What is a HIPAA Four Factor Risk Assessment?

You may have heard of a HIPAA four factor risk assessment but aren’t sure what the term means. The HIPAA Breach Notification Rule requires certain breaches of unsecured protected health information (PHI) to be reported to affected individuals and the Department of Health and Human Services (HHS).

Knowing when to report a breach requires first knowing what constitutes a breach. The HIPAA Breach Notification Rule defines a breach as the “acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the PHI.” 

OK… So, what constitutes a “compromise of the security or privacy of PHI?” Well, HIPAA has a test for determining that. The test is called the HIPAA four factor risk assessment test.

HIPAA Four Factor Risk Assessment: The Rules of the Game

As implied by the name, a HIPAA four factor risk assessment is an assessment of four risk factors. Under HIPAA, a breach is presumed to have compromised the security or privacy of PHI. 

A provider or business associate must perform the HIPAA four factor risk assessment to determine whether this presumption is appropriate. Considering the four factors is the minimum assessment an entity must make; it can assess other factors relevant in determining the risk of compromise as appropriate.

The results of the HIPAA four factor risk assessment may warrant a conclusion that there is a more-than-low probability that PHI has been compromised. Or, the results might point the other way, warranting a conclusion that there is a low probability of compromise. If there is a low probability of compromise, the incident is not a breach under the HIPAA Breach Notification Rule.

So, on to the four factors.

HIPAA Four Factor Risk Assessment Number 1: Nature and Extent of PHI Involved

The first factor to evaluate under the HIPAA four factor risk assessment is, “What is the nature and extent of the PHI involved in this potential breach?”

To make a proper assessment, covered entities (CEs) and business associates (BAs) should consider the type of PHI involved. 

  • Is that information sensitive, such as credit card or social security numbers?
  • What is the likelihood that the PHI involved can be used by an unauthorized person to cause harm to a patient?

If, for example, the exposed PHI is an individual’s first and last name, there is less of a “likelihood of harm” than if the PHI included not only first and last name but also credit card numbers and bank account numbers. This extra, sensitive information allows hackers to steal identity and money with greater ease and speed.

This assessment should also take into account how many direct identifiers were exposed. A direct identifier identifies an individual; no additional evidence is needed, and no inferences need to be drawn. 

“Mrs. Jane Smith lives on 120 Pamela Lane, in a Chicago suburb” is a direct identifier. “A lady with brown hair lives in Chicago” is not – further sleuthing is needed to determine that the brown-haired Chicagoan lady is Mrs. Smith of 120 Pamela Lane. 

In situations where there are few direct identifiers in the information that was exposed, a CE or BA should determine whether it is likely that the exposed PHI could be either reidentified based on context, or linked with other available information. Change the facts slightly. 

“Mrs. (insert longer, more-difficult-to-pronounce name here) lives within 2 miles of Lake Tear of the Clouds.” The context now is not the whole of Chicago but a small tarn on the southwest slope of Mount Marcy. Suddenly, the possibility of re-identification appears more likely. A greater probability of re-identification points to an overall greater, rather than smaller, risk of compromise.

HIPAA Four Factor Risk Assessment Number 2: Unauthorized Person Who Used PHI

The first factor of the HIPAA four factor assessment focuses primarily on what: what was viewed, and what might have been disclosed.

For the second assessment, the HIPAA eye turns to who (yes, they’re in the wrong order, as any journalist would know). The second assessment requires consideration of whether the unauthorized person who viewed the PHI is themselves under an obligation to comply with HIPAA.

For example, the unauthorized recipient may work for a different provider or a group health plan. This recipient’s employment requires them to comply with HIPAA. Therefore, if the information is disclosed to a “HIPAA-bound” person, a CE or BA performing the assessment can conclude that the PHI is less likely to be compromised than if the recipient were a known identity thief. However, the unauthorized HIPAA-bound employee may be a disgruntled former employee of the CE or BA. In performing the assessments, the law permits a CE or BA to draw reasonable conclusions; it does not demand conclusions that are perfect or never wrong.

The CE or BA should perform the second assessment in tandem with the “risk of re-identification” assessment. In other words, if the PHI that was impermissibly used or disclosed is not immediately identifiable, the CE or BA should determine whether the unauthorized recipient is capable of re-identifying the information. 

For example, if an employer, without authorization, viewed exposed PHI containing treatment dates and diagnoses of its employees, the employer has a re-identification leg up, so to speak. The employer, based on other information at its disposal, such as dates of work and absences, may be able to put the PHI pieces together with an accuracy and speed another entity could not. If re-identification is easier because of “who,” there may be more than a low probability that the PHI was compromised.

On the other hand, if the information is used without authorization within an organization, but that use does not result in unauthorized disclosure to the outside world, the probability that PHI was compromised may be lower, all other things equal. 

HIPAA Four Factor Risk Assessment Number 3: Whether PHI Was Actually Acquired or Viewed

You’ve made it to factor 3. The factor 3 risk assessment requires an entity to determine whether PHI was actually acquired or viewed or, in contrast, whether only the opportunity to acquire or view the PHI was present.

Forensic analysis plays a key role here. Say a laptop is hacked. Painstaking forensic analysis reveals that PHI on the computer was never actually viewed, acquired, accessed, transferred, or otherwise exposed. Whew. This good news supports the conclusion that there is a lower probability that PHI was compromised. 

What about if a provider accidentally mails a medical record of patient X to person Z? Z opens the envelope, and promptly calls the provider to say that Z received the information by mistake. We know that Z viewed and acquired the information. We don’t know for how long. 

Z may have viewed the information only as long as needed to conclude that a mailing error was made. Or, if a nosy type, Z may have read the information several times. We don’t know, and we can’t find out. The conclusion to draw here is ambiguous, neither clearly supporting nor refuting a finding of low probability of PHI compromise.

HIPAA Four Factor Risk Assessment Number 4: The Extent to Which the Risk to PHI Has Been Mitigated

The fourth risk assessment factor requires CEs and BAs to analyze the extent to which the risk to PHI has been mitigated. To perform this assessment, CEs and BAs should attempt to mitigate risks following an unauthorized use or disclosure.

Mitigation measures to consider include:

  • Obtaining the recipient’s satisfactory assurances (in the form of a confidentiality agreement) that the information will not be further used or disclosed.
  • Obtaining the recipient’s satisfactory assurances that the information will be destroyed and obtaining a statement verifying that the information was destroyed.

Granted, people may lie. But, HIPAA allows a CE or BA to conclude that assurance from one’s workforce, BA, or another HIPAA-bound entity is “worth” more than a similar assurance from a non-HIPAA-bound party.

Once the four assessments are performed, covered entities and business associates should document all findings. The assessment should bear on the issue of whether there is a low probability that the PHI was compromised.

Covered entities and business associates should assess other factors as well. Other factors to assess include, for example:

  • Whether there have been any recent breaches;
  • How those breaches were caused; and
  • Whether the problems that led to the breach were corrected or mitigated.

Additionally, a CE or BA can consider factors such as their own workforce’s history (if any) of inappropriate access to PHI. All additional assessments should be documented. The more thorough the overall assessment is, the greater the strength of the overall conclusion (compromised or not?) will be.