Help With A Potential HIPAA Breach

I Think A HIPAA Breach May Have Occurred. What Do I Do Now?

If the practice discovers that a potential breach has occurred the practice will need to determine the extent to which protected health information (PHI) has been compromised, if at all, and whether notification is required.

Only the practice’s HIPAA privacy and security officer/s can make the determination that a breach has, or has not, occurred - and only after a fact specific risk assessment investigating the breach has taken place.  The practice should notify their risk management department at their liability carrier and seek legal guidance from their attorney/s regarding how such a risk assessment is to be conducted in their practice.  And what further steps, if necessary, must take place.

Risk Assessments - examples of things to consider:
 Risk Assessment under the Final Rule requires consideration of at least these four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; 
  • The unauthorized person who used the PHI or to whom the disclosure was made; 
  • Whether the PHI was actually acquired or viewed; and 
  • The extent to which the risk to the PHI has been mitigated

Factor 1:
Evaluate the nature and the extent of the PHI involved, including types of identifiers and likelihood of re-identification of the PHI –Social security numbers, credit cards, financial data (risk of identity theft or financial fraud) –Clinical detail, diagnosis, treatment, medications –Mental health, substance abuse, sexually transmitted diseases, pregnancy

Factor 2:
 Consider the unauthorized person who impermissibly used the PHI or to whom the impermissible disclosure was made –Does the unauthorized person who received the information have obligations to protect its privacy and security?
 –Does the unauthorized person who received the PHI have the ability to re-identify it?

Factor 3:

 Consider whether the PHI was actually acquired or viewed or if only the opportunity existed for the information to be acquired or viewed
 –Example: Laptop computer was stolen, later recovered and IT analysis shows that the PHI on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine the information was not actually acquired by an unauthorized individual, although opportunity existed

Factor 4:

 Consider the extent to which the risk to the PHI has been mitigated
 –Example: Obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement, etc.) or will be destroyed (if credible, reasonable assurance)

Evaluate the overall probability that the PHI has been compromised by considering all the factors in combination (and more, as needed) 

Risk assessments should be:


  • Thorough,  
  • Completed in good faith, and  
  • Conclusions should be reasonable


If evaluation of the factors fails to demonstrate that low probability that the PHI has been compromised, breach notification is required

A Covered entity or business associate has the discretion to provide the required notifications following an impermissible use or disclosure of protected health information without performing a risk assessment

Also, see the US HHS Office of Civils Rights website for information on the breach notification rule: 

The most current version of TMA’s Policies and Procedures: A Guide for Medical Practices has an extensive section on HIPAA Privacy and Security including sample notification letters and policies and procedures relating to risk assessments:

Links to tools, resources, and information related to HIPAA can be found on the TMA website here:

Also, US HHS Office of Civil Rights has published a very informative Guide to Privacy and Security of Electronic Health Information:

NOTICE: The Texas Medical Association provides this information with the express understanding that 1) no attorney-client relationship exists, 2) neither TMA nor its attorneys are engaged in providing legal advice and 3) that the information is of a general character. This is not a substitute for the advice of an attorney. While every effort is made to ensure that content is complete, accurate and timely, TMA cannot guarantee the accuracy and totality of the information contained in this publication and assumes no legal responsibility for loss or damages resulting from the use of this content. You should not rely on this information when dealing with personal legal matters; rather legal advice from retained legal counsel should be sought. 

Last Updated On

May 06, 2016

Originally Published On

April 22, 2016

Related Content