HIPAA/HITECH Breach Risk Assessment Tool: Requirements, Factors, and Examples
Breach Definition and Presumptions
Under HIPAA and the HITECH Act, a breach is an impermissible use or disclosure of protected health information (PHI) under the Privacy Rule that compromises the security or privacy of that PHI. PHI includes individually identifiable health information in any form, including electronic records. Unless you can demonstrate through a documented analysis that there is a low probability the PHI was compromised, the event is presumed to be a breach.
The presumption hinges on whether the incident involves unsecured PHI. If information is rendered unusable, unreadable, or indecipherable to unauthorized individuals—for example through strong encryption or proper destruction—the event may fall outside the unsecured PHI breach category. When PHI is not secured in this way, you must evaluate the event and, if warranted, proceed with notification.
Example 1: A billing file with names, dates of birth, and diagnosis codes is emailed to the wrong external recipient. Because this is an impermissible use or disclosure involving identifiers and clinical details, the incident is presumed a breach until an assessment shows a low probability of compromise.
Example 2: A stolen laptop was encrypted to a recognized standard and protected by strong authentication. With no evidence of access, the incident likely does not constitute an unsecured PHI breach and may not trigger notification.
Risk Assessment Factors Analysis
To rebut the presumption of breach, you must perform a risk probability assessment using four required factors. Base your decision on specific evidence, not generalizations.
- Nature and extent of PHI involved: Consider sensitivity (diagnoses, SSNs, financial details), volume, and likelihood of re-identification. Highly sensitive combinations raise risk.
- Unauthorized person who used or received the PHI: A covered entity or business associate bound by obligations presents less risk than a member of the public. Record the recipient’s role and duties.
- Whether the PHI was actually acquired or viewed: Audit logs, bounce messages, and confirmations help determine if anyone accessed or retained the data. Potential exposure differs from confirmed viewing.
- Extent of mitigation: Rapid containment, secure deletion attestations, remote wipe confirmations, and retrieval reduce risk. Weak or unverifiable mitigation carries less weight.
Applying the factors: First collect facts (what, who, when, how much), then analyze each factor with evidence. Many programs rate each factor on a defined scale and record the rationale. The outcome should be a clear narrative conclusion: either low probability of compromise (no notification) or that notification is required.
Example A: An employee opens the wrong chart, immediately closes it, and self-reports. Logs confirm a brief view without download, and the supervisor retrains the employee. Given limited PHI exposure, an internal recipient, and strong mitigation, you may conclude a low probability of compromise.
Example B: An unencrypted spreadsheet with 1,200 patients’ names, MRNs, and procedure details is posted to a public website for several days. Unknown parties could have copied it, and mitigation is uncertain. The factors point toward notification.
Exceptions to Breach Definition
Three narrow exceptions mean certain incidents are not breaches, even though they involve PHI:
- Unintentional, good-faith access or use within scope: An acquisition, access, or use by a workforce member or person acting under authority, done in good faith and within scope, without further impermissible use. This is the workforce member good faith exception.
- Inadvertent disclosure between authorized persons: A disclosure by someone authorized to access PHI to another authorized person within the same entity or organized health care arrangement, with no further impermissible use.
- Recipient could not reasonably retain the information: For example, a sealed letter returned unopened or an email that immediately bounces back without delivery.
Example: A physician emails PHI to a clinic colleague who is authorized to access the same patients and immediately requests deletion. The incident fits an exception and is not a breach; still, record the event and address any process gaps.
Documentation Requirements for Compliance
Maintain thorough records that demonstrate how you met documentation compliance standards. Keep policies, procedures, and evidence for at least six years from the date of creation or last effective date.
- For each incident, document: discovery date and timeline; systems and locations; data elements involved; who received the PHI; your factor-by-factor analysis; final decision and approvals; mitigation steps; and whether breach notification requirements apply. Preserve logs, screenshots, attestations, and copies of notices.
- Program-level records: risk analysis and risk management plans; security incident response plans; sanction records; workforce training and attestations; business associate agreements; device and media inventories; encryption and destruction standards; and the breach log.
Consistent, organized documentation supports audits and defends your determinations. Make sure your tool timestamps actions and preserves version history of analyses and decisions.
Breach Notification Procedures
If you cannot show a low probability of compromise, treat the matter as an unsecured PHI breach and notify as required. Start the clock on the date of discovery—when the incident is known or should reasonably have been known to your organization.
Individual notice: Provide written notice without unreasonable delay and no later than 60 calendar days after discovery. Use first-class mail or email if the individual has agreed to electronic notice. If you lack contact information for 10 or more individuals, provide substitute notice such as a conspicuous website posting and a toll-free number for at least 90 days.
Content of notice:
- What happened and the dates involved
- Types of PHI affected
- Steps individuals should take to protect themselves
- What you are doing to investigate, mitigate, and prevent recurrence
- How to contact your organization for more information
Regulatory notice to HHS: For breaches affecting 500 or more individuals, notify without unreasonable delay and no later than 60 days after discovery. For fewer than 500, log the events and report to HHS within 60 days after the end of the calendar year.
Media notice: For incidents affecting 500 or more residents of a state or jurisdiction, notify prominent media in that area without unreasonable delay and no later than 60 days after discovery.
Business associate notice: A business associate must notify the covered entity without unreasonable delay and include, to the extent possible, identities of affected individuals and details needed for notification.
Law enforcement delay: If a law enforcement official states that notice would impede an investigation or cause harm, delay notification as directed and document the request.
Risk Assessment Tools Overview
A practical HIPAA/HITECH Breach Risk Assessment Tool should guide you from intake to decision with an auditable trail. The best tools standardize how you capture facts, apply the four factors, and determine whether notification is required.
- Core capabilities: structured intake forms; prompts aligned to each factor; configurable scoring for a risk probability assessment; secure storage for logs and attestations; decision trees that flag likely notification scenarios; and exports of your rationale and decision.
- Operational features: workflow routing to privacy and security officers; reminders to meet breach notification requirements; template letters for individual, media, and HHS notices; dashboards and a breach log; vendor and business associate tracking; integrations with email and EHR audit logs.
- Security and governance: role-based access, encryption in transit and at rest, change history, and periodic criteria reviews.
A clear, consistent tool increases accuracy, reduces cycle time, and strengthens defensibility when you are audited.
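As an added worked example (not code from this page or from any vendor's product), the routine below applies the order of analysis described above in Python: secured PHI first, then the three exceptions, then the four scored factors with a recorded rationale, then the notice deadlines counted from the discovery date. The day counts and thresholds (60 days, 10 missing addresses, 90 days of substitute notice, 500 individuals, six-year retention) are the ones stated on this page; the 1..3 factor scale, the rule that any factor rated above "low" defeats the rebuttal, the factor and exception names, and the sample incident are assumptions constructed for the illustration.

```python
"""Four-factor HIPAA/HITECH breach risk assessment, worked example.

Added illustration, not the page's or any vendor's code. Deadlines and
thresholds follow the page; the 1..3 factor scale and the "low probability"
cut-off are assumptions. A real program defines its own scale and must
record the evidence behind every rating.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

NOTICE_DEADLINE_DAYS = 60           # individual, HHS (500+) and media notices
SUBSTITUTE_NOTICE_MIN_MISSING = 10  # no contact info for 10+ people -> substitute notice
SUBSTITUTE_NOTICE_DAYS = 90         # website posting / toll-free number duration
LARGE_BREACH_THRESHOLD = 500        # immediate HHS notice; media notice per state
RETENTION_YEARS = 6                 # keep the analysis and evidence this long

FACTORS = ("nature_and_extent", "unauthorized_person", "acquired_or_viewed", "mitigation")
EXCEPTIONS = {"good_faith_workforce", "inadvertent_authorized", "not_retainable"}
LOW_RISK_MAX_SCORE = 1  # assumption: any factor above "low" (1) defeats the rebuttal


@dataclass
class Incident:
    discovered: date                    # clock starts when known or should have been known
    individuals: int
    phi_secured: bool                   # encrypted to a recognized standard or destroyed
    exception: Optional[str] = None     # one of EXCEPTIONS, or None
    scores: Dict[str, int] = field(default_factory=dict)     # factor -> 1 (low) .. 3 (high)
    rationale: Dict[str, str] = field(default_factory=dict)  # factor -> evidence cited
    by_state: Dict[str, int] = field(default_factory=dict)   # state -> residents affected
    missing_contacts: int = 0           # individuals with no usable address
    law_enforcement_hold: bool = False  # official requested a documented delay


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb discovery, non-leap target year
        return d.replace(year=d.year + years, month=3, day=1)


def notification_plan(inc: Incident) -> Dict[str, date]:
    """Deadline for each notice the page requires, counted from discovery."""
    deadline = inc.discovered + timedelta(days=NOTICE_DEADLINE_DAYS)
    plan = {"individual": deadline}
    if inc.missing_contacts >= SUBSTITUTE_NOTICE_MIN_MISSING:
        # web posting and toll-free number must stay available at least 90 days
        plan["substitute_notice_until"] = deadline + timedelta(days=SUBSTITUTE_NOTICE_DAYS)
    if inc.individuals >= LARGE_BREACH_THRESHOLD:
        plan["hhs"] = deadline
    else:
        # under 500: log it and report within 60 days after the calendar year ends
        plan["hhs"] = date(inc.discovered.year, 12, 31) + timedelta(days=NOTICE_DEADLINE_DAYS)
    for state, residents in inc.by_state.items():
        if residents >= LARGE_BREACH_THRESHOLD:
            plan[f"media:{state}"] = deadline
    return plan


def assess(inc: Incident) -> dict:
    """Decision order from the page: secured? exception? four factors? notify?"""
    result = {"retain_until": _add_years(inc.discovered, RETENTION_YEARS),
              "law_enforcement_hold": inc.law_enforcement_hold,  # delay as directed, keep the request
              "notifications": {}}
    if inc.phi_secured:
        result.update(determination="not_unsecured_phi",
                      rationale="PHI encrypted or destroyed to standard; outside the unsecured-PHI category")
        return result
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception {inc.exception!r}")
        result.update(determination="exception",
                      rationale=f"{inc.exception} exception applies; record the event, fix process gaps")
        return result
    # The presumption is rebutted only by a scored, evidenced analysis of all four factors.
    incomplete = [f for f in FACTORS
                  if inc.scores.get(f) not in (1, 2, 3) or not inc.rationale.get(f)]
    if incomplete:
        raise ValueError(f"score (1-3) and rationale required for: {incomplete}")
    elevated = [f for f in FACTORS if inc.scores[f] > LOW_RISK_MAX_SCORE]
    if not elevated:
        result.update(determination="low_probability",
                      rationale="all factors low: " + "; ".join(inc.rationale[f] for f in FACTORS))
        return result
    result.update(determination="breach_notify",
                  rationale="elevated factors: " + ", ".join(f"{f}={inc.scores[f]}" for f in elevated),
                  notifications=notification_plan(inc))
    return result


if __name__ == "__main__":
    # Constructed values modelled on Example B above: spreadsheet left on a public site.
    posted = Incident(discovered=date(2024, 3, 1), individuals=1200, phi_secured=False,
                      scores={"nature_and_extent": 3, "unauthorized_person": 3,
                              "acquired_or_viewed": 2, "mitigation": 3},
                      rationale={f: "public web posting for several days" for f in FACTORS},
                      by_state={"CA": 900, "NV": 300}, missing_contacts=25)
    for key, value in assess(posted).items():
        print(f"{key}: {value}")
```

The routine refuses to rate an incident unless every factor carries both a score and a written rationale, which mirrors the page's point that the rebuttal rests on evidence rather than generalizations. A law-enforcement hold is only flagged, because the length of that delay comes from the official's request, not from a formula.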
Compliance Resources and Training
Strengthen prevention and response with a multi-layered program. Provide onboarding and annual training, plus targeted refreshers after incidents. Teach minimum necessary use, data classification, secure messaging, phishing awareness, and timely reporting of suspected events.
Emphasize practical scenarios such as lost devices, misdirected email, snooping, third-party mishandling, and disposal errors. Clarify when the workforce member good faith exception applies and when it does not. Run tabletop exercises that walk through intake, factor analysis, decisions, and timely notifications.
Keep leadership engaged with metrics like incident counts, time to containment, percentage concluded as low probability, and training completion rates. Audit departments, review access reports, verify vendor safeguards, and test remote wipe and backups. Align policies, procedures, and training with your documentation compliance standards.
Conclusion: A disciplined process and a capable tool help you quickly determine whether an event is a breach, document a defensible analysis, and meet breach notification requirements when required. By consistently applying the factors, tracking lessons learned, and training your workforce, you reduce risk and strengthen patient trust.
FAQs
What qualifies as a breach under HIPAA and the HITECH Act?
A breach is an impermissible use or disclosure that compromises the privacy or security of protected health information (PHI). Unless you can show through a documented analysis that there is a low probability the PHI was compromised, the event is presumed to be a breach. If the PHI was properly encrypted or destroyed, the incident may fall outside the unsecured PHI breach category.
How do risk assessment factors determine breach status?
You evaluate four factors: the nature and extent of PHI involved, who used or received it, whether it was actually acquired or viewed, and the effectiveness of mitigation. Your risk probability assessment weighs these facts and produces a reasoned conclusion—either low probability of compromise or that breach notification requirements apply.
What are the exceptions to the breach definition?
There are three: the workforce member good faith exception for unintentional, within-scope access or use without further impermissible use; inadvertent disclosures between authorized persons within the same entity or arrangement; and disclosures where the unauthorized recipient could not reasonably have retained the information.
What documentation is required for compliance?
Maintain written policies and procedures; incident intake records; a factor-by-factor analysis; decisions and approvals; mitigation evidence; copies of notices; and a breach log. Retain training, sanctions, vendor agreements, and security safeguards as part of your documentation compliance standards, typically for at least six years.