How to Conduct a PHI Breach Risk Assessment

Any time your healthcare organization experiences a PHI breach, you need to assess the nature and gravity of the harm done by that breach. The HHS OCR divvies out penalties based on how severe the impact was on patients. For example, accidental disclosure of protected health information between two internal employees isn’t nearly as harmful as a hacker accessing that information.

This is why healthcare organizations are required to conduct PHI breach risk assessments. Learn what a risk assessment is, as well as the four steps you need to follow to weigh a breach’s true risk level.

What Is a PHI Breach Risk Assessment?

According to the HIPAA Security Rule, one of the three HIPAA rules that safeguard ePHI, providers must conduct a PHI breach risk assessment every time there’s an impermissible disclosure of PHI. The four-factor breach risk assessment helps you determine the true level of harm done to patients as a result of the breach.

HIPAA acknowledges that not all PHI data breaches are the same, which is why providers need to conduct a risk assessment for every breach. The goal of the assessment is to determine what’s been compromised and how damaging the leak is to patients. If you determine that the breach is low risk, you don’t have to notify patients or the OCR. However, medium and high-risk breaches require you to follow HIPAA’s Breach Notification Rule.

Regardless of whether you think the breach was significant or not, you’ll need to conduct a PHI breach risk assessment to determine your next course of action.

The 4 Steps to Conducting a PHI Breach Risk Assessment

The breach risk assessment is officially called the Security Risk Assessment (SRA) tool. To do the assessment, download it either as a desktop application or as an Excel workbook. From there, your team will need to go through this four-factor test to determine the extent of the breach.

Factor 1: The Type and Nature of the PHI

First, was the information disclosed actually PHI? If the data doesn’t identify a patient and can’t be tied to a patient’s identity, it’s not considered protected health information. What type of PHI was disclosed? The amount of PHI disclosed matters, too: the more PHI leaked, the greater the potential harm to a patient.

You’ll also need to weigh the sensitivity of the data. Social Security numbers and credit card information are very sensitive, and you should weigh them more heavily. High-risk information also includes:

  • Name
  • Address
  • Medication
  • Diagnoses
  • Treatment plans

Sometimes a breach might include a small amount of personal data that, in certain contexts, still makes it possible to identify an individual. For example, if the data includes a patient’s birthdate and no other patient has that same birthday, it’s possible to use the data to identify the patient.

Factor 2: The Parties Accessing PHI

Who received the disclosed PHI? The more removed the person is from a HIPAA covered entity or business associate, the greater the potential for harm. Since a non-HIPAA entity doesn’t promise to protect patient data, there’s little reason to presume they will take the necessary steps to do so.

For example, an internal disclosure between employees is a very low-risk PHI disclosure. A ransomware attacker stealing and accessing PHI would be very high risk.

Factor 3: Use of PHI

Did the receiving party access or use the PHI? An accidental breach can occur without the receiving party ever accessing the information. For example, if you mail a patient’s test results to the wrong address and the recipient mails the letter back unopened, there was little risk to the patient.

For electronic disclosures, you can use digital forensics to determine whether a receiving party improperly accessed PHI. For example, if a thief steals a password-protected laptop containing PHI, you can check your system logs to confirm whether patient information was accessed after the theft.
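The log review described above, as an added example (not code from the article or from Tausight): it parses a constructed, hypothetical key=value audit log, keeps only events from the stolen device after the reported theft time, and reports successful logons, failed logons, and any successful reads of files under an assumed PHI directory. It assumes endpoint events are forwarded to a central, off-device store, so that post-theft activity is visible even if the device itself is never recovered; the hostnames, users, paths, timestamps and the `/phi/` path convention are all constructed for illustration. The result is a statement of what the logs do or do not show, which is the input Factor 3 asks for.

```python
"""Review centrally collected endpoint audit logs for a stolen device.

Added example, not from the original article or from any vendor product.
Log format, hostnames, users, paths and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import re

# Constructed sample log lines in a hypothetical "key=value" audit format.
# LAPTOP-0042 is the device reported stolen on the evening of 2024-03-01.
SAMPLE_LOG = """\
ts=2024-03-01T08:15:02Z host=LAPTOP-0042 user=jdoe event=logon result=success
ts=2024-03-01T08:16:40Z host=LAPTOP-0042 user=jdoe event=file_read path=/phi/labs/2024/results.csv result=success
ts=2024-03-01T17:30:00Z host=LAPTOP-0042 user=jdoe event=logoff result=success
ts=2024-03-02T01:12:09Z host=LAPTOP-0042 user=jdoe event=logon result=failure
ts=2024-03-02T01:12:31Z host=LAPTOP-0042 user=jdoe event=logon result=failure
ts=2024-03-02T01:13:05Z host=LAPTOP-0042 user=jdoe event=logon result=failure
ts=2024-03-02T09:00:00Z host=WS-CLINIC-7 user=asmith event=file_read path=/phi/labs/2024/results.csv result=success
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
PHI_ROOT = "/phi/"  # assumption: PHI files live under this directory


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    event: str
    result: str
    path: Optional[str]


def parse_ts(iso_z: str) -> datetime:
    """Parse a UTC timestamp of the form 2024-03-01T08:15:02Z."""
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> Event:
    fields = dict(FIELD_RE.findall(line))
    return Event(
        ts=parse_ts(fields["ts"],),
        host=fields["host"],
        user=fields["user"],
        event=fields["event"],
        result=fields["result"],
        path=fields.get("path"),
    )


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_phi_path(path: Optional[str]) -> bool:
    return path is not None and path.startswith(PHI_ROOT)


def assess_device_access(events: list, host: str, stolen_at: datetime) -> dict:
    """Summarize what the logs show for `host` at or after `stolen_at`.

    Only events from the stolen device are considered; activity on other
    hosts (e.g. a clinician opening the same file elsewhere) is unrelated
    to the theft and is excluded.
    """
    post = [e for e in events if e.host == host and e.ts >= stolen_at]
    phi_reads = [e for e in post
                 if e.event == "file_read" and e.result == "success"
                 and is_phi_path(e.path)]
    failed = [e for e in post if e.event == "logon" and e.result == "failure"]
    succeeded = [e for e in post if e.event == "logon" and e.result == "success"]
    return {
        "post_theft_events": len(post),
        "failed_logons": len(failed),
        "successful_logons": len(succeeded),
        "phi_files_accessed": sorted({e.path for e in phi_reads}),
        "evidence_of_phi_access": bool(phi_reads),
    }


def assess_from_log(text: str, host: str, stolen_at_iso: str) -> dict:
    """Convenience wrapper: parse the log text and assess one device."""
    return assess_device_access(parse_log(text), host, parse_ts(stolen_at_iso))


if __name__ == "__main__":
    # Theft reported at 23:00 UTC on 2024-03-01; only failed logons follow.
    report = assess_from_log(SAMPLE_LOG, "LAPTOP-0042", "2024-03-01T23:00:00Z")
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the theft time set to 23:00 UTC the report shows three failed logons and no successful logon or PHI file read on the stolen device, which supports a finding that the logs show no evidence of access. Moving the theft time earlier than the owner's own morning session makes the pre-theft PHI read appear in the report, which illustrates why the reported theft time must be pinned down before the logs are interpreted.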

A Situational ePHI Awareness solution like Tausight can help you reconstruct any incident thanks to an immutable, off-site audit trail that provides forensic-level detail across all endpoints. Tausight provides a consolidated, real-time view into PHI as it’s created, stored, copied, moved, and shared between providers, patients, applications, and third parties, giving you complete visibility into all PHI throughout the healthcare ecosystem and its activity.

Factor 4: Risk Mitigation

Finally, HIPAA asks you to list the steps your organization took to mitigate potential risks to patients. What did you do after the PHI data breach to reduce harm? Did you shred documents, change passwords, or delete emails? If you took steps that minimized the damage patients could experience from the breach, that can lower the assessed risk level of the PHI breach.

Situational ePHI Awareness is Crucial Before and After a Breach

PHI breaches have become the scourge of the healthcare industry, and they’re on the rise. If your practice hasn’t experienced a breach yet, it likely will. Now’s the time to familiarize yourself with the PHI breach risk assessment process so you’re ready before a breach occurs.

While you should know how to respond to a breach, your efforts should focus on preventing breaches in the first place. Tausight’s Situational ePHI Awareness solution simplifies regulatory alignment and reporting on 405(d) Healthcare Industry Cybersecurity Practices (HICP), enabling you to accurately identify and analyze PHI activity and risk throughout your healthcare ecosystem.

Tausight also offers a forensic audit trail for all PHI activity tracing back to user accounts, so you can quickly identify the source of a PHI breach should it occur. Contact Tausight today and learn how our Situational ePHI Awareness solution can help you balance compliance demands while simultaneously supporting the growing need to share PHI securely.


David Ting

Founder and CTO, Tausight
