The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, originally published as an interim final rule in August 2009, is an important but often overlooked HIPAA provision.
Under that 2009 rule, the U.S. Department of Health & Human Services (“HHS”) defined a breach as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, where “compromises” meant that the incident “poses a significant risk of financial, reputational or other harm to the individual.” This is the “harm standard” discussed below.
Among other things, the Breach Notification Rule places the burden of proof on covered entities (including health care providers) and their business associates: following the discovery of an impermissible use or disclosure of unsecured PHI, they must be able to demonstrate to HHS either that all required notifications were made or that the incident did not constitute a breach. Providers who can demonstrate this may avoid or limit their liability related to the alleged breach. Note that PHI counts as “unsecured” only if it has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance (in practice, encryption or destruction); an incident involving PHI that was properly encrypted under that guidance does not trigger the notification obligations at all.
Remedial measures include notice of the impermissible use or disclosure to the affected individuals, to HHS, and, for a breach affecting more than 500 residents of a state or jurisdiction, to prominent media outlets serving that area.
In January 2013, HHS published a final rule (the “Omnibus Rule”) modifying HIPAA’s Privacy, Security and Breach Notification Rules. One of the main changes was a revision of the obligations of covered entities and their business associates to identify and report breaches of PHI.
Under the previous “harm standard,” providers had discretion as to whether a breach was reportable, based on whether that breach would result in a significant risk of financial, reputational or other harm to the individual. HHS replaced the “harm standard” because it was being applied inconsistently and was criticized as too subjective.
The new standard, as announced in the final rule, presumes that any impermissible use or disclosure of unsecured PHI is a reportable breach. A covered entity or business associate can rebut that presumption only by demonstrating, through a documented risk assessment, that there is a low probability that the PHI has been compromised. That assessment must consider at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.