The low probability of compromise is an exception to the HIPAA breach notification requirements, allowing an organization to forgo notification when it can show that an impermissible use or disclosure is highly unlikely to have actually compromised the protected health information (PHI) involved. According to an American Medical Association article, “An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a ‘low probability’ that the PHI has been compromised.” The exception spares the entity the burden of the notification process in cases where the actual risk to the PHI was minimal.
If a HIPAA risk assessment demonstrates a low probability that PHI has been compromised, several specific outcomes and actions follow. The covered entity is not required to proceed with breach notification to affected individuals, the Department of Health and Human Services (HHS), or the media.
This is because the impermissible use or disclosure is not considered a breach under the HIPAA Breach Notification Rule in such cases. However, the covered entity must document the findings of the risk assessment, including every consideration and factor that led to the conclusion of a low probability of compromise (the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated).
The documentation serves as evidence of compliance with HIPAA and records the rationale behind the decision not to notify. Covered entities also always have the option to skip the risk assessment and proceed directly to breach notification, for example through HIPAA compliant email, even if they suspect a low probability of compromise.
A HIPAA breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of that PHI.
A risk assessment is not needed if the PHI has obviously been compromised; in that case covered entities may begin the breach notification process without one.
An unauthorized disclosure of PHI typically involves the disclosure of PHI to an unauthorized individual or entity, or access to PHI by an unauthorized individual or entity, and can also include the loss of unsecured PHI.