§164.402
Definitions: Breach – Risk Assessment.
Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E of this part which compromises the security or privacy of the PHI.
(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the PHI or to whom the disclosure was made;
(iii) Whether the PHI was actually acquired or viewed; and
(iv) The extent to which the risk to the PHI has been mitigated.
Audit Inquiry
§164.402 Definitions: Breach – Risk Assessment
Has the covered entity implemented policies and procedures regarding the determination of whether an impermissible acquisition, access, use or disclosure requires notification under the Breach Notification Rule?
Obtain and review a list of breaches, by date, that occurred in the previous calendar year. Obtain and review a list of security incidents, by date, that occurred in the previous calendar year. Obtain and review a list of breaches reported to HHS, by date, that occurred in the previous calendar year.
Does the covered entity have a process for conducting a breach risk assessment when an impermissible use or disclosure of PHI is discovered, to determine whether there is a low probability that PHI has been compromised?
If not, does the covered entity have a policy and procedure that requires notification without conducting a risk assessment for all or specific types of incidents that result in impermissible uses or disclosures of PHI?
Obtain and review policies and procedures regarding the process for determining whether notifications must be provided when there is an impermissible acquisition, access, use, or disclosure of PHI.
If the entity does not have a policy and procedure that treats all potential breaches as requiring notifications without conducting a risk assessment, review the covered entity’s risk assessment policies and procedures. Evaluate whether they require the covered entity to consider at least the following four factors:
(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the PHI or to whom the disclosure was made;
(iii) Whether the PHI was actually acquired or viewed; and
(iv) The extent to which the risk to the PHI has been mitigated.
Obtain a list of risk assessments, if any, conducted within the specified period where the covered entity determined there was a low probability of compromise to the PHI. Obtain and review all documentation associated with the conduct of the risk assessments. Assess whether the risk assessments were completed in accordance with these requirements and the entity’s policies and procedures.
Obtain a list of risk assessments, if any, conducted within the specified period where the covered entity determined that the PHI was compromised and notification was required under §§164.404-164.408. Obtain and review all documentation associated with the conduct of the risk assessments. Assess whether the risk assessments were completed in accordance with these requirements and the entity’s policies and procedures.