On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services issued its final rule modifying the HIPAA privacy, security, enforcement, and breach notification rules. The final rule became effective on March 26, 2013, and providers have just over a month left to comply with the new rule. Compliance is required by September 23, 2013.
Changes to Breach Identification
Under the old standard, a reportable breach was an unauthorized use or disclosure of PHI that posed a significant risk of financial, reputational or other harm to the affected individual. Under the new standard, every impermissible use or disclosure of PHI is presumed to be a reportable breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised. The burden of proof has shifted: rather than showing that a breach caused harm, the entity must now show that the PHI was not compromised, and must retain the assessment to support that conclusion.
Previously, we recommended including the following factors in breach risk assessments:
- the type and amount of PHI disclosed;
- to whom the PHI was disclosed; and
- the risk of further disclosure.