's 60-day clock runs from CE's discovery OR BA's notification (whichever is earlier)
|
|
162
|
-
- CE and BA should establish clear breach notification obligations in BAA
|
|
163
|
-
|
|
164
|
-
### BA-to-Subcontractor:
|
|
165
|
-
- Subcontractors of BAs must notify the BA (same timeline)
|
|
166
|
-
- Chain of notification flows up: Subcontractor → BA → CE
|
|
167
|
-
|
|
168
|
-
---
|
|
169
|
-
|
|
170
|
-
## 7. Documentation Requirements
|
|
171
|
-
### §164.414
|
|
172
|
-
|
|
173
|
-
### Must Maintain Documentation of:
|
|
174
|
-
- Risk assessments for incidents (justifying breach vs. non-breach determination)
|
|
175
|
-
- All notifications sent (copies)
|
|
176
|
-
- Dates notifications were sent
|
|
177
|
-
- Substitute notice postings
|
|
178
|
-
- HHS reports submitted
|
|
179
|
-
- Media notifications
|
|
180
|
-
|
|
181
|
-
### Retention: 6 years from creation or last effective date
|
|
182
|
-
|
|
183
|
-
### Best Practice — Incident Log:
|
|
184
|
-
Maintain a running log of all security incidents (whether or not they rise to reportable breach level). Useful for:
|
|
185
|
-
- Demonstrating Security Rule compliance (§164.308(a)(6))
|
|
186
|
-
- Pattern identification
|
|
187
|
-
- HHS investigations
|
|
188
|
-
- Annual HHS small breach reporting
|
|
189
|
-
|
|
190
|
-
---
|
|
191
|
-
|
|
192
|
-
## 8. Penalties & Enforcement
|
|
193
|
-
### HITECH / §160.404
|
|
194
|
-
|
|
195
|
-
### Civil Money Penalties (CMPs):
|
|
196
|
-
|
|
197
|
-
| Violation Category | Per Violation | Calendar Year Cap |
|
|
198
|
-
|-------------------|--------------|-------------------|
|
|
199
|
-
| Did not know (reasonable diligence) | $137 – $68,928 | $2,067,813 |
|
|
200
|
-
| Reasonable cause (not willful neglect) | $1,379 – $68,928 | $2,067,813 |
|
|
201
|
-
| Willful neglect — corrected | $13,785 – $68,928 | $2,067,813 |
|
|
202
|
-
| Willful neglect — not corrected | $68,928 – $2,067,813 | $2,067,813 |
|
|
203
|
-
|
|
204
|
-
> Note: Penalty amounts are adjusted annually for inflation (figures above are approximate 2024 levels).
|
|
205
|
-
|
|
206
|
-
### Criminal Penalties (§1320d-6):
|
|
207
|
-
- Knowingly obtaining/disclosing PHI: Up to $50,000 + 1 year imprisonment
|
|
208
|
-
- Under false pretenses: Up to $100,000 + 5 years
|
|
209
|
-
- With intent to sell/transfer/use for commercial advantage: Up to $250,000 + 10 years
|
|
210
|
-
|
|
211
|
-
### State Attorneys General:
|
|
212
|
-
- May bring civil actions for HIPAA violations on behalf of state residents
|
|
213
|
-
- May obtain $100/violation, up to $25,000/year per violation category (pre-inflation)
|
|
214
|
-
|
|
215
|
-
### HHS Enforcement Priorities (Historical):
|
|
216
|
-
- Risk analysis failures (most common)
|
|
217
|
-
- Access control deficiencies
|
|
218
|
-
- Insufficient encryption (not implementing addressable standard)
|
|
219
|
-
- Business Associate Agreement failures
|
|
220
|
-
- Insufficient audit logging
|
|
221
|
-
- Failure to timely notify of breaches
|
|
222
|
-
|
|
223
|
-
---
|
|
224
|
-
|
|
225
|
-
## 9. Breach Response Workflow
|
|
226
|
-
|
|
227
|
-
```
|
|
228
|
-
INCIDENT DETECTED
|
|
229
|
-
│
|
|
230
|
-
▼
|
|
231
|
-
STEP 1: CONTAINMENT (Immediate)
|
|
232
|
-
- Isolate affected systems
|
|
233
|
-
- Preserve evidence (logs, screenshots)
|
|
234
|
-
- Prevent further unauthorized access
|
|
235
|
-
- Assign incident response team
|
|
236
|
-
│
|
|
237
|
-
▼
|
|
238
|
-
STEP 2: INVESTIGATION (Days 1-14)
|
|
239
|
-
- What PHI was involved? (types, quantity)
|
|
240
|
-
- When did breach occur? When discovered?
|
|
241
|
-
- Who was affected (individuals)?
|
|
242
|
-
- How did breach occur?
|
|
243
|
-
- Was encryption in place?
|
|
244
|
-
│
|
|
245
|
-
▼
|
|
246
|
-
STEP 3: RISK ASSESSMENT (Days 1-30)
|
|
247
|
-
- Apply 4-Factor Test (see Section 2)
|
|
248
|
-
- Document analysis contemporaneously
|
|
249
|
-
- Determine: Reportable Breach or Not?
|
|
250
|
-
│
|
|
251
|
-
├─ NOT A BREACH ──→ Document findings; close incident; review safeguards
|
|
252
|
-
│
|
|
253
|
-
▼
|
|
254
|
-
STEP 4: IF REPORTABLE BREACH
|
|
255
|
-
│
|
|
256
|
-
├─ Notify INDIVIDUALS within 60 days of discovery
|
|
257
|
-
├─ Notify HHS:
|
|
258
|
-
│ ├─ 500+ affected: Within 60 days of discovery
|
|
259
|
-
│ └─ <500 affected: Add to annual log; report by Mar 1 of following year
|
|
260
|
-
└─ Notify MEDIA if 500+ residents in a state/jurisdiction
|
|
261
|
-
│
|
|
262
|
-
▼
|
|
263
|
-
STEP 5: REMEDIATION
|
|
264
|
-
- Address root cause
|
|
265
|
-
- Enhance safeguards
|
|
266
|
-
- Update policies/procedures
|
|
267
|
-
- Retrain workforce
|
|
268
|
-
- Update Risk Analysis
|
|
269
|
-
│
|
|
270
|
-
▼
|
|
271
|
-
STEP 6: DOCUMENTATION
|
|
272
|
-
- Incident report with all details
|
|
273
|
-
- Risk assessment documentation
|
|
274
|
-
- Copies of all notifications sent
|
|
275
|
-
- Remediation steps taken
|
|
276
|
-
```
|
|
277
|
-
|
|
278
|
-
---
|
|
279
|
-
|
|
280
|
-
## 10. Common Breach Scenarios
|
|
281
|
-
|
|
282
|
-
| Scenario | Breach? | Key Considerations |
|
|
283
|
-
|----------|---------|-------------------|
|
|
284
|
-
| Laptop with unencrypted PHI stolen | **Yes** (unless risk assessment rebuts) | Encryption safe harbor doesn't apply; document risk assessment |
|
|
285
|
-
| Encrypted laptop stolen | **Likely not** | Confirm encryption was FIPS 140-2 compliant; document |
|
|
286
|
-
| Email with PHI sent to wrong patient | **Risk assess** | Did recipient view it? Can they be contacted to confirm deletion? |
|
|
287
|
-
| PHI mailed to wrong address | **Risk assess** | Was it returned unopened? Could recipient have retained it? |
|
|
288
|
-
| Employee snoops on celebrity patient records | **Yes** | Workforce members are authorized users but this is impermissible access |
|
|
289
|
-
| Ransomware encrypts ePHI | **Likely yes** | Access/acquisition occurred; must conduct risk assessment; difficult to rebut |
|
|
290
|
-
| Vendor (BA) has breach | **Yes** | BA must notify CE; CE must notify individuals within 60 days |
|
|
291
|
-
| PHI posted on social media by employee | **Yes** | Impermissible disclosure; high severity |
|
|
292
|
-
| Paper PHI left in unsecured area briefly | **Risk assess** | Was it accessed? By whom? Mitigated? |
|
|
293
|
-
| Verbal disclosure of PHI to wrong party | **Privacy Rule** (not Security Rule) | Breach Notification applies to PHI broadly, not just ePHI |
|
|
1
|
+
# HIPAA Breach Notification Rule Reference
|
|
2
|
+
## 45 CFR Part 164, Subpart D (HITECH / 2009)
|
|
3
|
+
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
## Table of Contents
|
|
7
|
+
1. [What is a Breach?](#1-what-is-a-breach)
|
|
8
|
+
2. [Breach Risk Assessment (4-Factor Test)](#2-breach-risk-assessment-4-factor-test)
|
|
9
|
+
3. [Notification to Individuals](#3-notification-to-individuals)
|
|
10
|
+
4. [Notification to HHS](#4-notification-to-hhs)
|
|
11
|
+
5. [Notification to Media](#5-notification-to-media)
|
|
12
|
+
6. [Business Associate Obligations](#6-business-associate-obligations)
|
|
13
|
+
7. [Documentation Requirements](#7-documentation-requirements)
|
|
14
|
+
8. [Penalties & Enforcement](#8-penalties--enforcement)
|
|
15
|
+
9. [Breach Response Workflow](#9-breach-response-workflow)
|
|
16
|
+
10. [Common Breach Scenarios](#10-common-breach-scenarios)
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## 1. What is a Breach?
|
|
21
|
+
|
|
22
|
+
### Definition (§164.402):
|
|
23
|
+
A **breach** is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
|
|
24
|
+
|
|
25
|
+
### Three Exceptions — These Are NOT Breaches:
|
|
26
|
+
1. **Unintentional access** by workforce member acting in good faith within scope of authority — if no further use/disclosure
|
|
27
|
+
2. **Inadvertent disclosure** between authorized persons at the CE/BA — if no further use/disclosure
|
|
28
|
+
3. **Good faith belief** that unauthorized person who received PHI could not have retained it (e.g., misdirected fax that was immediately returned/destroyed)
|
|
29
|
+
|
|
30
|
+
### Presumption:
|
|
31
|
+
**Assume it's a breach unless the CE/BA demonstrates low probability that PHI has been compromised** using the 4-Factor Risk Assessment.
|
|
32
|
+
|
|
33
|
+
---
|
|
34
|
+
|
|
35
|
+
## 2. Breach Risk Assessment (4-Factor Test)
|
|
36
|
+
### §164.402(2)
|
|
37
|
+
|
|
38
|
+
To rebut the presumption of a breach, document a risk assessment considering:
|
|
39
|
+
|
|
40
|
+
### Factor 1: Nature and Extent of PHI Involved
|
|
41
|
+
- What types of identifiers were included?
|
|
42
|
+
- Was financial information involved (SSN, credit card, bank account)?
|
|
43
|
+
- Was clinical information included (diagnosis, treatment, medication)?
|
|
44
|
+
- Higher sensitivity = higher likelihood of compromise
|
|
45
|
+
|
|
46
|
+
### Factor 2: Who Unauthorized Person Was
|
|
47
|
+
- Was it another CE or BA (who would understand privacy obligations)?
|
|
48
|
+
- Was it a member of the public?
|
|
49
|
+
- Was it a malicious actor vs. inadvertent recipient?
|
|
50
|
+
- Known or unknown recipient?
|
|
51
|
+
|
|
52
|
+
### Factor 3: Whether PHI Was Actually Acquired or Viewed
|
|
53
|
+
- Did the unauthorized person actually access the information?
|
|
54
|
+
- Was the email read? Was the USB drive opened?
|
|
55
|
+
- Technical evidence (email delivery receipts, server logs)?
|
|
56
|
+
- Attestation from recipient that they did not view/retain?
|
|
57
|
+
|
|
58
|
+
### Factor 4: Extent to Which Risk Has Been Mitigated
|
|
59
|
+
- Was the PHI retrieved/destroyed?
|
|
60
|
+
- Did recipient sign a confidentiality agreement?
|
|
61
|
+
- Did recipient provide credible assurance of destruction?
|
|
62
|
+
|
|
63
|
+
### Assessment Outcome:
|
|
64
|
+
- **Low probability of compromise** → Not a reportable breach (document your reasoning thoroughly)
|
|
65
|
+
- **Cannot demonstrate low probability** → Treat as reportable breach
|
|
66
|
+
|
|
67
|
+
> **Important**: HHS scrutinizes risk assessments. Document contemporaneously, thoroughly, and honestly. A weak or post-hoc justification is worse than treating the incident as a breach.
|
|
68
|
+
|
|
69
|
+
### Safe Harbor — Encryption:
|
|
70
|
+
If PHI was **encrypted** using NIST-approved methods AND the encryption key was not also compromised → **Not a reportable breach** (§164.402(2) exception).
|
|
71
|
+
- Acceptable: AES-128+, NIST FIPS 140-2 validated
|
|
72
|
+
- Must maintain documentation of encryption
|
|
73
|
+
|
|
74
|
+
---
|
|
75
|
+
|
|
76
|
+
## 3. Notification to Individuals
|
|
77
|
+
### §164.404
|
|
78
|
+
|
|
79
|
+
### Timeline:
|
|
80
|
+
**Without unreasonable delay AND within 60 calendar days** of discovery of the breach.
|
|
81
|
+
|
|
82
|
+
Discovery = when CE/BA knew or should have known of the breach (not when investigation concludes).
|
|
83
|
+
|
|
84
|
+
### Method:
|
|
85
|
+
- **First choice**: Written notice by **first-class mail** to last known address
|
|
86
|
+
- **If email on file and individual agreed to electronic notice**: Email acceptable
|
|
87
|
+
- **If contact info insufficient or out-of-date** (10+ individuals): Substitute notice:
|
|
88
|
+
- Prominent posting on website homepage for 90 days + toll-free number, OR
|
|
89
|
+
- Major print/broadcast media in affected area
|
|
90
|
+
- **Urgent situations** (imminent misuse risk): Phone or other means in addition to written notice
|
|
91
|
+
|
|
92
|
+
### Required Content of Individual Notice (§164.404(c)):
|
|
93
|
+
1. Brief description of what happened (date of breach, date of discovery if known)
|
|
94
|
+
2. Description of types of PHI involved
|
|
95
|
+
3. Steps individuals should take to protect themselves
|
|
96
|
+
4. Brief description of what CE is doing to investigate, mitigate, and prevent recurrence
|
|
97
|
+
5. Contact info (toll-free number, email, website, or postal address)
|
|
98
|
+
|
|
99
|
+
---
|
|
100
|
+
|
|
101
|
+
## 4. Notification to HHS
|
|
102
|
+
### §164.408
|
|
103
|
+
|
|
104
|
+
### Timeline Depends on Breach Size:
|
|
105
|
+
|
|
106
|
+
| Affected Individuals | HHS Notification Deadline |
|
|
107
|
+
|---------------------|--------------------------|
|
|
108
|
+
| **500 or more** in a state/jurisdiction | **Simultaneously with individual notice** (within 60 days of discovery) |
|
|
109
|
+
| **Fewer than 500** | **Annual log** — submit within 60 days after end of calendar year |
|
|
110
|
+
|
|
111
|
+
### How to Submit:
|
|
112
|
+
- HHS Breach Reporting Portal: www.hhs.gov/hipaa/for-professionals/breach-notification/
|
|
113
|
+
- Breaches of 500+ are posted on HHS "Wall of Shame" (public)
|
|
114
|
+
|
|
115
|
+
### Required Information for HHS Report:
|
|
116
|
+
- Name of CE
|
|
117
|
+
- Contact information
|
|
118
|
+
- Type of breach (theft, loss, unauthorized access/disclosure, hacking, improper disposal, other)
|
|
119
|
+
- Location of breached information (laptop, paper, EHR, email, other)
|
|
120
|
+
- Number of individuals affected
|
|
121
|
+
- Date of breach
|
|
122
|
+
- Date of discovery
|
|
123
|
+
- Description of PHI types involved
|
|
124
|
+
- Description of safeguards in place
|
|
125
|
+
- Actions taken in response
|
|
126
|
+
|
|
127
|
+
---
|
|
128
|
+
|
|
129
|
+
## 5. Notification to Media
|
|
130
|
+
### §164.406
|
|
131
|
+
|
|
132
|
+
### Required When:
|
|
133
|
+
Breach affects **500 or more residents** of a **state or jurisdiction**.
|
|
134
|
+
|
|
135
|
+
### Timeline:
|
|
136
|
+
Without unreasonable delay and within **60 calendar days** of discovery.
|
|
137
|
+
|
|
138
|
+
### Method:
|
|
139
|
+
Notify prominent media outlets serving the affected state/jurisdiction (e.g., major newspaper, TV station).
|
|
140
|
+
|
|
141
|
+
### Content:
|
|
142
|
+
Same as individual notification content.
|
|
143
|
+
|
|
144
|
+
> Note: Media notification is IN ADDITION to individual and HHS notification — not a substitute.
|
|
145
|
+
|
|
146
|
+
---
|
|
147
|
+
|
|
148
|
+
## 6. Business Associate Obligations
|
|
149
|
+
### §164.410
|
|
150
|
+
|
|
151
|
+
### BA Must Notify CE:
|
|
152
|
+
- **Without unreasonable delay** and within **60 calendar days** of discovery
|
|
153
|
+
- BA discovery = when any employee, officer, or agent of BA knows (or should know)
|
|
154
|
+
|
|
155
|
+
### What BA Must Provide to CE:
|
|
156
|
+
- Identity of each individual affected (if known)
|
|
157
|
+
- All information needed for CE to provide required notifications
|
|
158
|
+
|
|
159
|
+
### CE Remains Responsible:
|
|
160
|
+
- The CE must send notifications to individuals, HHS, and media
|
|
161
|
+
- CE's 60-day clock runs from CE's discovery OR BA's notification (whichever is earlier)
|
|
162
|
+
- CE and BA should establish clear breach notification obligations in BAA
|
|
163
|
+
|
|
164
|
+
### BA-to-Subcontractor:
|
|
165
|
+
- Subcontractors of BAs must notify the BA (same timeline)
|
|
166
|
+
- Chain of notification flows up: Subcontractor → BA → CE
|
|
167
|
+
|
|
168
|
+
---
|
|
169
|
+
|
|
170
|
+
## 7. Documentation Requirements
|
|
171
|
+
### §164.414
|
|
172
|
+
|
|
173
|
+
### Must Maintain Documentation of:
|
|
174
|
+
- Risk assessments for incidents (justifying breach vs. non-breach determination)
|
|
175
|
+
- All notifications sent (copies)
|
|
176
|
+
- Dates notifications were sent
|
|
177
|
+
- Substitute notice postings
|
|
178
|
+
- HHS reports submitted
|
|
179
|
+
- Media notifications
|
|
180
|
+
|
|
181
|
+
### Retention: 6 years from creation or last effective date
|
|
182
|
+
|
|
183
|
+
### Best Practice — Incident Log:
|
|
184
|
+
Maintain a running log of all security incidents (whether or not they rise to reportable breach level). Useful for:
|
|
185
|
+
- Demonstrating Security Rule compliance (§164.308(a)(6))
|
|
186
|
+
- Pattern identification
|
|
187
|
+
- HHS investigations
|
|
188
|
+
- Annual HHS small breach reporting
|
|
189
|
+
|
|
190
|
+
---
|
|
191
|
+
|
|
192
|
+
## 8. Penalties & Enforcement
|
|
193
|
+
### HITECH / §160.404
|
|
194
|
+
|
|
195
|
+
### Civil Money Penalties (CMPs):
|
|
196
|
+
|
|
197
|
+
| Violation Category | Per Violation | Calendar Year Cap |
|
|
198
|
+
|-------------------|--------------|-------------------|
|
|
199
|
+
| Did not know (reasonable diligence) | $137 – $68,928 | $2,067,813 |
|
|
200
|
+
| Reasonable cause (not willful neglect) | $1,379 – $68,928 | $2,067,813 |
|
|
201
|
+
| Willful neglect — corrected | $13,785 – $68,928 | $2,067,813 |
|
|
202
|
+
| Willful neglect — not corrected | $68,928 – $2,067,813 | $2,067,813 |
|
|
203
|
+
|
|
204
|
+
> Note: Penalty amounts are adjusted annually for inflation (figures above are approximate 2024 levels).
|
|
205
|
+
|
|
206
|
+
### Criminal Penalties (§1320d-6):
|
|
207
|
+
- Knowingly obtaining/disclosing PHI: Up to $50,000 + 1 year imprisonment
|
|
208
|
+
- Under false pretenses: Up to $100,000 + 5 years
|
|
209
|
+
- With intent to sell/transfer/use for commercial advantage: Up to $250,000 + 10 years
|
|
210
|
+
|
|
211
|
+
### State Attorneys General:
|
|
212
|
+
- May bring civil actions for HIPAA violations on behalf of state residents
|
|
213
|
+
- May obtain $100/violation, up to $25,000/year per violation category (pre-inflation)
|
|
214
|
+
|
|
215
|
+
### HHS Enforcement Priorities (Historical):
|
|
216
|
+
- Risk analysis failures (most common)
|
|
217
|
+
- Access control deficiencies
|
|
218
|
+
- Insufficient encryption (not implementing addressable standard)
|
|
219
|
+
- Business Associate Agreement failures
|
|
220
|
+
- Insufficient audit logging
|
|
221
|
+
- Failure to timely notify of breaches
|
|
222
|
+
|
|
223
|
+
---
|
|
224
|
+
|
|
225
|
+
## 9. Breach Response Workflow
|
|
226
|
+
|
|
227
|
+
```
|
|
228
|
+
INCIDENT DETECTED
|
|
229
|
+
│
|
|
230
|
+
▼
|
|
231
|
+
STEP 1: CONTAINMENT (Immediate)
|
|
232
|
+
- Isolate affected systems
|
|
233
|
+
- Preserve evidence (logs, screenshots)
|
|
234
|
+
- Prevent further unauthorized access
|
|
235
|
+
- Assign incident response team
|
|
236
|
+
│
|
|
237
|
+
▼
|
|
238
|
+
STEP 2: INVESTIGATION (Days 1-14)
|
|
239
|
+
- What PHI was involved? (types, quantity)
|
|
240
|
+
- When did breach occur? When discovered?
|
|
241
|
+
- Who was affected (individuals)?
|
|
242
|
+
- How did breach occur?
|
|
243
|
+
- Was encryption in place?
|
|
244
|
+
│
|
|
245
|
+
▼
|
|
246
|
+
STEP 3: RISK ASSESSMENT (Days 1-30)
|
|
247
|
+
- Apply 4-Factor Test (see Section 2)
|
|
248
|
+
- Document analysis contemporaneously
|
|
249
|
+
- Determine: Reportable Breach or Not?
|
|
250
|
+
│
|
|
251
|
+
├─ NOT A BREACH ──→ Document findings; close incident; review safeguards
|
|
252
|
+
│
|
|
253
|
+
▼
|
|
254
|
+
STEP 4: IF REPORTABLE BREACH
|
|
255
|
+
│
|
|
256
|
+
├─ Notify INDIVIDUALS within 60 days of discovery
|
|
257
|
+
├─ Notify HHS:
|
|
258
|
+
│ ├─ 500+ affected: Within 60 days of discovery
|
|
259
|
+
│ └─ <500 affected: Add to annual log; report by Mar 1 of following year
|
|
260
|
+
└─ Notify MEDIA if 500+ residents in a state/jurisdiction
|
|
261
|
+
│
|
|
262
|
+
▼
|
|
263
|
+
STEP 5: REMEDIATION
|
|
264
|
+
- Address root cause
|
|
265
|
+
- Enhance safeguards
|
|
266
|
+
- Update policies/procedures
|
|
267
|
+
- Retrain workforce
|
|
268
|
+
- Update Risk Analysis
|
|
269
|
+
│
|
|
270
|
+
▼
|
|
271
|
+
STEP 6: DOCUMENTATION
|
|
272
|
+
- Incident report with all details
|
|
273
|
+
- Risk assessment documentation
|
|
274
|
+
- Copies of all notifications sent
|
|
275
|
+
- Remediation steps taken
|
|
276
|
+
```
|
|
277
|
+
|
|
278
|
+
---
|
|
279
|
+
|
|
280
|
+
## 10. Common Breach Scenarios
|
|
281
|
+
|
|
282
|
+
| Scenario | Breach? | Key Considerations |
|
|
283
|
+
|----------|---------|-------------------|
|
|
284
|
+
| Laptop with unencrypted PHI stolen | **Yes** (unless risk assessment rebuts) | Encryption safe harbor doesn't apply; document risk assessment |
|
|
285
|
+
| Encrypted laptop stolen | **Likely not** | Confirm encryption was FIPS 140-2 compliant; document |
|
|
286
|
+
| Email with PHI sent to wrong patient | **Risk assess** | Did recipient view it? Can they be contacted to confirm deletion? |
|
|
287
|
+
| PHI mailed to wrong address | **Risk assess** | Was it returned unopened? Could recipient have retained it? |
|
|
288
|
+
| Employee snoops on celebrity patient records | **Yes** | Workforce members are authorized users but this is impermissible access |
|
|
289
|
+
| Ransomware encrypts ePHI | **Likely yes** | Access/acquisition occurred; must conduct risk assessment; difficult to rebut |
|
|
290
|
+
| Vendor (BA) has breach | **Yes** | BA must notify CE; CE must notify individuals within 60 days |
|
|
291
|
+
| PHI posted on social media by employee | **Yes** | Impermissible disclosure; high severity |
|
|
292
|
+
| Paper PHI left in unsecured area briefly | **Risk assess** | Was it accessed? By whom? Mitigated? |
|
|
293
|
+
| Verbal disclosure of PHI to wrong party | **Privacy Rule** (not Security Rule) | Breach Notification applies to PHI broadly, not just ePHI |
|