HIPAA Tip: Risk Assessment Process for Breaches

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates, based on a documented risk assessment, that there is a low probability that the PHI has been compromised. When a breach of unsecured PHI occurs, the Rules require your organization to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, to notify the Secretary of HHS, and, when more than 500 residents of a state or jurisdiction are affected, to notify prominent media outlets as well.

When a suspected breach of PHI has occurred, first conduct a risk assessment to examine the likelihood that the PHI has been compromised. To demonstrate that an incident did not compromise PHI, your organization must thoroughly assess, at a minimum, the following four required factors:

  • The nature and extent of the PHI involved in the use or disclosure, including the types of identifiers and the likelihood that the PHI could be re-identified. NOTE: PHI that was encrypted in a manner consistent with the HHS guidance (which points to the NIST encryption standards) is not "unsecured" PHI, so its loss or exposure is not a reportable breach, provided the decryption key or passphrase was not also exposed in the same incident.
  • The unauthorized person who used the PHI or to whom the disclosure was made (for example, another HIPAA-regulated entity that is itself obligated to protect the data presents a lower risk than an unknown third party).
  • The likelihood that any PHI was actually acquired or viewed. Audit logs and, for a recovered device, forensic analysis are the evidence that the records were or were not opened.
  • The extent to which the risk to the PHI has been mitigated, for example by changing passwords and encryption keys, or by obtaining the recipient's written assurance that the PHI has been returned or destroyed and not further used or disclosed.

These four factors come from the Breach Notification Rule's definition of a breach (45 CFR 164.402). Document the assessment and its conclusion in every case: the burden of proving that notification was not required rests with the Covered Entity or Business Associate.

On a last note, be diligent and proactive. Conduct an annual Risk Analysis for your organization to identify risks and vulnerabilities before they turn into a security incident or, worse, a breach.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.