Published: 2017-02-22 23:00:52

HIPAA Breach Risk Assessment Analysis Tool - ACBHCS

ACBHCS HIPAA Breach Policy Attachment 1
Copyright 2009 HIPAA COW

HIPAA Breach
Risk Assessment Analysis Tool

Note: For an acquisition, access, use or disclosure of PHI to constitute a breach, it must constitute a violation of the Privacy Rule.

Columns: Q# | Question | Yes - Next Steps | No - Next Steps

Unsecured PHI

1. Was the impermissible use/disclosure unsecured PHI (e.g., not rendered unusable, unreadable, indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary)?
   Yes - Next Steps: Continue to next question.
   No - Next Steps: Notifications not required. Document decision.

Minimum Necessary

2. Was more than the minimum necessary for the purpose accessed, used or disclosed?
   Yes - Next Steps: Continue to next question.
   No - Next Steps: May determine low risk and not provide notifications. Document decision.

Was there a significant risk of harm to the individual as a result of the impermissible use or disclosure?

3. Was it received and/or used by another entity governed by the HIPAA Privacy & Security Rules or a Federal Agency obligated to comply with the Privacy Act of 1974 & FISA of 2002?
   Yes - Next Steps: May determine low risk and not provide notifications. Document decision.
   No - Next Steps: Continue to next question.

4. Were immediate steps taken to mitigate an impermissible use/disclosure (ex. Obtain the recipients' assurances the information will not be further used/disclosed or will be destroyed)?
   Yes - Next Steps: May determine low risk and not provide notifications. Document decision.
   No - Next Steps: Continue to next question.

5. Was the PHI returned prior to being accessed for an improper purpose (e.g., A laptop is lost/stolen, then recovered & forensic analysis shows the PHI was not accessed, altered, transferred or otherwise compromised)?
   Yes - Next Steps: May determine low risk and not provide notifications. Document decision. Note: don't delay notification based on a hope it will be recovered.
   No - Next Steps: Continue to next question.

What type and amount of PHI was involved in the impermissible use or disclosure?

6. Does it pose a significant risk of financial, reputational, or other harm?
   Yes - Next Steps: Higher risk - should report.
   No - Next Steps: May determine low risk and not provide notifications. Document decision.

7. Did the improper use/disclosure only include the name and the fact services were received?
   Yes - Next Steps: May determine low risk and not provide notifications. Document decision.
   No - Next Steps: Continue to next question.

8. Did the improper use/disclosure include the name and type of services received, services were from a specialized facility (such as a substance abuse facility), or the information increases the risk of ID Theft (such as SS#, account#, mother's maiden name)?
   Yes - Next Steps: High risk - should provide notifications.
   No - Next Steps: Continue to next question.

9. Did the improper use/disclosure not include the 16 limited data set identifiers in 164.514(e)(2) nor the zip codes or dates of birth? Note: take into consideration the risk of re-identification (the higher the risk, the more likely notifications should be made).
   Yes - Next Steps: High risk - should provide notifications.
   No - Next Steps: May determine low risk and not provide notifications. Document decision.

10. Is the risk of re-identification so small that the improper use/disclosure poses no significant harm to any individuals (ex. Limited data set included zip codes that based on population features doesn't create a significant risk an individual can be identified)?
   Yes - Next Steps: May determine low risk and not provide notifications. Document decision.
   No - Next Steps: Continue to next question.

Specific Breach Definition Exclusions

11. Was it an unintentional access/use/disclosure by a workforce member acting under the organization's authority, made in good faith, within his/her scope of authority (workforce member was acting on the organization's behalf at the time), and didn't result in further use/disclosure (ex. billing employee receives an e-mail containing PHI about a patient mistakenly sent by a nurse (co-worker). The billing employee alerts the nurse of the misdirected e-mail & deletes it)?
   Yes - Next Steps: May determine low risk and not provide notifications. Document decision.
   No - Next Steps: Continue to next question.

12. Was access unrelated to the workforce member's duties (ex. did a receptionist look through a patient's records to learn of their treatment)?
   Yes - Next Steps: High risk - should provide notifications.
   No - Next Steps: Continue to next question.

13. Was it an inadvertent disclosure by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the same organization, or its OHCA, and the information was not further used or disclosed (ex. A workforce member who has the authority to use/disclose PHI in that organization/OHCA discloses PHI to another individual in that same organization/OHCA and the PHI is not further used/disclosed)?
   Yes - Next Steps: May determine low risk and not provide notifications. Document decision.
   No - Next Steps: Continue to next question.

14. Was a disclosure of PHI made, but there is a good faith belief that the unauthorized recipient would not have reasonably been able to retain it (Ex. EOBs were mistakenly sent to wrong individuals and were returned by the post office, unopened, as undeliverable)?
   Yes - Next Steps: May determine low risk and not provide notifications. Document decision.
   No - Next Steps: Continue to next question. Note: if the EOBs were not returned as undeliverable, these should be treated as breaches.

15. Was a disclosure of PHI made, but there is a good faith belief that the unauthorized recipient would not have reasonably been able to retain it (ex. A nurse mistakenly hands a patient discharge papers belonging to a different patient, but quickly realized the mistake and recovers the PHI from the patient, and the nurse reasonably concludes the patient could not have read or otherwise retained the information)?
   Yes - Next Steps: May determine low risk and not provide notifications. Document decision.
   No - Next Steps: Document findings.

Burden of Proof: Required to document whether the impermissible use or disclosure compromises the security or privacy of the PHI (significant risk of financial, reputational, or other harm to the individual).