Attendee view — what you’d normally see
You’re looking at the locked record state — the drill is finished, the facilitator has hit Lock, and Claude has already generated the AI Coaching panel below. In a live drill, attendees see:
- Live data — the drill clock, the current inject, and delivery status update every 3 seconds without refreshing. When the facilitator pauses, your clock freezes too. Open this URL on a TV or hand it to security leadership and they follow the room without screen-sharing.
- Pick your role first, then answer each inject. The facilitator hands you a separate Participant URL; on landing you select your role from your tenant’s org-shape roster (e.g., M365 Admin, VP IT, External IR Retainer). Each inject then has a text box where you submit your own written answer. Submissions stream onto the facilitator’s screen in real time with your selected role attached — when the facilitator Drops the inject, your role-tagged response is locked into the auditor evidence record alongside the team’s consensus answer. Auditors get full attribution: which role said what, at which T+N drill-clock minute.
- AI Coaching only unlocks after the facilitator hits Lock — Claude reviews every team response, every score, and the per-inject pacing, then writes the coaching panel you see further down. It’s pre-populated here so you can see the full post-lock view; in a real drill the panel would be blank with a “Generating AI coaching feedback…” spinner for ~30-60 seconds after Lock.
Misdirected fax exposes 312 patient records to competitor's office
Your HIPAA scan flagged that the fax-out workflow has no validation step. This scenario walks through the §164.402 4-factor analysis and the §164.404 notification mechanics for a misdirected-PHI event.
Drill is locked
The facilitator has locked the session. The full evidence record — including all team responses, scoring, and the per-inject pacing audit — is now available at the canonical session URL.
Open the locked record →
AI Coaching
Strong
The team walked through the §164.402 4-factor analysis with the rigor the framework requires — each factor was discussed, evidence was identified, and the more-than-low-probability decision was made deliberately rather than instinctively. Where the drill exposed gaps was on the 500-individual notification threshold (team initially miscounted the affected population) and on the timing-clock owner question — nobody could answer who is responsible for tracking the 60-day notification window. The drill is the place to find that out; the team did.
Process rigor on 4-factor analysis was exemplary; threshold-knowledge gaps and the clock-owner blind spot held this below exemplary. Strong is correct — competent execution with addressable gaps.
Top strengths
- §164.402 4-factor analysis was walked through deliberately, not retrofit
- Forensic evidence requirements (what to preserve, who preserves it) were named correctly
- Risk mitigation factor was challenged appropriately — team did not over-rely on 'we patched the gap' as evidence of reduced harm
Top gaps
- Affected-individual count was miscounted (team estimated 280; actual exposure was 612 — pushed over §164.408 large-breach threshold)
- 60-day notification clock owner was unidentified — no role volunteered to track it
- HHS notification distinction (immediate for ≥500 vs annual summary for <500) was not surfaced until prompted
Per-inject feedback (5 injects)
What went well: Team invoked the 4-factor framework by name within the first 3 minutes — no preamble, no 'let me look up the framework first.'
What fell short: Roll-call of attendees did not include the privacy officer initially; they were paged but not in the room. Time wasted waiting.
Coaching: Privacy officer in the room from minute zero on any HIPAA drill. Make this a participants-list default.
What went well: Team correctly identified that the unauthorized recipient question (factor 2) was unanswerable from the available evidence — flagged it as needing forensic work.
What fell short: Affected-individual count was estimated visually from a list rather than systematically queried. The 280 vs 612 gap is the real-world risk: the team didn't know it was over the 500 threshold.
Coaching: For any breach drill, the very first SQL/Graph query the team runs should be the exact count, not an estimate. Build the query template in advance.
What went well: Team correctly invoked §164.404 (individual notice) timing as 60 days from discovery, not from incident occurrence.
What fell short: When asked 'who's tracking the 60-day clock,' no role volunteered. Privacy officer suggested they'd track it but did not commit; legal said they'd 'remind' the privacy officer.
Coaching: Notification-clock ownership is a single named role. Not 'privacy + legal will coordinate' — one name, one calendar invite.
What went well: Team identified the media-notification requirement under §164.406 when the threshold was confirmed.
What fell short: Media-notification draft was discussed conceptually but no template was identified. In a real breach the team has hours, not days, to draft media-facing comms.
What went well: HHS notification mechanism (the breach portal) was named correctly. Team knew the immediate-vs-annual distinction once prompted.
What fell short: Knowing the distinction once prompted is not the same as knowing it cold. The drill is the place to make this automatic.
Per-criterion scoring calibration (6 criteria)
§164.402 4-factor analysis rigor
5 is correct. Walked through deliberately; evidence-grounded; mitigation factor challenged appropriately.
Affected-individual count accuracy
2 is correct. Estimated, not measured — the 280-vs-612 gap is the threshold for 2.
Notification timeline awareness
4 is appropriate. 60-day window cited correctly; the HHS distinction surfaced only when prompted (would need to be unprompted for a 5).
Notification ownership clarity
2 is correct. Clock owner unidentified, which is the exact threshold definition for a 2.
Forensic preservation discipline
4 is appropriate. Preservation requirements named; chain-of-custody specifics were thin.
Media + regulator communication readiness
3 is correct. Awareness, no pre-built template — middle threshold.
Top-3 IR plan recommendations
Pre-build the exact-count Graph/SQL query for affected-individual lookup
The 280-vs-612 miscount is the difference between annual-summary-only and immediate-HHS notification + media coverage. Pre-built query removes the estimation risk entirely.
Owner: Privacy officer + Data engineering · Effort: S · HIPAA §164.408 · NIST CSF RS.AN-3
Assign single named owner for the 60-day §164.404 notification clock
Clock ownership ambiguity is the most common cause of notification-deadline slips. Drill surfaced this; codify the named owner in the IR plan before a real incident.
Owner: Privacy officer (default; can be delegated by name) · Effort: S · HIPAA §164.404 · NIST CSF RS.CO-3
Pre-draft media-notification template for ≥500-individual breach scenarios
Hours-not-days timeline. Drafting from scratch under pressure produces poor copy; pre-drafted template with fill-in-the-blanks is the difference between a clean media moment and a defensive one.
Owner: Communications + Legal · Effort: M · HIPAA §164.406
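The first two recommendations above (the pre-built exact-count query and the single-owner 60-day clock) as a runnable sketch. This is an added example, not part of the drill record or the product's own code; it assumes a hypothetical fax_out_log table with one row per patient per page, runs the SQL template against constructed data in an in-memory SQLite database, and computes the §164.404 deadline from the discovery date.

```python
import sqlite3
from datetime import date, timedelta

# §164.408 large-breach threshold and §164.404 outer notification limit.
LARGE_BREACH_THRESHOLD = 500
NOTICE_WINDOW_DAYS = 60

# Hypothetical table: one row per (fax job, page, patient named on that page).
SCHEMA = "CREATE TABLE fax_out_log (fax_job_id TEXT, page_no INTEGER, patient_id TEXT)"

# The pre-built template: exact count, not an estimate. DISTINCT matters because
# one patient can appear on several pages of a batch, which inflates a row count
# and makes a visual estimate unreliable in either direction.
EXACT_COUNT_SQL = "SELECT COUNT(DISTINCT patient_id) FROM fax_out_log WHERE fax_job_id = ?"
ROW_COUNT_SQL = "SELECT COUNT(*) FROM fax_out_log WHERE fax_job_id = ?"


def build_sample_db(job_id="FAX-0417", n_patients=612):
    """Constructed data set (placeholder ids): n_patients distinct patients in one
    misdirected job, many repeated across pages, plus an unrelated job that must
    not be counted."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = []
    for i in range(n_patients):
        for page in range(1 + i % 3):            # each patient appears on 1..3 pages
            rows.append((job_id, i // 10 + page, f"P{i:04d}"))
    rows += [("FAX-0418", 1, f"Q{i:03d}") for i in range(40)]
    conn.executemany("INSERT INTO fax_out_log VALUES (?, ?, ?)", rows)
    return conn


def exact_affected_count(conn, job_id):
    return conn.execute(EXACT_COUNT_SQL, (job_id,)).fetchone()[0]


def raw_row_count(conn, job_id):
    return conn.execute(ROW_COUNT_SQL, (job_id,)).fetchone()[0]


def notification_tier(affected):
    """§164.408: 500 or more individuals -> notify HHS at the same time as the
    individuals; fewer -> log it and report in the annual submission. The §164.406
    media notice is assessed separately against the per-state resident count."""
    return "immediate_hhs" if affected >= LARGE_BREACH_THRESHOLD else "annual_hhs_log"


def notice_deadline(discovered):
    """§164.404: no later than 60 calendar days after discovery (not after the
    fax was sent). One named owner puts this date on the calendar."""
    return discovered + timedelta(days=NOTICE_WINDOW_DAYS)
```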
Pacing observation
Pacing was deliberate — 38s average drift positive (late) reflects substantive discussion, not delay. The 15-minute and 30-minute injects ran particularly long because the team was genuinely working through the framework rather than performing it. That's the right tradeoff for a HIPAA drill.
Drill duration: 1:12:08 · Avg drift: 38s
Generated by claude-haiku-4-5-20251001 on May 10, 2026, 15:43:08 UTC. SHA-256: sha256:5f3a7c2e9b1d4f6a8c3e5b7d9a1f3c5e7b9d1a3c5e7f9b1d3a5c7e9f1b3d5a7c
Inject timeline
Read-only view of every inject and whether the facilitator has delivered it yet. Spectators do not see the “Expected action” lines — those stay with the facilitator until the post-drill debrief.
- 1. T+10 min · ✓ Past
Privacy Officer: 'I just received the call from the receiving practice. Their office manager said the fax has been on their MFP since 14:08. She's asking what to do with it.' Privacy Officer needs to give an answer within 5 minutes.
Participant submissions — none yet for inject 1. Share the participant URL to invite team input. Submissions appear here as they land.
Advanced past at T+10:00
- 2. T+25 min · ✓ Past
Compliance lead pulls the chart of breaches in the rolling 12-month window. We had two prior misdirected-fax events of 8 records and 24 records. With this 312, we're at 344 — still under 500. Facilitator note (added in v1): if the team cannot answer within the inject window, the IR pre-built escalation tree applies — escalate to the named owner one tier above before the response runs over.
Participant submissions — none yet for inject 2. Share the participant URL to invite team input. Submissions appear here as they land.
Advanced past at T+25:00
- 3. T+40 min · ✓ Past
Legal counsel walks the §164.402 4-factor in detail. Verdict: probability of compromise is *more than low* (paper sat on a shared MFP for 47 minutes; multiple staff likely walked past). This is a breach.
Participant submissions — none yet for inject 3. Share the participant URL to invite team input. Submissions appear here as they land.
Advanced past at T+40:00
- 4. T+55 min · ✓ Past
Communications lead asks: 'How do we tell 312 patients? What's our notification template? Do we have one?' If you don't, what's the fastest legitimate way to draft and approve one?
Participant submissions — none yet for inject 4. Share the participant URL to invite team input. Submissions appear here as they land.
Advanced past at T+55:00
- 5. T+70 min · ▶ Active — currently discussing
Practice manager: 'How do we make sure the next billing batch doesn't have the same problem?' Veri-Tech's HIPAA scan finding HIPAA-AS-002 is sitting open.
- 6. T+85 min · Pending
Inject content revealed when this inject becomes active.
Spectator view is read-only. Team responses, scoring, and the facilitator’s “Expected action” reference text are not shown here — they live on the runner page and become part of the locked record. To facilitate the drill, open the runner instead.
