
Risk Assessment When a Breach has Occurred

Now that you have discovered that a breach occurred, what do you do? Remember: the acquisition, access, use, or disclosure of PI in a manner not permitted by law is an apparent breach unless the agency can demonstrate that it is not reasonable to believe that the PI has been compromised, based on a risk assessment of at least the factors below.

  • Determine the nature and extent of the PI involved, including the types of identifiers and the ability to identify individuals:

  • Determine the nature of the person who acquired, accessed, used, or received the PI:

  • Risk: Determine whether the PI was actually accessed, acquired, or viewed by an unauthorized individual:

  • Take steps to mitigate the results of the breach.

    Ex: confirmed that confidential information sent to the wrong recipient was returned or destroyed, or that policies and procedures were modified as a result of the incident.

  • For each risk assessment question above (boxes 1-4), create a chart and enter your risk rating (e.g. low, moderate, high).

  • Finally, determine whether the unauthorized acquisition, access, use, or disclosure of PI compromised the security or privacy of Personal Health Information (PHI).

  • Record your findings and provide an explanation.

