Licensed health care professionals and providers who are already familiar with the HIPAA Breach Notification Rule should recognize that the rule recently underwent significant changes.
In January 2013, HHS published a final rule that modified HIPAA’s Privacy and Security Rules. One of the main areas affected by this update is the obligation of providers and their business associates to identify and report breaches of unsecured PHI.
Under the previous “harm standard,” providers had discretion as to whether a breach was reportable, based on whether the breach posed a significant risk of financial, reputational, or other harm to the individual. HHS replaced the “harm standard” because providers applied it inconsistently.
The new standard, as announced in the final rule, presumes that any impermissible use or disclosure of unsecured PHI is a reportable breach. Providers can rebut that presumption only by demonstrating, through a documented risk assessment, that there is a low probability that the PHI has been compromised. That assessment must consider at least the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
There are many nuances to the HIPAA Breach Notification Rule, and providers must know whether they are required to notify:
- the individual affected by the breach of unsecured PHI;
- the Secretary of HHS (promptly for breaches affecting 500 or more individuals, and in an annual log for smaller breaches); and/or
- the media, when the breach affects more than 500 residents of a state or jurisdiction.
In addition, providers must know when their business associates are required to notify them of a breach that occurs at or by the business associate, so that the provider can meet its own notification deadlines.