HIPAA Alert: Breach & Notification Requirements

As discussed in the previous HIPAA alert, a final, 563-page Omnibus HIPAA Rule was released by the Department of Health and Human Services Office of Civil Rights to strengthen HIPAA’s security and privacy protections. The final rule, effective March 26, 2013, makes sweeping changes to HIPAA’s data security and breach requirements that will have widespread effects on covered entities, business associates and subcontractors of business associates.

In particular, the final rule’s change to the definition of “breach” marks a sea change that moves the focus away from harm to the individual caused by a breach to a probability determination of whether the Protected Health Information has been compromised. Covered entities and business associates should reassess their breach and notification policies in light of the final rule’s new definition.

Some of the issues associated with the final rule’s new definition of breach are included below:

• Pursuant to the current rule, which will change in March 2013, breach means the acquisition, access, use or disclosure of PHI which compromises the security or privacy of PHI. To determine whether the security or privacy of PHI is compromised, the current rule requires one to determine whether the compromise poses a significant risk of financial, reputational or other harm to the individual. This approach focuses on risk of harm to the individual in determining (1) whether there is a data breach, and (2) whether notification of the data breach is required.
• The final rule changes the definition of breach to clarify that an impermissible use or disclosure of PHI is “presumed to be a breach unless the covered entity or business associate . . . demonstrate that there is a low probability that the protected health information has been compromised based on a risk assessment of at least four factors.” The final rule focuses on the probability of whether PHI has been compromised whereas the former rule focused on harm to the individual.   
• The four minimum factors a covered entity or business associate must consider in conducting a risk assessment include (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification (2) the unauthorized person who used the PHI or to whom the disclosure was made (3) whether the PHI was actually acquired or viewed (4) the extent to which the risk to the PHI has been mitigated.

The final rule’s new definition of breach creates regulatory uncertainty concerning how these factors will be interpreted and applied by OCR. To avoid action by OCR and potential civil penalties, covered entities and business associates will need to implement new processes to ensure that these four factors are incorporated into their risk assessments. In assessing a potential breach, covered entities and business associates should document the way each factor is assessed.

Bernstein Shur’s Health Care Practice Group and Data Security Team are actively engaged in analyzing the final rule and advising clients about the implications. For more information, contact 207 774-1200.