Risk Assessment for a Breach of PHI


Conducting a risk assessment for a breach of Protected Health Information (PHI) is a critical step for healthcare organizations under HIPAA regulations. Prompted by any unauthorized disclosure of PHI, this process, mandated by the HIPAA Breach Notification Rule of 2009, involves a detailed evaluation based on four key factors. This guide outlines the essential aspects of that assessment, equipping you with the knowledge to navigate these obligations effectively.

Definition of a breach of PHI

The Health and Human Services (HHS) department uses this definition: “A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the Protected Health Information.”


Do I need to notify patients of a breach of PHI?

A most definite Yes. You must notify patients of a breach of PHI (or an unauthorized disclosure). You must also notify the Office for Civil Rights (OCR) of HHS, immediately in some instances. You can avoid these notifications only if you can demonstrate that there is a low probability that the unauthorized disclosure compromised the PHI.


Risk assessment for a breach of PHI

A risk assessment for a breach of PHI has to include at least four factors.

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
  2. The unauthorized person who used or accessed the protected health information or to whom any disclosure has been made.
  3. Whether the protected health information was actually acquired or viewed.
  4. The extent to which the risk to the protected health information has been mitigated.


1. Nature and extent of PHI involved.

Was the unauthorized disclosure limited to a patient’s name and the name or type of provider the patient was receiving treatment from? This is close to the minimum amount of information that could be considered PHI. Consider an email from a provider that revealed the email names/addresses of most of the patients in the practice. It prompted complaints from several patients who did not appreciate having their status as patients revealed to the other addressees.

Of course, many times the amount of PHI involved is much more significant. Assess the types of identifiers and the likelihood of re-identification as part of this factor. In the email example, it was possible to identify some of the patients visiting this provider, and a list of email addresses could be of interest to bad actors who could use it for “phishing” expeditions.

2. The unauthorized person who used or accessed the PHI or to whom any disclosure has been made.

Many times, other patients receive another patient’s PHI through staff errors: handing an after-visit summary to the wrong person, emailing test results to the wrong patient, scanning results into the wrong patient record (so that those results then appear in the wrong patient’s portal), or associating the wrong account guarantor with a patient. In most cases, when a patient receives PHI about another patient, they recognize it is probably an error. They delete the email or shred the paper record. They report the presence of someone else’s test results in their portal. People almost always cooperate in returning or destroying someone else’s PHI.

Of course, situations involving bad actors who hack into electronic health record systems are another story. Many times phishing attacks are conducted using viruses that do not usually result in the “exfiltration” of PHI from an electronic health records system; that circumstance supports a finding of a low-risk event. Other times, it is impossible to even know who might have had access to the PHI, for instance with a stolen or lost laptop holding unencrypted files that contain PHI.

3. Whether the PHI was actually acquired or viewed.

Can there be instances when PHI is potentially disclosed but is not actually acquired or viewed? Suppose an unencrypted file containing PHI is sent by unencrypted email. The recipient realizes the email is not intended for him or her and deletes it before opening the attached file. The more likely it is that the PHI was acquired or viewed, the less likely you can support a finding of a low-risk disclosure.

4. The extent to which the risk to the PHI has been mitigated.

The Oxford Dictionary defines mitigation as “the action of reducing the severity, seriousness, or painfulness of something.” Mitigation of an unauthorized disclosure of PHI could include:

  • Removing the PHI from the wrong medical record.
  • Receiving believable assurances that PHI misdirected in person or through email/mail has been deleted or destroyed.
  • Retrieving PHI that was misdirected.
  • Changing access for staff members who commit repeated unauthorized disclosures of PHI by looking at records they have no business need to access.


Risk assessment for a breach of protected health information and patient notification

A risk assessment may conclude that there is more than a low probability that the PHI was compromised. Follow that result with notification to the affected patient(s). Covered entities must provide notice of an unauthorized disclosure of PHI within 60 days of discovery of the breach.

The notice to an individual must include specific information:

  • A brief description of what happened, including the date of the breach and the date of discovery of the breach
  • A description of the types of information that were compromised in the breach (personal identifiers such as name, address, Social Security number, account numbers, etc.)
  • The measures individuals should take to protect themselves from potential harm
  • A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent a repeat of the breach
  • Contact details for individuals to ask questions or request further information, which should include a toll-free number, an email address, a website, or a postal address.

Send such notices via first class mail, and use plain language in the letter. Use email only if the patient has agreed to receive the notice via email. Several other provisions apply when contact information is out of date or there are more than 10 persons to be notified.

You must also send notices to the Secretary of HHS, immediately in some cases, or as part of an annual report.

Don’t forget about possible state notification requirements. Many states have regulations requiring notification to the state Attorney General or other state government departments. Be sure to understand those requirements when out-of-state patients are affected by an unauthorized disclosure.

Finally, if you get a notice from the OCR about a patient complaint, DON’T IGNORE IT! The OCR has a long list of covered entities that have suffered breaches or have not released patient medical records in a timely manner. In many cases, the entities ignored requests from the OCR. That type of response begins to weigh heavily after the OCR has completed its investigation and is deciding on your fine!


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.