New HIPAA Rule Expands Data Breach Notification Requirements

April 15, 2013

The U.S. Department of Health and Human Services (HHS) released the Omnibus Rule, a collection of changes under the Health Insurance Portability and Accountability Act (HIPAA) also known as “the final rule.” One significant change under the final rule is that a covered entity or business associate must presume that when protected health information (PHI) is compromised, a data breach has occurred, and the burden is on the covered entity or business associate to demonstrate a low probability of breach.

A breach is the unauthorized acquisition, access, impermissible use, or disclosure of PHI which compromises its security or privacy. This definition excludes:

(1) Any unintentional acquisition, access, or use of PHI by a person acting under the authority of a covered entity or business associate—if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure not permitted by law

(2) Any inadvertent disclosure of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate—or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted by law

(3) A disclosure of PHI where the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information

Under HIPAA’s previous rule, a covered entity or business associate was required to report a breach to an affected individual where use or disclosure of PHI posed significant risk of financial, reputational, or other harm to that person. Now, under the final rule, notification is required, unless a covered entity or business associate can demonstrate there is a low probability that PHI has been compromised.

In other words, the final rule presumes that any unauthorized acquisition, access, use or disclosure of PHI is a breach; that the burden is on the covered entity or business associate to demonstrate through a risk assessment low probability that the PHI has been compromised. The risk assessment must consider:

(1) The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification

(2) The unauthorized person who used the PHI or to whom the disclosure was made

(3) Whether the PHI was actually acquired or viewed

(4) The extent to which the risk to PHI has been mitigated

Covered entities and business associates must only provide the required notification if the breach involved unsecured PHI, which is defined by having not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology. The rules governing the notice timing, content, and method for notifying the affected individuals of a breach remain unchanged.

The final rule went into effect on March 26, 2013, with a compliance date of September 23, 2013. The next steps for covered entities and business associates are to educate their employees regarding these changes, as well as to update and implement new written policies and procedures that outline the new breach notification requirements in the context of their businesses.

To subscribe to email alerts from Axley Law Firm, click here.