In order to determine whether PHI has been compromised in a physician office, you should always consider the following:
- The nature and extent of PHI involved, including the types of identification and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to PHI has been mitigated.
This is not an exhaustive list but one to get you started. Other considerations may be applied depending on the actual circumstances surrounding the breach.