HIPAA Alert: Breach & Notification Requirements
February 7, 2013

As discussed in the previous HIPAA alert, a final, 563-page Omnibus HIPAA Rule was released by the Department of Health and Human Services Office of Civil Rights to strengthen HIPAA’s security and privacy protections. The final rule, effective March 26, 2013, makes sweeping changes to HIPAA’s data security and breach requirements that will have widespread effects on covered entities, business associates and subcontractors of business associates.

In particular, the final rule’s change to the definition of “breach” marks a sea change that moves the focus away from harm to the individual caused by a breach to a probability determination of whether the Protected Health Information has been compromised. Covered entities and business associates should reassess their breach and notification policies in light of the final rule’s new definition.

Some of the issues associated with the final rule’s new definition of breach are included below:

The final rule’s new definition of breach creates regulatory uncertainty concerning how these factors will be interpreted and applied by OCR. To avoid action by OCR and potential civil penalties, covered entities and business associates will need to implement new processes to ensure that these four factors are incorporated into their risk assessments. In assessing a potential breach, covered entities and business associates should document the way each factor is assessed.

Bernstein Shur’s Health Care Practice Group and Data Security Team are actively engaged in analyzing the final rule and advising clients about the implications. For more information, contact 207 774-1200.