Under the HIPAA Breach Notification Rule, HIPAA covered entities must provide notification following a breach of unsecured protected health information (PHI). A breach is an impermissible (i.e., not authorized) use or disclosure of PHI under the HIPAA Privacy Rule, that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach, unless the covered entity performs a breach notification rule risk assessment, whose results demonstrate a low probability that the protected health information has been compromised.
What Factors Must be Analyzed in the Breach Notification Rule Risk Assessment?
The covered entity must conduct a breach notification rule risk assessment of at least the following four factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Each of these four factors is discussed in greater detail below.
HIPAA Breach Notification Rule Risk Assessment Factor One: Nature and Extent of PHI Involved
The first factor requires review of the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. Identifiers involved may include clinical information (e.g.., medical history, diagnoses, treatment plans), as well as non-clinical information (e.g., financial information, Social Security numbers). Even if an identifier does not directly identify an individual (meaning that the identifier must be combined with other information to make the identification), the likelihood of re-identification must be assessed. That is, covered entities must evaluate the possibility of the “non-direct” identifier being used, in combination with other information, to reidentify a specific patient.
HIPAA Breach Notification Risk Assessment Factor Number Two: The Unauthorized Person
Consideration of the second factor involves assessing what type of employee or entity used the PHI, and what type of employee or entity to whom the PHI was disclosed. If the unauthorized person who used the PHI or to whom disclosure of PHI was made, was required to be HIPAA-compliant, there may be a lower probability of compromise, so long as there was no further disclosure or use. If the disclosure of PHI made internally within an organization to an unauthorized person, then there may be a lower probability of compromise of the PHI so long as there was no further disclosure or use. On the other hand, if the unauthorized person was a cyberattacker or a third party with no relationship to either the patient or the covered entity, there would generally exist a higher probability that such individual or party, unconstrained by HIPAA or organizational rules, would make additional disclosures or uses of the PHI. As such, there would be a higher probability that PHI would be compromised.
HIPAA Breach Notification Risk Assessment Factor Number Three: Whether the PHI Was Actually Acquired or Viewed
Assessment of this factor requires the covered entity to consider whether the PHI was actually acquired or viewed by an unauthorized individual. In some cases, tangible evidence may exist that proves the PHI was actually acquired or viewed by an unauthorized individual. Such proof may “turn up” as a result of an audit log or access report.
In some cases, a covered entity may draw a reasonable inference that PHI was acquired or viewed by an unauthorized individual. Such an inference may be drawn when, for example, PHI has been accidentally exposed via a heavily-trafficked public web page. The inference may also be drawn if a device containing electronic protected health information (ePHI), such as a laptop or a flash drive, has been lost which contained PHI. If the ePHI was encrypted, there may be a lower probability of ePHI compromise, than would be the case if the ePHI was not encrypted or otherwise secured.
Breach Notification Rule Risk Assessment Factor Number Four: The Extent to Which the Risk to the PHI Has Been Mitigated
Assessment under the fourth factor involves considering what measures (if any) have been taken to mitigate the risk of the breach. Entities may consider whether specific mitigation measures, such as (for example) the unauthorized person destroying or deidentifying the PHI in an appropriate manner, may be considered.
What Must the Covered Entity Do Upon Completing the Risk Assessment?
If, as a result of the risk assessment, a covered entity cannot demonstrate that there is a low probability of compromise of the PHI, it must begin to follow the breach notification process by notifying the affected individuals, the Secretary of HHS and, when necessary, the media, in accordance with HIPAA regulations.