Conducting HIPAA Breach Risk Assessments Using the “LoProCo” Analysis

by Margaret Young Levi and Kathie McDonald-McClure

The U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) has a new acronym, “LoProCo,” relating to assessing data breaches under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule that became effective March 26, 2013.

It is OCR’s position that a breach is presumed—unless an entity can demonstrate that there is a Low Probability that the data has been Compromised (LoProCo). With any breach, entities should immediately perform a risk assessment and look at certain factors to decide whether there is a low probability of compromise or LoProCo. The risk assessment should consider:

1. The nature and extent of the protected health information (PHI) involved (including the types of individual identifiers and the likelihood of re-identification);
2. Who was the unauthorized person who received or accessed the PHI;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.

Take, for example, a breach involving a misdirected fax, which is one of the most frequent small breaches reported to OCR. In performing this analysis, entities should consider who received the fax. Was the fax sent to the wrong physician’s office? Or perhaps to a bank? In either case, it is expected that the data would not be compromised, because both of those entities have confidentiality requirements. However, if the fax was sent to a local convenience store, then there is more risk. Also consider how quickly the recipient was contacted about the fax. Was there time for the fax to be reviewed or copied? Was the fax destroyed?

If a thorough LoProCo analysis does not lead to a conclusion that there was a low probability that the PHI was compromised, then breach notification is required. For additional information on the OCR’s breach notification requirements, click here. For a further discussion by the OCR on assessing the low probability of data’s compromise, click on “HIPAA Omnibus Rule” on our Blog’s side bar and go to page 5642.

3 thoughts on “Conducting HIPAA Breach Risk Assessments Using the “LoProCo” Analysis”

  1. […] Remember: HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule, has a new definition of a “breach” that became effective March 26, 2013. It is OCR’s position that a breach is presumed—unless an entity can demonstrate that there is a Low Probability that the data has been Compromised (LoProCo). With any loss, theft or potential unauthorized access to unsecured protected health information, entities should immediately perform a risk assessment and look at certain factors to decide whether there is a low probability of compromise or LoProCo. If a LoProCo analysis is not done, a breach is presumed and, even if under a LoProCo analysis it would not have been a breach, a loss, theft or unauthorized access of unsecured protected health information must be reported as a breach to OCR. For more information about the LoProCo analysis, see our previous post on December 1, 2013, here. […]
