HITECH's Harm Threshold: A Guide to Performing a Risk Assessment to Determine if a Breach Occurred

Executive Summary

The HITECH Act fundamentally reshaped the HIPAA Breach Notification Rule by establishing clear requirements for determining whether an impermissible use or disclosure of protected health information (PHI) constitutes a breach. One critical concept, originally part of HHS guidance but since superseded by the “low probability of compromise” standard, was the harm threshold test.

Although the harm threshold itself is no longer the formal rule, understanding it remains valuable because many small practices still rely on its underlying principles when performing risk assessments to determine breach status. The methodology, rooted in assessing potential harm to affected individuals, offers a practical lens for evaluating incidents.

Understanding the Harm Threshold Concept

The harm threshold test asked: Would the impermissible use or disclosure pose a significant risk of financial, reputational, or other harm to the individual?

Under this framework, if an organization determined there was no significant risk of harm, it could decide that breach notification was not required. HHS later replaced this approach with the “low probability of compromise” standard, which requires a more objective analysis of four factors under 45 CFR § 164.402(2):

  1. The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification

  2. The unauthorized person who used the PHI or to whom the disclosure was made

  3. Whether the PHI was actually acquired or viewed

  4. The extent to which the risk has been mitigated

Despite this change, the harm threshold remains a useful conceptual framework for evaluating harm in the context of these factors.

Why Risk Assessments Are Critical Under HITECH

HITECH places the burden of proof on covered entities and business associates to show that all required notifications were made or that a breach did not occur. A well-documented risk assessment:

  • Demonstrates due diligence in evaluating incidents

  • Provides the rationale for your decision whether to notify

  • Serves as evidence during OCR investigations

  • Supports a consistent, defensible breach determination process

Steps to Performing a Risk Assessment

Step 1: Gather All Incident Facts

Collect details about the incident, including how it occurred, what PHI was involved, and who had access. Interview staff, review logs, and preserve evidence.

Step 2: Classify the PHI Involved

Determine the sensitivity of the information: does it include financial data, Social Security numbers, or sensitive medical diagnoses? The higher the sensitivity, the greater the potential harm.

Step 3: Identify the Unauthorized Party

Assess whether the recipient is bound by HIPAA or other confidentiality obligations. Disclosure to another covered entity may present lower risk than to a non-affiliated individual.

Step 4: Assess the Likelihood of Access or Use

Consider whether the PHI was actually accessed or viewed. For example, a misdirected fax immediately destroyed by the recipient may pose minimal risk.

Step 5: Evaluate Mitigation Steps

Document actions taken to reduce risk, such as retrieving the PHI, obtaining confidentiality assurances, or disabling compromised accounts.

Step 6: Determine the Probability of Compromise

Weigh all factors to conclude whether there is a low probability that the PHI has been compromised. This conclusion drives your decision on breach notification.

Step 7: Document Your Analysis

Maintain detailed records of your methodology, findings, and decision. This documentation is crucial for demonstrating compliance.

Real-Life Case Study: The Misdirected Email

In 2021, a small family practice accidentally sent an appointment reminder email to the wrong patient. The message included the name and date of birth of another individual. Upon discovering the error, the practice’s privacy officer immediately initiated a structured risk assessment under 45 CFR § 164.402 to determine whether the incident met the definition of a breach requiring notification.

Nature of PHI: The disclosed information consisted solely of the patient’s name and date of birth, with no medical, diagnostic, or financial details.

Recipient: The unintended recipient was an established patient of the practice, already bound by an existing provider–patient relationship.

Acquisition/View: The recipient confirmed that they had opened the email, recognized the mistake, and promptly deleted it without saving or sharing the information.

Mitigation: The recipient also signed a confidentiality acknowledgment to further confirm non-disclosure.

Based on this analysis, the privacy officer concluded that the probability of compromise was low and that breach notification under the HIPAA Breach Notification Rule was not required. The decision and all supporting evidence were thoroughly documented.

When the Office for Civil Rights (OCR) later reviewed the incident during a desk audit, it accepted the determination, citing the completeness of the risk assessment documentation.

Lesson Learned: A well-documented, methodical risk assessment can help a practice avoid unnecessary breach notifications and potential regulatory penalties.

Risk Assessment Checklist for Breach Determination

Each item lists the requirement, followed by how to implement it.

  • Gather all incident facts: Collect details on how the incident occurred, the PHI involved, and who had access; interview staff and review logs.

  • Classify PHI sensitivity: Identify whether the data includes financial information, SSNs, or sensitive medical details.

  • Identify the unauthorized recipient: Determine whether the recipient is covered by HIPAA or bound by confidentiality obligations.

  • Assess the likelihood of access or use: Confirm whether the PHI was actually acquired or viewed.

  • Evaluate mitigation actions: Document steps taken to reduce risk, such as retrieval or confidentiality assurances.

  • Determine the probability of compromise: Analyze all factors to conclude whether the risk of breach is low or significant.

  • Document the risk assessment thoroughly: Use standardized templates; keep records of findings, methodology, and decisions for at least six years.

  • Involve appropriate personnel: Include the privacy officer, security officer, and legal counsel in assessments.

  • Integrate state law requirements: Review and apply stricter state breach laws when applicable.

  • Provide staff training: Educate staff on recognizing and reporting potential breaches promptly.

  • Use a standardized, repeatable process: Ensure consistent and defensible breach determinations across incidents.

Common Pitfalls and How to Avoid Them

Pitfall 1: Incomplete Documentation

Some practices conduct an assessment but fail to record their findings, leaving no proof of due diligence.

How to Avoid It: Create a standardized risk assessment template that captures all four regulatory factors, and store completed forms for at least six years.

Pitfall 2: Overreliance on the Old Harm Threshold

Using only the harm threshold concept without considering the “low probability of compromise” standard may lead to noncompliance.

How to Avoid It: Incorporate both harm considerations and the four required factors into your assessment process.

Pitfall 3: Failing to Involve the Right People

Assessments conducted solely by IT staff may overlook privacy or legal considerations.

How to Avoid It: Include the privacy officer, security officer, and, if needed, legal counsel in the assessment process.

Pitfall 4: Ignoring State Law Requirements

Some states have stricter breach definitions or shorter notification timelines than HIPAA.

How to Avoid It: Review and integrate state-specific rules into your incident response plan.

Pitfall 5: Underestimating “Benign” Disclosures

Even seemingly harmless disclosures can create risk if combined with other data sources.

How to Avoid It: Consider the possibility of re-identification or data linkage when evaluating risk.

Pitfall 6: No Timely Assessment Process

Delays in assessing an incident can shorten your window for required notifications.

How to Avoid It: Begin the risk assessment as soon as an incident is reported and set internal deadlines.

Pitfall 7: Lack of Staff Awareness

If employees don’t recognize potential breaches, incidents may go unreported and unassessed.

How to Avoid It: Provide regular training on identifying and reporting potential breaches.

Pitfall 8: Inconsistent Decision-Making

Without standardized criteria, similar incidents may be treated differently.

How to Avoid It: Use a documented, repeatable process for all risk assessments.

References and Further Reading

  1. HHS OCR – Guidance on Risk Assessment Under the Breach Notification Rule

  2. 45 CFR § 164.402 – Definitions Related to Breach Notification

  3. HHS OCR – Breach Notification Rule Overview

Final Thoughts and Recommended Next Steps

The harm threshold concept may no longer be the formal standard, but its focus on potential harm remains relevant for small practices performing risk assessments under HITECH. By integrating both the harm analysis and the “low probability of compromise” factors, you can create a robust, defensible process that meets regulatory expectations.

Next Steps for Your Practice:

  • Develop or update your breach risk assessment template to align with 45 CFR § 164.402(2)

  • Train staff to promptly report potential breaches

  • Integrate state law requirements into your assessment process

  • Maintain all documentation to meet HITECH’s burden of proof requirement

By approaching each incident with a structured, documented methodology, small practices can make defensible breach determinations, maintain compliance, and protect patient trust.

For added assurance, invest in a compliance management tool designed for HITECH. These solutions centralize regulatory tracking, provide continuous risk evaluation, and ensure your practice is prepared for audits by addressing weak points before they escalate, reflecting a proactive commitment to compliance.