What is the low probability of compromise exception?

The low probability of compromise is an exception to breach notification requirements, allowing organizations to avoid sending a notice if it is highly unlikely that a disclosure could lead to a breach. According to an American Medical Association article, “An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a ‘low probability’ that the PHI has been compromised.” This avoids the trouble of enacting notification requirements if the actual risk to protected health information (PHI) was minimal.

The factors considered in a risk assessment

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
2. The unauthorized person who accessed or used the breached PHI.
3. Whether PHI was actually acquired or viewed.
4. The extent to which the risk to PHI has been mitigated. 

The process 

1. Determine if an unauthorized use or disclosure of PHI has occurred.
2. Conduct a risk assessment to evaluate the probability that the PHI has been compromised. 
3. If the risk assessment demonstrates a low probability that the PHI has been compromised, document the analysis.
4. If a low probability is determined, breach notification is not required.
5. If the PHI is obviously compromised, covered entities may always begin the breach notification process without conducting a formal risk assessment.

What happens if the risk assessment shows a low probability 

If a HIPAA risk assessment demonstrates a low probability that PHI has been compromised, several specific outcomes and actions follow. The covered entity is not required to proceed with breach notification to affected individuals, the Department of Health and Human Services (HHS), or the media. 

It is because the impermissible use or disclosure is not considered a breach under the HIPAA Breach Notification Rule in such cases. However, the covered entity must document the findings of the risk assessment, including all considerations and factors that led to the conclusion of low probability of compromise. 

The documentation serves as evidence of compliance with HIPAA and demonstrates the rationale behind the decision not to notify. It also should be noted that covered entities always have the option to skip the risk assessment and proceed directly with breach notifications through means like HIPAA compliant email, even if they suspect a low probability of compromise. 

FAQs

What constitutes a breach under HIPAA? 

A HIPAA breach is the acquisition, access, use, or disclosure of PHI in a way that is not permitted by HIPAA. 

When is a risk assessment not needed? 

A risk assessment isn't needed if the PHI is obviously compromised, and covered entities may begin the breach notification process without one.

What counts as an unauthorized disclosure of PHI?

An unauthorized disclosure of PHI typically involves the disclosure of PHI to an unauthorized individual or entity, or access by an unauthorized individual or entity to PHI, and can also include the loss of unsecured PHI.