How does a covered entity or business associate perform a risk assessment to determine if a breach occurred?
A covered entity or business associate needs to develop a risk assessment plan for determining whether a breach occurred and, if so, whether it poses a significant risk of financial, reputational, or other harm to the affected individual. In developing its risk assessment plan, a covered entity or business associate should also consider requirements under state law. In general, the risk assessment plan will need to define processes to do the following:
1) Determine whether an impermissible use or disclosure of PHI under the Privacy Rule occurred.
The risk assessment plan should include an assessment of whether the potential breach involved PHI. If the information involved was de-identified, or was a limited data set with date of birth and zip code excluded, it is not PHI under the HIPAA Privacy Rule.
- De-identified health information: Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information. (45 CFR Sec. 164.514 (a)).
- Limited data set: A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual. Under the Breach Notification Rule, an explicit exception to a breach exists if the limited data set also excludes date of birth and zip code.
2) Determine whether the PHI involved in the impermissible use or disclosure was unsecured.
The plan should next attempt to determine whether the PHI involved in the breach was appropriately encrypted or destroyed prior to the use or disclosure in question. (See question -- What can we do to render PHI "unusable, unreadable, or indecipherable"?)
3) Determine whether the use or disclosure falls under an exception.
- If the use or disclosure of the PHI was by a workforce member (e.g., employee, volunteer, trainee, or other person who works for a covered entity regardless of whether they are paid) made in good faith within the course or scope of employment or other professional relationship and does not result in further use or disclosure.
- Inadvertent disclosures by a similarly situated individual who is authorized to access PHI at the same facility.
- If the unauthorized person to whom PHI had been disclosed would not have been reasonably able to read or retain this information.
4) Determine and document whether the impermissible use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual(s).
In determining whether the use or disclosure compromised the security or privacy of the PHI and poses a significant risk of harm, the following factors should be considered:
- Who impermissibly used the PHI or to whom was the PHI impermissibly disclosed?
- Did immediate steps taken to mitigate an impermissible use or disclosure eliminate or reduce the risk of harm to a less than "significant risk"?
- Was the PHI returned prior to it being accessed for an improper purpose?
- What type and amount of PHI was involved in the impermissible use or disclosure?
Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.