HIPAA Breach Definition Updated in the 2013 HIPAA Omnibus Final Rule

HIPAA Breach Definition Update

The HIPAA Omnibus Final Rule issued in January 2013 contains many updates to the current regulations, and finalizes the Breach Notification Interim Final Rule of 2009. Among these changes, the 2013 Final HIPAA Rule has broadened the definition of breach. It is crucial for Covered Entities (CEs) and Business Associates (BAs) to understand how a HIPAA breach is defined in order to prevent breaches and deal with the ones that occur. Below, we cover the definition of a HIPAA breach, the four factors used in evaluating the probability of compromise of PHI, and breach exclusions.

Under the current HIPAA breach regulations, a breach is considered the use or disclosure of PHI that involves a risk of financial, reputational or other harm to the patient. With the new changes in the 2013 HIPAA Final Rule, any impermissible use or disclosure of PHI will be considered a breach unless the CE or BA can show that the chance of the PHI being compromised was low. This replaces the previous requirement to perform a “risk of harm analysis” following a breach. CEs and BAs may still perform a risk of harm analysis, but they are now required to perform a risk assessment using the four factors listed below. These four factors aid in determining whether the PHI has been compromised to the extent necessary to be considered and reported as a HIPAA breach:

  • the identity of the person to whom the PHI was disclosed,
  • whether the PHI was actually acquired or viewed,
  • the actual content of the PHI, e.g. identifying factors, and
  • how the risk of disclosure of PHI has been mitigated.

Documenting the risk assessment also serves the purpose of documenting the reason for not notifying patients or government authorities of a breach.

Current exceptions to the HIPAA Breach Notification provisions will still be in effect under the 2013 HIPAA Final Rule:

  • First, breaches do not occur when there is an inadvertent or unintentional disclosure to someone within a CE or BA, provided there is no further impermissible use or disclosure of PHI.
  • Second, PHI can be shared amongst individuals covered as CEs or BAs if the information is not used or disclosed in violation of the Privacy Rule.
  • Lastly, it would not be considered a breach if a CE or BA disclosed PHI to someone who is unable to retain the information.

Covered Entities and Business Associates also need to remember to update their Business Associate Agreements and Notice of Privacy Practices, as well as putting a HIPAA Compliance Program in place by September 23, 2013. Don’t delay!

Neha Sharma, MBBS

Dr. Neha Sharma is a physician, trained in China, working in the US, with experience in eHealth, mHealth and related healthcare technologies.

One thought on “HIPAA Breach Definition Updated in the 2013 HIPAA Omnibus Final Rule”

  1. Another big issue that Covered Entities and Business Associates often ignore – or don’t place much emphasis on – is securing remote access for end-users who can access PHI. Specifically, healthcare providers should have a comprehensive checklist covering aspects, such as securing the computer that is being used, ensuring anti-virus and proper passwords on the system, not using your home computer (which could be infected with all types of malware), only connecting using a company approved laptop, etc. And of course, all remote access should be done over encrypted and secure transmissions (i.e., port 443), which goes without saying. Also, don’t forget the importance of having a well-documented remote access policy and procedure in place, along with a remote access request form.