Modern technology allows the easy collection and distribution of personally identifiable information — and concerns about the unintended distribution of that personal data have led to a wave of data privacy laws around the world.

The U.S. Health Insurance Portability and Accountability Act (HIPAA) is one such law, and imposes strict rules on how hospitals, health plans, healthcare clearinghouses, and other “covered entities” (and their business associates) handle protected health information (PHI). Protecting PHI is a paramount concern for such organizations, and they can face substantial regulatory penalties, notification costs, and litigation if they suffer a breach of that data.

Given that pressure, healthcare organizations rely on breach risk assessments to determine their exposure to potential theft, misuse, or unauthorized disclosure of protected data. This article will review the factors that go into a breach risk assessment and how an organization can apply them wisely.

What Is a Breach Risk Assessment?

The U.S. Department of Health and Human Services (HHS) defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Under the Breach Notification Rule, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

A HIPAA breach risk assessment is the tool an organization uses to make that demonstration after a specific incident: it evaluates whether an impermissible use or disclosure of PHI is likely to have compromised the data and therefore triggers notification obligations.

Unlike other risk assessments, a breach risk assessment under the HIPAA Breach Notification Rule must, at a minimum, consider four specific factors to determine the probability that the PHI has been compromised. It is distinct from the periodic, enterprise-wide security risk analysis required by the HIPAA Security Rule, which looks at threats to electronic PHI in general rather than at one incident.

The Four Factors of a HIPAA Breach Risk Assessment

To support a low-probability-of-compromise conclusion, a breach risk assessment must address at least four factors for any impermissible use or disclosure of unsecured PHI. (PHI that was rendered unusable, unreadable, or indecipherable to unauthorized persons, for example by encryption or destruction consistent with HHS guidance, is not “unsecured,” and its loss does not require notification in the first place.) In practice, each factor is rated as high, medium, or low risk, and the ratings are then combined to establish the overall risk that the PHI has been compromised.

  1. What kind of PHI was involved, and what is the extent of its use?

    Not all PHI has the same potential to identify the affected patient; therefore, the assessment must consider the types of identifiers involved and the likelihood that the disclosed information could be re-identified.

    The assessment should weigh both the sensitivity of the PHI (for example, mental health history, HIV status, or data such as Social Security numbers that enables identity theft or financial harm) and the volume of PHI involved. The more identifiers and the more records disclosed, the easier re-identification becomes and the higher the risk.

  2. Who was the unauthorized organization or person?

    Another element to consider is who received or used the PHI.

    If the recipient is itself a covered entity or business associate bound by the HIPAA Privacy Rule, or a workforce member who is obligated to protect PHI, the probability that the information has been compromised is lower, because the recipient is already required to safeguard it. The assessment should also consider whether the recipient has the ability to re-identify the information.

    On the other hand, the risk is much higher if the recipient has no relationship to HIPAA and no obligation to protect the data. The nature of the entity or individual must therefore be taken into account.

  3. Did the organization or person procure or see the PHI?

    There is a notable difference between the possibility that information could have been acquired or viewed and whether the PHI was actually acquired or viewed.

    Forensic analysis can help determine whether the opportunity to access unsecured PHI was in fact taken. For example, if a stolen laptop is recovered and forensic evidence shows the PHI on it was never accessed, the risk is lower. The incident need not be malicious for this factor to apply: if someone opened a PHI file by accident, the PHI has still been viewed by an unauthorized person.

  4. How has the risk been mitigated?

    It’s impossible to determine a risk level without also assessing the mitigation steps the organization has taken in response to the incident.

    Whether those steps involve obtaining satisfactory assurances from the recipient, such as a signed confidentiality agreement (whose reliability depends on who the unauthorized person or entity is), or confirming that the information has been returned or destroyed, mitigation efforts play a vital role in the breach risk assessment.

Breach Risk Assessment Conclusion

Once the organization has rated each factor, it should reach a good-faith conclusion about the overall probability that the PHI has been compromised.

If the assessment concludes there is a low probability of compromise, the organization isn’t required to notify affected individuals, but it must document the assessment and its conclusion, because the covered entity or business associate bears the burden of proof that notification was not required. If the factors do not support a low-probability conclusion, notification is mandatory: affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery, with additional notification to HHS and, for larger breaches, to the media. An organization may also choose to skip the assessment and simply notify.

Where Do I Find a HIPAA Breach Risk Assessment Tool?

The HHS Office for Civil Rights (OCR), together with the Office of the National Coordinator for Health Information Technology (ONC), publishes the Security Risk Assessment (SRA) Tool to help covered entities and business associates perform the security risk analysis required by the HIPAA Security Rule. Note that the SRA Tool supports that enterprise-wide analysis; the four-factor breach risk assessment described above is a separate, incident-specific exercise that the organization must document itself.

ZenGRC can help you conduct these and other types of risk assessments, along with risk management and regulatory compliance. Its platform tracks your workflows and flags areas of high risk so you can address them before they become incidents.

ZenGRC is a governance, risk, and compliance solution that can help you set up, administer, and monitor your risk management framework and remediation procedures. It can also streamline the administration of the major cybersecurity and compliance frameworks, such as PCI DSS, ISO 27001, HIPAA, and others.

Schedule a free demo now to discover more about how ZenGRC may help you improve your cybersecurity practices.
