How to Perform the HIPAA Four-Factor Risk Assessment, Explained


Kevin Henry

Risk Management

May 17, 2024

6 minutes read

If you suspect an impermissible disclosure or security incident involving Protected Health Information (PHI), the HIPAA four-factor risk assessment helps you decide whether the event is a breach under the Breach Notification Rule. The assessment estimates the probability that PHI was compromised so you can act quickly and defensibly.

This guide explains how to examine the nature and extent of PHI, evaluate the unauthorized use or disclosure, determine if PHI was actually acquired or viewed, and assess mitigation. You will then apply breach notification criteria and document a clear, auditable PHI compromise assessment.

Nature and Extent of PHI Involved

Start by detailing the PHI at issue and whether it could reasonably enable data re-identification. The more sensitive, identifiable, complete, and intelligible the data, the higher the risk. Record exactly what elements were exposed and in what form.

  • Identifiers and re-identification risk: direct identifiers (name, SSN) raise risk; quasi-identifiers (DOB, ZIP, gender) can still enable data re-identification when combined.
  • Sensitivity: diagnoses (e.g., mental health, substance use), lab results, financial or insurance data, images, and full clinical notes carry greater harm potential.
  • Volume and scope: single patient vs. large dataset; depth of history; inclusion of dependents or guarantors.
  • Format and security: plaintext versus encrypted or otherwise rendered unusable; paper, verbal, screenshots, logs, or full exports.
  • Completeness and context: isolated data points versus longitudinal records, which increase the likelihood of PHI compromise.

Evaluate Unauthorized Use or Disclosure

Next, analyze who used the PHI or to whom it was disclosed, and their ability and incentive to misuse it. Impermissible disclosure to a party under confidentiality obligations often poses less risk than disclosure to an unknown third party.

  • Recipient role and relationship: workforce member, business associate, another covered entity, or a layperson.
  • Confidentiality obligations: business associate agreement (BAA), nondisclosure agreement, or professional licensure can reduce misuse likelihood.
  • Channel and exposure: private email/fax vs. public posting or theft; systemic exfiltration vs. single misdirected message.
  • Intent and capability: accidental receipt vs. deliberate access; technical skill to open, copy, or disseminate the data.

Document why the recipient’s context raises or lowers risk. For example, a misdirected fax to a clinician bound by confidentiality differs materially from a public social media post.

Determine if PHI Was Acquired or Viewed

Distinguish between the mere opportunity to access PHI and evidence that it was actually acquired or viewed. Concrete evidence that no one saw or retained the information lowers risk.

  • System evidence: EHR and file audit logs, download counts, DLP/SIEM alerts, email delivery and read receipts, link access logs.
  • Physical evidence: sealed mail returned unopened; devices recovered with forensic confirmation of no access.
  • Transmission outcomes: bounced emails, blocked attachments, corrupted files, or overwritten media.
  • Recipient confirmations: written attestations that PHI was not viewed, retained, or further disclosed, and was securely deleted.

Note whether data was copied, forwarded, printed, or posted elsewhere. Each propagation increases the probability of compromise.


Assess Risk Mitigation Actions

Immediately reduce risk and record each step taken. Effective, timely risk mitigation strategies can materially lower the probability of compromise.

  • Containment: retrieve or sequester records, remove public posts, disable shared links, revoke credentials, rotate keys, and reset passwords.
  • Secure deletion: remote wipe of devices, verified destruction of media, and confirmation of purge from backups when feasible.
  • Recipient engagement: obtain attestations of non-use/non-retention and deletion; remind recipients of confidentiality obligations.
  • Hardening: enforce encryption, DLP rules, access limits, and minimum necessary; patch systems; retrain staff; adjust workflows to prevent recurrence.

Evaluate the effectiveness of each action. Favor mitigations with verifiable proof (forensic logs, signed attestations) over assumptions.

Apply Breach Notification Criteria

After weighing all four factors together, determine whether there is a low probability that PHI has been compromised. If you cannot demonstrate a low probability, the event is a breach under the Breach Notification Rule and notifications are required.

  • Exceptions: (1) unintentional, good-faith access or use by a person within authority, with no further improper disclosure; (2) inadvertent disclosure between two authorized persons within the same organization or business associate; (3) good-faith belief that the unauthorized recipient could not reasonably have retained the PHI.
  • If it is a breach: notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting 500 or more residents of a state or territory, also notify prominent media, and report to the federal regulator per required timelines. Business associates must notify the covered entity without unreasonable delay.
  • Notice content typically includes what happened, the types of PHI involved, steps individuals should take, actions you are taking, and contact information.

Confirm whether state privacy or breach laws impose additional or faster timelines, content requirements, or regulators to notify, and align your response accordingly.

Document Assessment Findings

Create an audit-ready record of your PHI compromise assessment. The documentation should show what happened, how you applied each factor, your risk reasoning, and the final decision.

  • Event overview: discovery date, timeline, systems and data involved, number of individuals, and how the incident was identified.
  • Factor analyses: nature and extent of PHI, evaluation of unauthorized use/disclosure, whether PHI was acquired or viewed, and mitigation outcomes, with supporting evidence.
  • Risk conclusion: rationale for low probability (or not), overall determination, and whether notifications are required.
  • Notifications and remediation: whom you notified, dates sent, content summary, and corrective actions to prevent recurrence.
  • Governance: approvers, legal/privacy/security reviewers, and retention location for the file and artifacts.

Using a consistent template and decision rubric improves repeatability and defensibility, helping you make timely, well-supported decisions when minutes matter.

FAQs

What is the purpose of the HIPAA four-factor risk assessment?

Its purpose is to determine, after an impermissible disclosure or security incident, whether there is a low probability that PHI has been compromised. By analyzing the nature and extent of PHI, the unauthorized person, whether PHI was acquired or viewed, and the effectiveness of mitigation, you decide if the Breach Notification Rule is triggered and document a clear, defensible outcome.

How do organizations determine if PHI was acquired or viewed?

You corroborate with evidence: EHR/file audit logs, email and link access logs, DLP/SIEM alerts, forensic results from devices, mail returned unopened, and written attestations from recipients confirming non-use and deletion. The stronger and more direct the evidence that PHI was not accessed or retained, the lower the assessed risk.

When is breach notification required?

Notification is required when you cannot demonstrate a low probability that PHI was compromised based on the four-factor analysis. In that case, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, and follow additional requirements for regulators and, when applicable, media. Exceptions apply in limited, well-defined circumstances where the risk is inherently low.
