The HIPAA final rule has significantly changed what constitutes a breach of unsecured protected health information and how a breach must be reported. The most prominent changes are summarized below.

Notice of Breach

The final HIPAA Privacy and Security Rule requires that the Notice of Privacy Practices inform individuals that they will be notified following a breach of their unsecured protected health information.

REQUIRED ACTION:
UPDATE AND RE-DISTRIBUTE THE “NOTICE OF PRIVACY PRACTICES” TO COMPLY WITH THIS REQUIREMENT.

What Constitutes a Breach

The final HIPAA Privacy and Security Rule removed the "harm" standard, under which an impermissible use or disclosure was a breach only if it posed a significant risk of financial, reputational or other harm to the individual. In its place, an impermissible use or disclosure of protected health information is now presumed to be a breach unless the covered entity or business associate demonstrates, through a risk assessment, that there is a low probability that the protected health information has been compromised. Breach notification is therefore not required only where a documented risk assessment shows that low probability.

Note: if no risk assessment is performed, the incident is presumed to be a breach and notification is required.

The final rule also removed the exception for "limited data sets" (data sets from which direct identifiers have been stripped). Previously, an impermissible disclosure of a limited data set that excluded dates of birth and zip codes was not treated as a breach. Out of concern that such data can still be re-identified, an impermissible disclosure of any limited data set now requires a risk assessment to determine whether breach notification is required, even where the data set contains no birthdates or zip codes.

The risk assessment must consider at least the following four factors:

  • Nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • Extent to which the risk has been mitigated.

REQUIRED ACTION:

UPDATE BREACH RESPONSE POLICIES AND PROCEDURES SO THAT EVERY IMPERMISSIBLE USE OR DISCLOSURE IS EVALUATED AGAINST THE FOUR-FACTOR RISK ASSESSMENT, AND RETAIN THE DOCUMENTED ASSESSMENT AS EVIDENCE OF THE DECISION NOT TO NOTIFY.

Reporting a Breach

The final HIPAA Privacy Rule requires that when a breach of unsecured protected health information occurs, the plan notify HHS in addition to the affected individuals. If the breach affects fewer than 500 individuals, the plan must log it and provide notice to HHS no later than 60 days after the end of the calendar year in which the breach was discovered. If the breach affects 500 or more individuals, HHS must be notified at the same time as the affected individuals, without unreasonable delay and no later than 60 days after discovery.

REQUIRED ACTION:
PREPARE TO PROVIDE NOTICE TO HHS IN THE EVENT OF A BREACH, AND MAINTAIN A LOG OF BREACHES AFFECTING FEWER THAN 500 INDIVIDUALS FOR THE ANNUAL REPORT.

Powered by Willis