How Do You Conduct a HIPAA Violation Risk Assessment?

A HIPAA violation risk assessment is a documented evaluation performed after an impermissible use or disclosure to determine whether the incident is a breach of unsecured protected health information under the HIPAA Breach Notification Rule and whether breach notification is required.

The process begins by confirming that protected health information was involved, identifying the exact data elements, and determining whether the information was unsecured at the time of the incident, that is, not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. If the information was secured in that sense, the Breach Notification Rule's notice obligations do not apply, although the incident may still be an impermissible use or disclosure under the Privacy Rule. The incident is then scoped by establishing what happened, the date or date range, the date the organization discovered it (which starts the notification clock), the systems or locations involved, how the impermissible use or disclosure occurred, and whether any business associate or subcontractor participated. Evidence is preserved through log retention and controlled collection of relevant records, and the access pathways involved in the incident are closed to prevent further impermissible activity.

The assessment then applies the four factors listed in 45 CFR 164.402 to evaluate the probability that the protected health information has been compromised. First, the nature and extent of the protected health information is assessed, including the identifiers involved and the potential for re-identification, the level of clinical detail, and any financial or account information. Second, the unauthorized person who used or received the protected health information is evaluated, including whether the recipient is a covered entity, business associate, or workforce member already subject to legal duties to protect the information. Third, whether the protected health information was actually acquired or viewed is analyzed using available evidence such as access logs, transmission records, and forensic findings; a lost but never accessed encrypted device and a record that audit logs show was opened and exported sit at opposite ends of this factor. Fourth, the extent to which the risk has been mitigated is documented, including retrieval, secure deletion, confirmed destruction, or a signed attestation from the recipient, and any other containment actions that reduce the likelihood of further use or disclosure.

The final determination records whether the organization can support a finding of low probability that the protected health information has been compromised or whether breach notification is required. Documentation includes the facts relied on, the application of each factor, the decision rationale, and the corrective actions taken under the HIPAA Privacy Rule and HIPAA Security Rule to address the control or process failures that contributed to the incident. This record matters because the covered entity or business associate bears the burden of demonstrating either that the required notices were made or that the use or disclosure was not a breach, and the documentation must be retained for six years. If the assessment results in reportable breach obligations, the organization proceeds with notices to affected individuals without unreasonable delay and no later than 60 calendar days after discovery, to the Department of Health and Human Services (on the same 60-day clock when 500 or more individuals are affected, otherwise through the annual log), and to prominent media outlets when more than 500 residents of a single state or jurisdiction are affected, within the timeframes required by the HIPAA Breach Notification Rule.
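The following script is an added example and is not code from the article or from Calculated HIPAA. It walks the procedure above end to end over a few constructed audit-log lines: it scopes the incident to an actor and a time window, records which data elements and records were touched and whether any were unsecured, applies the four factors with a written rationale for each, and derives the notice obligations from the discovery date and headcount. The log format and field names, the user names jdoe and rnurse, the record identifiers, the treatment of an encrypted flag as the stand-in for "secured", the HIGH_SENSITIVITY element list, and the rule that combines the four factors into a determination are all assumptions made for illustration; the regulation lists the factors but leaves the weighing to the covered entity.

```python
"""Added example (not from the article): a scriptable breach risk assessment
that scopes an incident from audit-log lines, applies the four factors in
45 CFR 164.402, and derives the notice obligations. Log format, field names,
the sensitivity list and the decision policy are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed audit log (not real data). Assumed fields: timestamp, acting
# user, action, record id, PHI elements, and whether the PHI was encrypted
# at the point of use (used here as the stand-in for "secured").
SAMPLE_LOG = """\
2024-03-02T09:15:00 user=jdoe action=view record=P1001 elements=name,dob,diagnosis encrypted=no
2024-03-02T09:16:30 user=jdoe action=export record=P1002 elements=name,ssn,diagnosis encrypted=no
2024-03-02T09:17:10 user=jdoe action=view record=P1003 elements=name,mrn encrypted=yes
2024-03-02T09:40:00 user=rnurse action=view record=P1001 elements=name,dob,diagnosis encrypted=no
2024-03-03T10:00:00 user=jdoe action=view record=P1004 elements=name,phone encrypted=no
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)"
    r" elements=(?P<elements>\S+) encrypted=(?P<enc>yes|no)$")
# Assumed list of elements that weigh heavily under factor 1.
HIGH_SENSITIVITY = {"ssn", "diagnosis", "account", "card"}
ACQUIRING_ACTIONS = {"view", "export", "download"}


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    record: str
    elements: frozenset
    encrypted: bool


def parse_log(text):
    """Parse the assumed log format; a line that does not match raises rather
    than silently dropping out of the evidence set."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["action"],
                            m["record"], frozenset(m["elements"].split(",")),
                            m["enc"] == "yes"))
    return events


def scope_incident(events, actor, start_iso, end_iso):
    """Scope step: the actor's events inside the window, the records and data
    elements touched, and whether any of that PHI was unsecured."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = [e for e in events if e.user == actor and start <= e.ts <= end]
    return {"events": hits, "records": sorted({e.record for e in hits}),
            "elements": frozenset().union(*(e.elements for e in hits)),
            "unsecured": any(not e.encrypted for e in hits)}


@dataclass
class Assessment:
    notification_required: bool
    rationale: list = field(default_factory=list)


def four_factor_assessment(scope, recipient_obligated, mitigation_confirmed):
    """Apply the four factors and record the rationale for each."""
    a = Assessment(notification_required=True)
    if not scope["events"]:
        a.notification_required = False
        a.rationale.append("No PHI use by the actor in the window; nothing to assess.")
        return a
    if not scope["unsecured"]:
        a.notification_required = False
        a.rationale.append("All PHI involved was encrypted: not unsecured PHI, "
                           "so the Breach Notification Rule's notice duty does not attach.")
        return a
    sensitive = sorted(scope["elements"] & HIGH_SENSITIVITY)
    f1_low = not sensitive
    a.rationale.append(f"Factor 1: elements {sorted(scope['elements'])}; "
                       f"high-sensitivity: {sensitive or 'none'}.")
    f2_low = recipient_obligated
    a.rationale.append(f"Factor 2: recipient {'is' if f2_low else 'is not'} bound by "
                       "HIPAA duties to protect the PHI.")
    acquired = any(e.action in ACQUIRING_ACTIONS for e in scope["events"])
    f3_low = not acquired
    a.rationale.append(f"Factor 3: logs show PHI {'was' if acquired else 'was not'} "
                       f"viewed or acquired ({len(scope['records'])} records).")
    f4_low = mitigation_confirmed
    a.rationale.append(f"Factor 4: mitigation {'confirmed' if f4_low else 'not confirmed'}.")
    # Assumed conservative policy: "not viewed" is decisive; otherwise require
    # confirmed mitigation plus either an obligated recipient or no sensitive data.
    low_probability = f3_low or (f4_low and (f2_low or f1_low))
    a.notification_required = not low_probability
    a.rationale.append("Determination: " + ("low probability of compromise; no notice."
                       if low_probability else "compromise not ruled out; notify."))
    return a


def notification_plan(assessment, discovery_iso, individuals, max_residents_one_state):
    """Notice obligations once a breach is found (45 CFR 164.404, 164.406, 164.408)."""
    if not assessment.notification_required:
        return {}
    deadline = (datetime.fromisoformat(discovery_iso) + timedelta(days=60)).date().isoformat()
    return {"individuals_by": deadline,  # no later than 60 days after discovery
            # HHS: same clock for 500+ individuals, else the annual log
            "hhs": deadline if individuals >= 500 else "annual log after calendar year end",
            # media: more than 500 residents of one state or jurisdiction
            "media_notice": max_residents_one_state > 500}


def run_example():
    """Worked run: jdoe (assumed to be a former workforce member) accessed
    records on 2024-03-02 without authorization; discovered 2024-03-04."""
    scope = scope_incident(parse_log(SAMPLE_LOG), "jdoe",
                           "2024-03-02T00:00:00", "2024-03-02T23:59:59")
    assessment = four_factor_assessment(scope, recipient_obligated=False,
                                        mitigation_confirmed=True)
    plan = notification_plan(assessment, "2024-03-04", len(scope["records"]), 3)
    return scope, assessment, plan


if __name__ == "__main__":
    _, a, p = run_example()
    print("\n".join(a.rationale), p, sep="\n")
```

Changing the inputs to `four_factor_assessment` shows how the factors interact under the assumed policy: the same three viewed records produce a low-probability finding when the recipient is another covered entity that has attested to destruction, and narrowing the window to the one encrypted record removes the notice duty entirely because the PHI was not unsecured.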

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA