While it has been over three years since HHS amended the Breach Notification Rule, in some ways, we are no closer to understanding what constitutes a reportable breach under HIPAA. HIPAA requires entities to conduct a breach risk assessment, in which at least four factors are considering to determine whether there is a "low probability of compromise" of the data. But what does it mean for data to be "compromised?" Can one breach risk assessment factor outweigh the others? What other factors can be considered in a breach risk assessment? This session will start off with a refresher on the Breach Notification Rule, including commentary explaining each of the required breach risk assessment factors. The speaker will then lead an interactive discussion of various common but complex case studies to identify which ones qualify as a reportable breach, obtaining the attendee's input throughout.