Question 11
Unclassified
When assessing whether an impermissible use or disclosure of PHI is a reportable breach under HIPAA, what concept is especially important?
Correct answer: A
Explanation
HIPAA presumes that an impermissible use or disclosure of unsecured PHI is a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised. The required analysis is a documented risk assessment of the factors affecting that probability, so the key concept is whether the PHI was likely compromised, not who the patient is, how the organization is insured, or when the incident happened.
Why each option is right or wrong
A. A risk assessment regarding the probability that the PHI has been compromised
45 C.F.R. § 164.402 defines a "breach" as an impermissible acquisition, access, use or disclosure of unsecured PHI that compromises its security or privacy, and presumes such an incident is a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability the PHI has been compromised. The assessment must consider at least the four regulatory factors in 45 C.F.R. § 164.402(2): the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification), the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated. If that analysis does not support a low probability of compromise, the incident is reportable under the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400-414). Two practical caveats: the rule applies only to unsecured PHI, so data rendered unusable, unreadable or indecipherable to unauthorized persons under HHS guidance (for example, properly encrypted data whose key was not also compromised) is outside its scope; and the definition carves out three narrow exceptions, such as an unintentional, good-faith acquisition by a workforce member acting within the scope of authority, which must be established rather than assumed. In every other case the risk assessment itself must be documented and retained, because the burden of proof that notification was not required rests with the covered entity or business associate.
B. Whether the patient is famous
The identity or public profile of the patient is not one of the regulatory factors. A disclosure involving a well-known person may attract attention, but the notification obligation turns on the probability that the PHI was compromised, which is assessed the same way for every individual.
C. Whether the organization has cyber insurance
Insurance coverage affects how the organization funds its response; it has no bearing on whether the PHI was compromised and is not a factor in the breach risk assessment.
D. Whether the incident occurred on a weekend
The timing of the incident is irrelevant to the breach determination. The discovery date does matter, because it starts the notification clock under the Breach Notification Rule, but it is not a factor in deciding whether the incident is a breach.