According to the final rule published by the U.S. Department of Health and Human Services (HHS) on Jan. 25, 2013 that overhauls the Health Insurance Portability and Accountability Act of 1996 (HIPAA), “covered entities” and their business associates will have to conduct more thorough risk assessments following breaches of “unsecured protected health information.”
Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, covered entities have had to provide notification of discovered breaches—defined for HIPAA purposes as the impermissible acquisition, access, use, or disclosure of “protected health information” (PHI) that compromises the security or privacy of the PHI—to affected individuals, the federal government, and even the media in some cases. To this end, under an interim rule released by HHS later that year, covered entities and their business associates had to determine if a breach occurred by performing a risk assessment of whether there was a “significant risk of harm to the individual as a result of the impermissible use or disclosure.” As HHS concluded in the new rule, however, this “harm standard” was often interpreted as setting a much higher threshold for breach notification than the agency intended and frequently resulted in subjective, inconsistent determinations as to what amounted to “harm.”
In an attempt to address these concerns, HHS modified the breach analysis in several ways in the new rule, with which covered entities and business associates must comply by Sept. 23, 2013. First, it adds a presumption that an impermissible use or disclosure of PHI is a breach. Second, it replaces the harm standard with a new standard that requires covered entities and business associates to demonstrate that there is a “low probability that the protected health information has been compromised . . . .” This standard, in turn, incorporates several factors that were previously weighed under the harm standard:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired and viewed; and
- The extent to which the risk to the PHI has been mitigated.
In light of these changes, covered entities and business associates should examine their risk-assessment policies to ensure that they conform to the new breach standard. In doing so, they should bear in mind that HHS requires all of the above factors to be considered in a breach analysis, in addition to other factors that may be warranted depending on the circumstances of an impermissible use or disclosure.