Overview:
§164.402
Definitions: Breach - Risk Assessment.
Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E of this part which compromises the security or privacy of the PHI.
(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the PHI or to whom the disclosure was made;
(iii) Whether the PHI was actually acquired or viewed; and
(iv) The extent to which the risk to the PHI has been mitigated.
Action Items:
1) Obtain and review a list of breaches, by date, that occurred in the previous calendar year.
2) Obtain and review a list of security incidents, by date, that occurred in the previous calendar year.
3) Obtain and review a list of breaches reported to HHS, by date, that occurred in the previous calendar year.
4) Obtain and review policies and procedures regarding the process for determining whether notifications must be provided when there is an impermissible acquisition, access, use, or disclosure of PHI.
Related Documents:
1) List of breaches, by date, that occurred in the previous calendar year.
2) List of security incidents, by date, that occurred in the previous calendar year.
3) List of breaches reported to HHS, by date, that occurred in the previous calendar year.
4) Policies and procedures regarding the process for determining whether notifications must be provided when there is an impermissible acquisition, access, use, or disclosure of PHI.
Additional Guidance:
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. The burden of making that demonstration rests on the covered entity or business associate, and it must be based on a documented risk assessment of at least the following factors:
1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2) The unauthorized person who used the protected health information or to whom the disclosure was made;
3) Whether the protected health information was actually acquired or viewed; and
4) The extent to which the risk to the protected health information has been mitigated.
Article ID: 587
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-privacy-breach-risk-assessment-164-402-587.html