The HIPAA Omnibus Final Rule issued in January 2013 contains many updates to the current regulations and finalizes the Breach Notification Interim Final Rule of 2009. Among these changes, the 2013 Final HIPAA Rule has broadened the definition of a breach. It is crucial for Covered Entities (CEs) and Business Associates (BAs) to understand how a HIPAA breach is defined in order to prevent breaches and to deal with the ones that do occur. Below, we cover the definition of a HIPAA breach, the four factors used in evaluating the probability that PHI has been compromised, and the breach exclusions.
Under the current HIPAA breach regulations, a breach is considered a use or disclosure of PHI that involves a risk of financial, reputational or other harm to the patient. With the changes in the 2013 HIPAA Final Rule, any impermissible use or disclosure of PHI will be considered a breach unless the CE or BA can show that the probability of the PHI having been compromised was low. This replaces the previous requirement to perform a “risk of harm analysis” following a breach. CEs and BAs may still perform a risk of harm analysis, but they are now required to perform a risk assessment using the four factors listed below. These four factors aid in determining whether the PHI has been compromised to the extent necessary for the incident to be considered, and reported as, a HIPAA breach:
- the identity of the person to whom the PHI was disclosed,
- whether the PHI was actually acquired or viewed,
- the actual content of the PHI, e.g. identifying factors, and
- how the risk of disclosure of the PHI has been mitigated.
Documenting the risk assessment also serves the purpose of documenting the reason for not notifying patients or government authorities of a breach.
The current exceptions to the HIPAA Breach Notification provisions will still be in effect under the 2013 HIPAA Final Rule:
- First, a breach does not occur when there is an inadvertent or unintentional disclosure to someone within a CE or BA, provided there is no further impermissible use or disclosure of the PHI.
- Second, PHI can be shared amongst individuals covered as CEs or BAs if the information is not used or disclosed in violation of the Privacy Rule.
- Lastly, it would not be considered a breach if a CE or BA disclosed PHI to someone who is unable to retain the information.
Covered Entities and Business Associates also need to remember to update their Business Associate Agreements and Notices of Privacy Practices, as well as to get a HIPAA Compliance Program in place by September 23, 2013. Don’t delay!