{"id":1404,"date":"2013-01-24T18:01:59","date_gmt":"2013-01-24T18:01:59","guid":{"rendered":"http:\/\/ncjolt.org\/?p=1404"},"modified":"2020-06-04T20:54:03","modified_gmt":"2020-06-04T20:54:03","slug":"hhs-changes-up-standard-for-hippa-breach-notifications","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/hhs-changes-up-standard-for-hippa-breach-notifications\/","title":{"rendered":"HHS Changes Up Standard for HIPAA Breach Notifications"},"content":{"rendered":"<p>Wednesday, January 23, 2013, by Justin Mann<br \/>\nOn January 17, 2013, the Department of Health and Human Services released <a href=\"http:\/\/www.complianceweek.com\/new-healthcare-privacy-and-security-rules-finally-emerge\/article\/276744\">a final omnibus rule<\/a> based on amendments to the HITECH Act.\u00a0 \u00a0HHS Director Leon Rodriguez heralded the 562 page document as \u201cthe most <a href=\"http:\/\/www.mcknights.com\/omnibus-hipaa-rule-lays-out-sweeping-changes\/article\/276581\/\">sweeping changes<\/a> to the HIPAA Privacy and Security Rules since they were first implemented.\u201d\u00a0 In addition to expanding the scope of responsible persons to <a href=\"http:\/\/www.privacyandsecuritymatters.com\/2013\/01\/finally-hhs-office-of-civil-rights-releases-hipaa-omnibus-rule-with-sweeping-changes-to-compliance-requirements-and-enforcement\/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+PrivacyAndSecurityMattersBlog+%28Privacy+and+Security+Matters+Blog%29\">business associates and some subcontractors<\/a>, the rule completely changed the standard used for determining when patients need to be notified of a potential breach of PHI (protected health information).<br \/>\nAnalysis under the new rule begins with the presumption that a breach has occurred, unless the business associate or entity is able to demonstrate, to a \u201c<a href=\"https:\/\/s3.amazonaws.com\/public-inspection.federalregister.gov\/2013-01073.pdf\">low 
probability<\/a>,\u201d that the incident would qualify as compromising.\u00a0 Rather than assessing the probability of breach in terms of the potential harm to the patient, the new rule sets out four objective factors: (1) type of PHI at issue (e.g., social security number or just height\/weight), (2) who had unauthorized access to the PHI (e.g., another physician or an ex-wife), (3) whether the PHI was actually accessed (e.g., was it with a stack of other documents or simply in the body of an email), and (4) mitigation of risk (e.g., fax immediately destroyed without being read or unable to locate destination).<br \/>\nAfter making a good faith and reasonable risk assessment, the entity or business associate must <a href=\"https:\/\/s3.amazonaws.com\/public-inspection.federalregister.gov\/2013-01073.pdf\">maintain documentation<\/a> that either the PHI owner was notified or that their risk assessment resulted in a low probability that the PHI was compromised.\u00a0 It should be noted that beyond overcoming this presumption, an entity also has the option of adopting one of the safe harbor provisions (e.g., encrypting datasets according to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals).<br \/>\nPrior to this final rule, entities had operated under a \u201c<a href=\"http:\/\/www.insidecounsel.com\/2013\/01\/21\/new-hipaa-rule-expands-patient-privacy-regulations\">significant risk of harm<\/a>\u201d standard.\u00a0 Many acknowledged it was <a href=\"http:\/\/www.govinfosecurity.com\/hipaa-omnibus-impact-on-breach-notices-a-5436\">too subjective<\/a>, and HHS explained it was interpreted as a <a href=\"https:\/\/s3.amazonaws.com\/public-inspection.federalregister.gov\/2013-01073.pdf\">higher threshold<\/a> than had been intended.\u00a0 The question now is what will be the practical implications of this change?\u00a0 As Harry Rhodes of the American 
Health Information Management Association has <a href=\"http:\/\/www.databreachtoday.com\/hipaa-omnibus-impact-on-breach-notices-a-5436\/p-2\">noted<\/a>, the new factors will change entities\u2019 approaches to risk assessment.\u00a0 In this same vein, entities will have to ensure that they update their <a href=\"http:\/\/www.healthleadersmedia.com\/content\/TEC-288495\/HIPAA-Final-Rule-Raises-Fines-for-NonCompliance\">policies and train<\/a> their employees on the new standards, if for no other reason than to encourage them to use the right terminology.\u00a0 Deven McGraw, Director of the Health Privacy Project at the Center for Democracy &amp; Technology, wonders if this <a href=\"http:\/\/www.govhealthit.com\/news\/omnibus-hipaa-rules-impact-data-breach-notification\">middle of the road approach<\/a> will have any real impact at all on the number of breaches <a href=\"http:\/\/www.govinfosecurity.com\/hipaa-omnibus-impact-on-breach-notices-a-5436\">reported<\/a>.\u00a0 She pointed out that risk averse institutions were already operating under self-imposed lower standards, preferring to err on the side of caution.\u00a0 Even HHS, in the <a href=\"https:\/\/s3.amazonaws.com\/public-inspection.federalregister.gov\/2013-01073.pdf\">final rule<\/a>, recognized that entities were already implementing some form of the risk assessment it was calling for.\u00a0 Regardless of the overall effect on breach notifications, the change has certainly added to the to-do lists of compliance officers across the country.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Wednesday, January 23, 2013, by Justin Mann On January 17, 2013, the Department of Health and Human Services released a final omnibus rule based on amendments to the HITECH Act.\u00a0 \u00a0HHS Director Leon Rodriguez heralded the 562 page document as \u201cthe most sweeping changes to the HIPAA Privacy and Security Rules since they were first <a 
href=\"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/hhs-changes-up-standard-for-hippa-breach-notifications\/\" class=\"more-link\">&#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/1404"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=1404"}],"version-history":[{"count":1,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/1404\/revisions"}],"predecessor-version":[{"id":7640,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/1404\/revisions\/7640"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=1404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=1404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=1404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}