Question
An employee at Health Facility E searched the facility's encrypted Electronic Health Record (EHR) for patient X's medical record using patient X's first and last name. After the Privacy Office conducted an audit trail of the employee's search, it was determined that the employee only accessed patient X's MRN and date of birth.
1. Do any HIPAA exceptions apply?
2. Four-factored Risk Assessment
   1. Nature and extent of information involved
      Is the type of PHI sensitive in nature (for example, financial or clinical in nature)?
      Could the information be used by the recipient in a manner adverse to the individual?
      Is there a likelihood that the PHI released could be reidentified based on the context and ability to link the information with other information?
   2. Unauthorized person/entity to whom the information was disclosed/used
      Is the unauthorized recipient obligated to protect the privacy and security of the PHI?
      Is the recipient able to reidentify the information?
      Does the impermissible use or disclosure result in further impermissible disclosure outside the entity?
   3. Was the PHI actually acquired or viewed?
      Was there merely an opportunity to acquire or view the PHI?
   4. Has the risk to the PHI been mitigated?
      Was the information returned, recovered, or destroyed by the unauthorized recipient?
      Are there satisfactory assurances from the recipient that PHI will not be further used or disclosed (for example, confidentiality agreement)?
3. Is the breach reportable to OCR and/or the Secretary?