Emergency Response

Breach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402

9 min read · Last reviewed May 23, 2026

After a possible PHI incident, the four-factor breach risk assessment at 45 CFR § 164.402 determines whether the practice must notify under the Breach Notification Rule. The standard is a presumption of breach unless the practice demonstrates a low probability that the PHI has been compromised. Complete the assessment in writing, document each factor against the facts, and retain the assessment for six years — regardless of the outcome.

What the four-factor analysis actually is

The 2013 Omnibus Rule rewrote the definition of breach at 45 CFR § 164.402 and replaced the older "harm threshold" with a four-factor objective standard. The four factors are:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  2. The unauthorized person who used the PHI or to whom the disclosure was made.
  3. Whether the PHI was actually acquired or viewed (as distinct from merely exposed).
  4. The extent to which the risk to the PHI has been mitigated.

These are evaluated together, not as a checklist. The presumption is that a breach occurred. The practice's burden is to demonstrate the low probability of compromise; if the analysis cannot do that, notification is required.

When the assessment is triggered

The four-factor analysis is triggered any time PHI is used, accessed, acquired, or disclosed in a manner not permitted by the Privacy Rule under 45 CFR Part 164, Subpart E. Common triggers in a small practice:

  • A laptop, phone, USB drive, or paper record containing PHI is lost or stolen
  • A ransomware or other malware event affects systems containing ePHI
  • An email containing PHI is sent to the wrong recipient
  • A misdirected fax containing PHI
  • An employee accesses a patient record without a treatment, payment, or operations purpose
  • A vendor (business associate) reports an incident under their notice obligation at 45 CFR § 164.410
  • A patient or third party reports unauthorized access

Three carve-outs at 45 CFR § 164.402 are not breach (and thus do not require a four-factor analysis):

  • Unintentional access by a workforce member acting in good faith within the scope of authority, with no further use or disclosure
  • Inadvertent disclosure between two authorized people at the same covered entity or business associate, with no further use or disclosure
  • Disclosure where the covered entity has a good-faith belief the unauthorized recipient would not reasonably have been able to retain the PHI

These carve-outs are narrow. OCR scrutinizes their application closely.

Encryption safe harbor

If the PHI involved was rendered unusable, unreadable, or indecipherable per the HHS Guidance to Render Unsecured PHI Unusable — usually meaning the PHI was encrypted at the time of the incident with the encryption key not also compromised — the PHI is not "unsecured PHI" under 45 CFR § 164.402 and the Breach Notification Rule does not apply.

This is the single highest-leverage technical control in HIPAA. Document the encryption posture at the time of the incident — encryption standard (AES-256, FIPS 140-2 module), key-management posture (where the key resides, who has access), and whether the key was exposed in the incident.

Working the four factors

Factor 1: Nature and extent of the PHI involved

Document what kinds of PHI were involved and the volume:

  • Direct identifiers (name, SSN, MRN, DOB, address, phone, email)
  • Sensitive PHI categories (HIV status, mental health, substance use under 42 CFR Part 2, reproductive health, minors)
  • Financial PHI (insurance numbers, credit card data)
  • Whether the data set permits re-identification even if direct identifiers are absent
  • Number of affected individuals (a single patient versus 500+ affects HHS notification path)

More identifiers and more sensitive PHI tilt the analysis toward compromise.

Factor 2: The unauthorized person

Document who accessed or received the PHI:

  • A specific known individual (named recipient on a misdirected email) versus an unknown actor (stolen laptop)
  • Whether the recipient is also a covered entity, business associate, or otherwise bound by confidentiality obligations
  • The recipient's apparent intent (return the device, delete the email versus forward, sell, or post the data)
  • For a recipient who is themselves a covered entity, the analysis tilts toward low probability of compromise; for an unknown actor, it tilts the other way

Document any signed attestation of deletion or return — a fax recipient confirming destruction in writing materially helps the analysis.

Factor 3: Whether the PHI was actually acquired or viewed

Document the evidence that the PHI was — or was not — actually accessed:

  • For lost laptops: was the device powered off, was the disk encrypted, were system logs available to show no login attempts
  • For ransomware: was data exfiltration evidence present in network logs, or was the attack purely encryption-in-place
  • For misdirected email: did the recipient confirm receipt and indicate whether the email was opened
  • For unauthorized internal access: do audit logs show the records were actually opened, or only that they appeared in a query

This is the factor where audit-log quality determines the analysis. Practices with weak logging cannot demonstrate non-acquisition and default toward notification.

Factor 4: The extent to which the risk has been mitigated

Document the actions taken after discovery:

  • Immediate steps to contain the incident (remote-wipe the device, disable the account, recall the email)
  • Recovery actions (signed attestation of destruction from the recipient, return of the device, change of all credentials)
  • Long-term mitigation (encryption deployed, MFA enforced, training reinforced, policy updated)
  • Time elapsed between discovery and mitigation

Strong mitigation evidence tilts the analysis toward low probability of compromise. Weak or absent mitigation tilts the other way.

Documenting the assessment

The assessment is a single document, dated and signed, that walks the four factors in order, identifies the conclusion, and lists the evidence supporting each factor. Standard structure:

  • Incident summary: who, what, when, where, how discovered
  • Volume and category of PHI affected
  • Factor 1 analysis with evidence
  • Factor 2 analysis with evidence
  • Factor 3 analysis with evidence
  • Factor 4 analysis with evidence
  • Overall conclusion: low probability of compromise (not a breach) or breach
  • Decision on notification path (individuals, HHS, media, business associate, state authorities)
  • Signature of Security Official, Privacy Official, and where engaged, counsel
  • Date of assessment

Retain the assessment for six years under 45 CFR § 164.530(j)) and 45 CFR § 164.316(b)). If OCR opens an investigation on the same facts under 45 CFR § 160.306, the assessment is the first document they will ask for.

What not to do

  • Do not skip the assessment because the incident looks small. A misdirected fax to one recipient still requires the four-factor analysis on the record.
  • Do not conclude "not a breach" without documenting the analysis. OCR's published Resolution Agreements repeatedly cite absent or inadequate four-factor analysis.
  • Do not back-date the assessment. The assessment is dated on the day it is completed.
  • Do not have the same individual who caused the incident sign off on the analysis. The Security Official or Privacy Official owns the document.
  • Do not bypass counsel for incidents of any complexity. Privilege over the assessment process is meaningful; the underlying records are still discoverable.
  • Do not assume "low probability" means "no harm occurred." The OCR standard is the probability of compromise of the PHI, not the probability of patient harm.

If the conclusion is breach: notification clock

If the four-factor analysis concludes the incident is a breach, the notification clock at 45 CFR § 164.404 requires individual notice without unreasonable delay and in no case later than 60 calendar days from discovery. The required content of the notice is specified at 45 CFR § 164.404(c)):

  • A brief description of what happened, including dates of breach and discovery
  • A description of the types of unsecured PHI involved
  • Steps individuals should take to protect themselves
  • A brief description of investigation, mitigation, and prevention
  • Contact procedures for further questions

HHS notice paths at 45 CFR § 164.408:

  • 500 or more individuals affected: notify the Secretary contemporaneously with individual notice, no later than 60 days, via the HHS Breach Reporting form
  • Fewer than 500 individuals affected: log the incident and submit an annual report within 60 days of the end of the calendar year

Breaches affecting 500 or more individuals in a state or jurisdiction also require notice to prominent media outlets under 45 CFR § 164.406.

State-law overlay

Federal rules above; state breach-notification law may impose stricter timelines, broader scope, or different thresholds. The four-factor HIPAA analysis governs federal notification; state-level analyses must be performed independently on the same incident:

  • California: the Confidentiality of Medical Information Act (Civil Code §§ 56–56.37) imposes a 15-business-day patient notice for licensed facilities under CDPH rules. California's general data breach statute at Civil Code § 1798.82 may also apply.
  • Texas: Business & Commerce Code Chapter 521 requires notice without unreasonable delay, with attorney-general notice for breaches affecting 250 or more Texas residents.
  • New York: New York breach notification (including Attorney General notice) is governed by General Business Law § 899-aa; the SHIELD Act's data-security program requirement (administrative, technical, and physical safeguards) lives at § 899-bb. Both apply on top of HIPAA for New York residents.
  • Massachusetts: 201 CMR 17 imposes a written information security program standard alongside the M.G.L. c. 93H breach notice obligation.

The HIPAA "low probability of compromise" conclusion does not control state notice obligations. Counsel should evaluate every incident against both standards.

Restraint about claims

No vendor or guide can prevent a breach in absolute terms. Encryption, access controls, and training reduce both the probability and the consequences. The practice's job is to maintain the underlying program, document the response, perform the four-factor assessment honestly, and learn from each incident.

How d3rx fits

The d3rx compliance binder includes the breach-incident workflow, the four-factor assessment worksheet, the fewer-than-500 log, and references back to the HHS notification portal. The d3rx audit defense workflow walks the post-incident documentation steps and the OCR follow-up posture. d3rx does not represent the practice in any OCR or state proceeding and does not replace counsel; it is a point-in-time administrative documentation aid that the practice and counsel work from.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversBreach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

If we encrypted the laptop, do we still have to do the four-factor analysis?

No, if the encryption meets the HHS [Guidance to Render Unsecured PHI Unusable](https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html) standard and the encryption key was not also compromised. Encrypted PHI that meets the HHS guidance is not 'unsecured PHI' under [45 CFR § 164.402](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402), so the Breach Notification Rule does not apply. Document the encryption status and the key-management posture; that documentation is the safe-harbor record.

Who in the practice can perform the four-factor risk assessment?

The HIPAA Security Official and Privacy Official designated under [45 CFR § 164.308(a)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a)(2)) and [45 CFR § 164.530(a)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(a)) own the assessment. For incidents of any complexity — laptop loss, ransomware, email misdirection of more than a handful of patients — counsel should review the assessment before it is finalized. The four-factor analysis is the document OCR asks for first in any breach-triggered investigation.

What does 'low probability that the PHI has been compromised' actually mean?

The 2013 Omnibus Rule replaced the prior 'significant risk of harm' standard with the 'low probability of compromise' standard at [45 CFR § 164.402](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402). It means a presumption of breach applies unless the four factors, evaluated together, demonstrate that compromise was unlikely. The standard is higher than 'no harm occurred' — OCR has interpreted it conservatively in published Resolution Agreements.

How long do we have to complete the assessment before notifying?

Notification under [45 CFR § 164.404](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404) is required without unreasonable delay and in no case later than 60 calendar days from discovery. Within that 60 days, the practice must complete the risk assessment, identify whether the incident is a breach, prepare and send the notice if required, and notify HHS and possibly the media. Many practices complete the assessment within 14 to 30 days and use the remaining window for notice preparation.

Do we have to notify if the risk assessment concludes it is not a breach?

No. If the four-factor assessment concludes there is a low probability of compromise, the incident is not a breach under [45 CFR § 164.402](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402) and no notification is required. The assessment itself must be documented and retained for six years under [45 CFR § 164.530(j)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j)) and [45 CFR § 164.316(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b)). If OCR later opens an investigation on the same facts, the assessment is the document they will ask for first.

Can the same incident be 'not a breach' under HIPAA but reportable under state law?

Yes, and this happens frequently. Several state breach-notification laws use the older 'significant risk of harm' threshold or a flat 'unauthorized access' threshold that does not include a four-factor analysis. California's CMIA, Texas Business & Commerce Code Chapter 521, the New York SHIELD Act, and Massachusetts 201 CMR 17 each impose their own notice triggers. The four-factor HIPAA conclusion governs federal notification; state notice obligations run in parallel.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402
  2. 45 CFR Part 164, Subpart Ehttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E
  3. 45 CFR § 164.410https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.410
  4. HHS Guidance to Render Unsecured PHI Unusablehttps://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
  5. 42 CFR Part 2https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2
  6. 45 CFR § 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
  7. 45 CFR § 164.316(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b
  8. 45 CFR § 160.306https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.306
  9. 45 CFR § 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
  10. 45 CFR § 164.404(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404#p-164.404(c
  11. 45 CFR § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
  12. HHS Breach Reporting formhttps://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
  13. 45 CFR § 164.406https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.406
  14. § 899-aahttps://www.nysenate.gov/legislation/laws/GBS/899-AA
  15. § 899-bbhttps://www.nysenate.gov/legislation/laws/GBS/899-BB

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides