What is a HIPAA Four Factor Risk Assessment?


You may have heard of a HIPAA four factor risk assessment but aren’t sure what the term means. The HIPAA Breach Notification Rule requires certain breaches of unsecured protected health information (PHI) to be reported to affected individuals and the Department of Health and Human Services (HHS).

Knowing when to report a breach requires first knowing what constitutes a breach. The HIPAA Breach Notification Rule defines a breach as the “acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the PHI.” 

OK… So, what constitutes a “compromise of the security or privacy of PHI?” Well, HIPAA has a test for determining that. The test is called the HIPAA four factor risk assessment test.

HIPAA Four Factor Risk Assessment: The Rules of the Game

As implied by the name, a HIPAA four factor risk assessment is an assessment of four risk factors. Under HIPAA, a breach is presumed to have compromised the security or privacy of PHI unless the entity can demonstrate otherwise.

A provider or business associate must perform the HIPAA four factor risk assessment to determine whether this presumption is appropriate. Considering the four factors is the minimum assessment an entity must make; it can assess other factors relevant in determining the risk of compromise as appropriate.

The results of the HIPAA four factor risk assessment may warrant a conclusion that there is a more-than-low probability that PHI has been compromised. Or, the results might point the other way, warranting a conclusion that there is a low probability of compromise. If there is a low probability of compromise, the incident is not a breach under the HIPAA Breach Notification Rule.

So, on to the four factors.

HIPAA Four Factor Risk Assessment Number 1: Nature and Extent of PHI Involved

The first factor to evaluate under the HIPAA four factor risk assessment is, “What is the nature and extent of the PHI involved in this potential breach?”

To make a proper assessment, covered entities (CEs) and business associates (BAs) should consider the type of PHI involved. 

  • Is that information sensitive, such as credit card or Social Security numbers?
  • What is the likelihood that the PHI involved can be used by an unauthorized person to cause harm to a patient?

If, for example, the exposed PHI is an individual’s first and last name, there is less of a “likelihood of harm” than if the PHI included not only first and last name but also credit card numbers and bank account numbers. This extra, sensitive information allows an attacker to steal identities and money with greater ease and speed.

This assessment should also take into account how many direct identifiers were exposed. A direct identifier identifies an individual; no additional evidence is needed, and no inferences need to be drawn. 

“Mrs. Jane Smith lives on 120 Pamela Lane, in a Chicago suburb” is a direct identifier. “A lady with brown hair lives in Chicago” is not – further sleuthing is needed to determine that the brown-haired Chicagoan lady is Mrs. Smith of 120 Pamela Lane. 

In situations where there are few direct identifiers in the information that was exposed, a CE or BA should determine whether it is likely that the exposed PHI could be either re-identified based on context or linked with other available information. Now change the facts slightly.

“Mrs. (insert longer, more-difficult-to-pronounce name here) lives within 2 miles of Lake Tear of the Clouds.” The context now is not the whole of Chicago but a small tarn on the southwest slope of Mount Marcy. Suddenly, the possibility of re-identification appears more likely. A greater probability of re-identification points to an overall greater, rather than smaller, risk of compromise.
