On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services issued its final rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The final rule becomes effective on March 26, 2013, and compliance is required by September 23, 2013. At 138 pages, the rule addresses a number of topics, but one key change involves the breach notification requirements first enacted under the HITECH Act.

Currently, a “breach” is defined as an inappropriate use or disclosure of protected health information (PHI) involving significant risk of financial, reputational, or other harm. The final rule changes the definition by stating that an impermissible use or disclosure of PHI is presumed to be a breach, unless the covered entity or business associate, as applicable, can demonstrate that there is a low probability that the PHI has been compromised.

The rule further provides that the determination of whether PHI has been compromised should be evaluated based on at least the following four factors:

  1. The nature and extent of the PHI involved;
  2. The identity of the unauthorized person who used the PHI or to whom the PHI was disclosed;
  3. Whether the PHI was actually accessed or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

To access the final rule, click here

Our Insight.  Your Advantage.  While these factors are similar to those that may have been assessed under prior risk of harm analyses, their increased importance and the presumption of a breach under the new rule could have a significant impact on breach reporting. Accordingly, covered entities and business associates should review their breach notification policies and procedures prior to the September 23, 2013 compliance date to ensure they are consistent with these changes.