
When healthcare professionals suspect a breach of protected health information, they must conduct a four-factor HIPAA breach risk assessment. This helps identify whether the incident qualifies as a reportable breach under the HIPAA Breach Notification Rule.
HIPAA defines a breach as any unauthorized use or disclosure of PHI that presents more than a low probability of compromise. Examples include losing an unencrypted laptop, improperly handling paper PHI, or falling for a phishing attack.
Under the HIPAA Breach Notification Rule (45 CFR §§164.400–414), an impermissible use or disclosure of unsecured PHI under the Privacy Rule is presumed to be a breach. Covered entities and business associates may rebut this presumption only by conducting a documented risk assessment. Breaches affecting 500 or more individuals are also posted publicly on the OCR breach portal, commonly called the "Wall of Shame."
This assessment must evaluate four specific factors to determine the likelihood that the PHI was compromised. If the probability of compromise is low, the incident may not qualify as a breach and may not require notification.
The four factors of a HIPAA Breach Risk Assessment are as follows:
The first factor is the nature and extent of the PHI involved. Begin your breach risk assessment by identifying what types of protected health information (PHI) were disclosed. Was it limited to basic identifiers, or did it include more sensitive elements?
Ask the following questions:
The more sensitive and specific the information, the greater the potential harm to the individual. High-risk data elements increase the likelihood of identity theft, medical fraud, or reputational damage.
You must also consider whether the information could be combined with publicly available or previously exposed data. When PHI can be linked with other identifiers, the risk to the individual is magnified.
The second factor is the unauthorized person who used the PHI or to whom it was disclosed. Determine who accessed, received, or potentially viewed the protected health information (PHI). The level of risk depends heavily on the recipient's identity and whether they have an obligation to protect patient privacy.
The risk may be significantly reduced if the PHI was disclosed to another covered entity or a business associate. These parties are legally required to protect PHI and limit its use and disclosure to the minimum necessary.
However, the risk increases if the information was accessed by an unauthorized individual, such as a former employee, a member of the public, or a third-party service provider without a business associate agreement. Exposure to individuals without a duty to protect the data increases the likelihood of misuse or further unauthorized disclosure.
As part of your assessment, you must document whether the recipient had a legitimate reason to view the PHI and whether they are reasonably expected to maintain its confidentiality. The more unknown or untrustworthy the recipient, the more likely that breach notification will be required.
The third factor is whether the protected health information (PHI) was actually acquired or viewed. Assess whether it was seen, read, downloaded, or otherwise acquired by an unauthorized party. Exposure alone does not confirm a breach; you must try to determine whether the data was truly accessed.
Start by reviewing system logs, email metadata, and device tracking information. For example, if a misdirected email bounced back without being opened, or if a lost device was recovered with no signs of unauthorized access, the risk may be lower.
On the other hand, if access logs confirm that files were opened, messages were read, or credentials were used to access a system, the risk increases. The inability to verify whether the PHI was accessed, such as when a device is permanently lost or when logging is incomplete, should be treated as a red flag.
Your risk assessment must clearly document the evidence used to reach your conclusion. A defensible analysis will show whether there is a reasonable basis to believe the PHI was actually viewed or acquired.
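Factor 3 turns on what the logs can and cannot show. As an added illustration (not code from the article or from ChartRequest), the following Python evaluates constructed audit-log lines for an exposure window and returns one of three determinations, treating missing or unparseable logging as the red flag described above; the log format, field names, action vocabulary and sample users and records are assumptions.

```python
import re
from datetime import datetime

# Assumed audit-line format: "<ISO ts> user=<id> action=<verb> record=<id> result=<ok|denied>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"record=(?P<record>\S+) result=(?P<result>\S+)$")
ACQUIRE_ACTIONS = {"view", "open", "download", "export"}  # verbs meaning PHI was actually acquired

def parse_line(line):
    """Parse one audit line; None means malformed, which is itself a logging defect."""
    m = LINE_RE.match(line.strip())
    return m and dict(m.groupdict(), ts=datetime.fromisoformat(m["ts"]))

def uncovered(start, end, coverage):
    """Parts of the exposure window not covered by any (from, to) logging period."""
    gaps, cursor = [], start
    for c_from, c_to in sorted(coverage):
        if cursor < min(c_from, end):
            gaps.append((cursor, min(c_from, end)))
        cursor = max(cursor, c_to)
    if cursor < end:
        gaps.append((cursor, end))
    return gaps

def assess_factor3(log_lines, exposed_records, authorized_users, window, coverage):
    """Return (determination, evidence): 'accessed' if an unauthorized user successfully acquired
    exposed PHI, 'no_access_observed' if complete logs show no such event, else 'inconclusive'."""
    start, end = window
    parsed = [(line, parse_line(line)) for line in log_lines]
    defects = [f"unparseable line: {line!r}" for line, e in parsed if e is None]
    defects += [f"no audit coverage {a.isoformat()}..{b.isoformat()}"
                for a, b in uncovered(start, end, coverage)]
    hits = [f"{e['ts'].isoformat()} {e['user']} {e['action']} {e['record']}"
            for _, e in parsed if e and start <= e["ts"] <= end
            and e["record"] in exposed_records and e["action"] in ACQUIRE_ACTIONS
            and e["result"] == "ok" and e["user"] not in authorized_users]
    if hits:
        return "accessed", hits
    return ("inconclusive", defects) if defects else ("no_access_observed", [])

# Constructed sample data for a misdirected-share scenario (not real records or users).
WINDOW = (datetime(2024, 3, 1, 9), datetime(2024, 3, 1, 17))
EXPOSED, AUTHORIZED = {"MRN-1001", "MRN-1002"}, {"dr.patel", "nurse.jones"}
SAMPLE_LOG = [
    "2024-03-01T09:15:00 user=dr.patel action=view record=MRN-1001 result=ok",
    "2024-03-01T10:02:00 user=ext.contractor action=view record=MRN-1002 result=denied",
    "2024-03-01T11:30:00 user=nurse.jones action=download record=MRN-1001 result=ok",
]
UNAUTHORIZED_HIT = "2024-03-01T14:20:00 user=ext.contractor action=download record=MRN-1002 result=ok"
PARTIAL_COVERAGE = [(datetime(2024, 3, 1, 9), datetime(2024, 3, 1, 13))]  # audit agent down after 13:00
```

The returned evidence list is what the written assessment should cite; an "inconclusive" result is the case the article says to treat as a red flag rather than as proof of no access.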
The fourth and final factor is the extent to which the risk to the PHI has been mitigated. After a potential breach, evaluate how effectively the organization reduced the risk of harm to affected individuals.
Start by identifying the actions taken to contain the incident.
The effectiveness of mitigation depends on timing, verification, and follow-through. If the recipient confirms in writing that the data was not accessed or was destroyed securely, the likelihood of compromise may be reduced. The organization should document if PHI was rendered unreadable through encryption or if no access occurred before containment.
Your analysis should describe what steps were taken, who was involved, and how success was measured. Weak or unverified mitigation may leave the risk level unchanged, especially if the recipient is unknown or uncooperative.
Strong mitigation does not erase the exposure but can shift the determination from a reportable breach to a non-reportable event if all other factors support that outcome and the documentation holds up under scrutiny.
Organizations must initiate the four-factor breach risk assessment immediately after discovering any unauthorized use or disclosure of protected health information (PHI). This evaluation determines whether the incident meets HIPAA’s definition of a breach and whether notification is required.
The HIPAA Breach Notification Rule requires the resulting notifications to be made without unreasonable delay and sets a firm deadline of 60 calendar days after the breach is discovered.

Every four-factor risk assessment must be documented, even if the incident does not result in breach notification. The Office for Civil Rights (OCR) may request this documentation during an investigation or audit to verify compliance.
Your documentation should clearly show how the determination was made. At minimum, it must include:
Under HIPAA (45 CFR §164.316(b)(2)(i)), all documentation related to compliance activities, such as breach assessments and mitigation steps, must be retained for at least six years from the date of creation or the date it was last in effect, whichever is later.
A well-documented and retained risk assessment demonstrates due diligence and can be critical to defending your organization’s actions during regulatory review.
Completing a four-factor HIPAA breach risk assessment is essential after any suspected privacy incident, but the best defense is prevention.
ChartRequest is a HIPAA-compliant release-of-information platform built to modernize how healthcare organizations handle medical record requests. We help providers securely fulfill requests while reducing administrative burden and protecting patient data at every step. Features include:
Powerful Encryption: All data managed through ChartRequest is encrypted both in transit and at rest to protect sensitive information from unauthorized access.
Strict Access Controls: ChartRequest enforces role-based access to ensure users only see the information required for their specific roles.
Detailed Audit Logs: Every user action is automatically recorded with timestamps, creating a comprehensive audit trail and strengthening risk assessments.
ChartRequest helps you minimize breach risk, strengthen HIPAA compliance, and avoid costly investigations. Schedule a consultation today to see how our platform can support your privacy and security goals.