Breach Definition + Risk Assessment
Description
Determine whether an impermissible use or disclosure constitutes a breach requiring notification via the 4-factor risk assessment.
⚠️ Risk Impact
Not every impermissible use or disclosure is a 'breach' requiring notification, but the 4-factor test must be performed and documented for each incident. Skipping the assessment and assuming 'low risk' leaves nothing to rebut the presumption of breach when OCR audits the incident.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance. Note that this is a documentation and process control rather than a cloud configuration setting: the audit evidence is the written assessment for each incident, so the scanner finding is a prompt to produce that record, not a substitute for it.
🔧 Remediation
For each impermissible use or disclosure of unsecured PHI, conduct and document the 4-factor risk assessment: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; (4) the extent to which the risk to the PHI has been mitigated. The regulation presumes a breach; notification may be withheld only when the documented assessment demonstrates a low probability that the PHI has been compromised.
💀 Real-World Attack Scenario
A laptop holding roughly 8,000 patient records was stolen from a clinician's car. The hospital assumed 'low risk' because it believed the laptop was encrypted, but it documented neither the encryption status nor a 4-factor assessment. OCR's investigation found no documented assessment rebutting the presumption of breach, treated the incident as a reportable breach, and required full notification plus a penalty. Encryption only removes the notification obligation when it meets HHS guidance and the key was not compromised, and that, too, has to be shown in the incident record.
💰 Cost of Non-Compliance
Missing 4-factor assessment: $200K-$1.5M penalty plus the full cost of notification.
📋 Audit Questions
1. Is a 4-factor assessment performed for every incident?
2. Show the documented assessment for the last 3 incidents.
3. Who makes the breach determination, and under what authority?
4. How are staff trained on the assessment process?
⚡ Common Pitfalls
- ⛔ Skipping the formal 4-factor assessment and relying on intuition
- ⛔ Single-person determination without review
- ⛔ Inconsistent application across incidents
📈 Business Value
The documented 4-factor assessment is the legal foundation for withholding notification when that is justified; without it, the default presumption of breach stands.
⏱️ Effort Estimate
Per incident: ~2 hours
EchelonGraph provides a templated 4-factor assessment workflow.
🔗 Cross-Framework References
45 CFR 164.402 (HIPAA Breach Notification Rule: definition of breach and the 4-factor risk assessment)