The Final Rule significantly modified the HIPAA/HITECH breach notification rules relating to the procedures that covered entities or business associates, as applicable, must take when determining whether a breach of unsecured Protected Health Information ("PHI") requires notification to affected individuals, the Secretary of the Department or the media.

The Final Rule creates a presumption that an impermissible use or disclosure of unsecured PHI is a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. This regulatory change represents a significant burden on covered entities and business associates. As a result, for each improper release of PHI, covered entities and business associates, as applicable, will need to document in a detailed and comprehensive fashion their risk assessment review and conclusions regarding impermissible uses or disclosures of unsecured PHI, even if they ultimately determine that the use or disclosure was not a breach.

The new "low probability" standard replaces the previous "harm standard" that was set forth in the Interim Final Rule (issued by the Department on October 30, 2009) (the "IFR"), which called for a more objective approach to the determination of whether a breach has occurred. Under the Final Rule, a covered entity's determination of whether there is a "low probability" that PHI was compromised must address, at a minimum, the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

Further, after addressing each of the above stated factors, the covered entity or business associate must evaluate the overall probability that the PHI was compromised by considering all factors in combination. The Department clarified that a covered entity or business associate may choose to automatically provide the required notification following any impermissible use or disclosure of PHI without performing a risk assessment to determine if one is necessary.

The Final Rule also removed the IFR exception to the breach notification rule that was applicable to "limited data sets". Under that exception, an impermissible use or disclosure of PHI that qualified as a limited data set but excluded dates of birth and zip codes was not considered a "breach." Now, even in those cases, the covered entity must conduct a risk assessment using the above-described criteria to determine whether a breach occurred.

The Final Rule addressed and clarified a number of detailed questions raised by commenters. For example, it clarified that uses or disclosures that impermissibly involve more than the minimum necessary information may qualify as breaches, even though such information, if disclosed to a business associate or used internally within a covered entity or business associate, may have a low probability that the PHI was compromised, since the information was not acquired by a third party. Further, the Department declined to provide an explicit exception to the definition of "breach" in the event a laptop is lost and recovered and a forensic analysis shows that the PHI on the computer was not accessed. Instead, the covered entity will still need to go through its risk assessment and may determine that there is a low probability that the PHI was compromised. The Department noted that if a computer is lost or stolen, it is not reasonable to delay breach notification in hopes that it will be recovered.

As a result of the new "low probability" standard, covered entities and business associates will need to examine and revise their breach notification policies and procedures prior to the September 23, 2013 effective date of the Final Rule.