The final HIPAA Omnibus established a presumption that any unauthorized use or disclosure of Protected Health Information (“PHI”) is a “Breach.” Covered Entities and Business Associates must now perform and document risk assessments on suspected breaches of PHI to determine whether there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. If it is determined that the risk of harm to the individual is low, then the above notification requirements do not have to be completed. Carosh Compliance Solutions will perform this risk assessment for you. Factors to be considered are referenced in the rule; we use OMB Memorandum M-07-16 as our guide for assessing the likely risk of harm to individuals affected by breaches of unsecured PHI.