HIPAA Q&A: What’s the New Word on Data Breaches?

“The definition of a data ‘breach’ was changed. The Omnibus Rules replaced the more subjective ‘harm standard’ with a more objective test that requires the covered entity to determine (based on a four-factor risk assessment) whether protected health information has been ‘compromised.’” (Snell & Wilmer)

One of the key components of the new HIPAA / HITECH Act Omnibus Rule, issued on January 17, 2013, is a new set of rules regarding data breaches: how they are defined, how to determine when a breach occurs, and when to notify the authorities, among other matters.

For your reference, five questions (and answers) on the revised breach notification rules:

1. What is considered a “breach,” exactly?

“HHS defines ‘breach’ as the ‘acquisition, access, use, or disclosure’ of [Protected health information (PHI)] in violation of the Privacy Rule that ‘compromises the security or privacy’ of the PHI. Under the interim rule, HHS defined the phrase ‘compromises the security or privacy of the PHI’ to mean the inappropriate use or disclosure of PHI involving significant risk of financial, reputational or other harm. The final rule changes this definition by stating that, unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a ‘breach,’ unless the HIPAA-covered entity can demonstrate there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment.” (Duane Morris)

2. What triggers the notification requirement?

“The new standard for assessing whether or not a reportable breach has occurred shifts the burden of proof to the covered entities or BA to show that there is a ‘low probability of risk’ that the information has been ‘compromised.’… The regulations provide guidance on risk analysis information which includes an assessment of 1) the type of information, including identifiers, which is contained within the data as well as how much data may have been subject to breach; 2) the nature and type of unauthorized person or entity [that] received the information… 3) a factual assessment as to whether or not the information was actually acquired or reviewed … and 4) whether or not the risk of ‘compromise’ has been mitigated and in what manner.” (Davis Brown)

3. Are there exceptions to the breach rules?

“The Interim Breach Rule established the following four exceptions to the definition of a breach:

  • An impermissible use or disclosure of PHI that would qualify as a limited data set but also excludes dates of birth and zip codes does not constitute a breach.
  • A workforce member who unintentionally accesses or uses PHI in good faith does not trigger a breach.
  • An inadvertent disclosure between two individuals authorized to access PHI at the same covered entity, business associate, or organized health care arrangement is not a breach.
  • A disclosure where the covered entity has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI is not a breach.” (Manatt, Phelps & Phillips)

4. When must breaches be reported?

“The Final Rule modifies the breach notification requirements to the Secretary of HHS to require that the Secretary must be notified of all breaches affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were ‘discovered,’ and not in which the breaches ‘occurred.’” (King & Spalding)

5. How will the rule changes affect the industry?

“We expect the elimination of the harm threshold to markedly increase the number of breaches reported to HHS. The agency reports that it already receives approximately 19,000 breach notifications annually, about 250 of which affect more than 500 people. OCR estimates about 6.71 million people are affected by these breaches annually. With these rule changes, that number will go up, but will also motivate covered entities and business associates to pursue safe harbors like encryption and redouble efforts to comply with these rules to prevent breaches.” (Poyner Spruill)
