HIPAA Breach Risk Assessment Procedure (RES-PROC-002)
1. Purpose
To guide the Privacy Officer and Incident Response Team through the formal risk assessment mandated to determine if a security incident qualifies as a notifiable breach under the HIPAA Breach Notification Rule.
2. Scope
This procedure applies to any security incident involving the potential compromise of electronic Protected Health Information (ePHI).
3. Overview
This procedure details the steps for conducting a formal risk assessment to determine the probability that ePHI has been compromised, in accordance with the HIPAA Breach Notification Rule.
4. Procedure
Step | Who | What |
---|---|---|
1 | Privacy Officer / IRT | Determine if the security incident involves Protected Health Information (PHI) or electronic Protected Health Information (ePHI). |
2 | Privacy Officer / IRT | Assess the probability that the PHI/ePHI has been compromised by evaluating the following four factors: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. |
3 | Privacy Officer | Document the complete risk assessment findings and the final rationale for the determination (i.e., whether it is a notifiable breach or not) on the HIPAA Breach Risk Assessment form. |
5. Standards Compliance
Procedure Step(s) | Standard/Framework | Control Reference |
---|---|---|
1-3 | HIPAA Breach Notification Rule | 45 CFR § 164.400-414 |
6. Artifact(s)
A completed and signed HIPAA Breach Risk Assessment form.
7. Definitions
ePHI (electronic Protected Health Information): Any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format.
Breach: The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the protected health information.
8. Responsibilities
Role | Responsibility |
---|---|
Privacy Officer | Leads the breach risk assessment process and makes the final determination of a notifiable breach. |
Incident Response Team (IRT) | Provides technical details and context about the security incident to support the risk assessment. |