Final HIPAA Rule on Breach Notification - A Breach Is Now Something Different

PHILADELPHIA, Jan. 18, 2013 /PRNewswire/ -- A key change to the notification requirements for breaches involving protected health information (PHI) could make a significant difference to healthcare providers, health plans and their vendors, increasing the risks of their failing to notify affected individuals.

Katherine Keefe, head of Beazley Breach Response Services, a dedicated unit within specialist insurer Beazley that helps clients manage data breaches, said:

"The long awaited final HIPAA rule readdresses the breach notification requirements first enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH) and changes the game fairly materially."  

Under the current interim rule, a breach is defined as an inappropriate use or disclosure of PHI involving significant risk of financial, reputational or other harm. The final rule changes this definition by stating that an impermissible use or disclosure of PHI is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised.

"In particular," Ms Keefe noted, "the final rule requires that four factors be considered when determining if PHI has been compromised.  First, the nature and extent of the PHI involved.  Second, the unauthorized person who used the PHI or to whom the disclosure of PHI was made.  Third, whether the PHI was actually viewed or acquired.  And fourth, the extent to which the risk to the PHI has been mitigated. The government makes very clear that that each of these factors must be considered when evaluating impermissible uses or disclosures of PHI, and that compliance policies need to include these factors."

Ms Keefe said that the final rule would likely make healthcare providers and health plans (and their business associates, which are also covered by the rule) even more wary about failing to notify affected individuals of inappropriate uses or disclosures of PHI.  Even under the interim rule, in force since 2009, more than 21 million victims of "large" healthcare breaches (affecting 500 people or more) have received notifications. While the final rule is slated to take effect on March 26^th, compliance by covered entities and business associates is required by September 23, 2013.
 
Note to editors: 
In 2010 Beazley launched Beazley Breach Response (BBR), a unique insurance, loss control and risk mitigation service for privacy and data breaches.  In less than two years BBR has become recognised as the most comprehensive solution available to the challenge of data breaches.  BBR brings together expert forensic, legal, notification and credit monitoring services to satisfy all legal requirements and maintain customer confidence.