HHS ISSUES FINAL BREACH NOTIFICATION RULES – The end of “no harm, no foul”?
Last week the Department of Health and Human Services (HHS) issued its long-awaited “Final Rule” meant to strengthen various HIPAA/HITECH privacy and security rules related to individuals’ health information. The 563 pages of federal regulations contain numerous rule modifications. Notably, with respect to the scope of this Blog, there are significant changes to the Breach Notification Rule for protected health information (PHI).
When originally issued as an “interim final rule” in 2009, the Breach Notification Rule included a risk of harm assessment for determining whether protected health information had been compromised in a breach incident. Specifically, the interim rule stated:
“compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”
Thus, covered entities under HIPAA had been able to conduct a risk of harm analysis focusing on the individuals potentially affected by a breach, when assessing whether a breach had occurred. This subjective standard certainly could be helpful to an organization if it was inclined to lean towards a determination that a particular incident involving PHI did not trigger notification obligations. Now, however, this potential “never mind” no longer exists.
Rather, under the final rule, HHS has clarified that the impermissible use or disclosure of PHI is PRESUMED to be a breach unless the covered entity demonstrates that there is a low probability that the PHI has been compromised. The new regulations include 4 factors for an entity to use in conducting such a risk assessment:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
In other words, the focus of any risk assessment after a potential breach has moved from the point of view of whether individuals were harmed, to instead considering factors related to the PHI itself. While it remains to be seen how these new risk assessment rules will play out, it certainly appears that HHS has intentionally lowered the bar for reportable incidents.
Whether focusing on PHI (data), instead of individuals, is a good thing is certainly debatable, and the new rule is likely to lead to many more PHI incidents where breach notification obligations are triggered. If the goal is to ensure the privacy and security of PHI, perhaps the threshold lowering is meant to make covered entities and business associates pay more attention.
Of course, cynics may point out that the new rules simply increase the power of a government agency, but fail to adequately take into account the actual impact on individuals. In other words, “no harm, no foul” may no longer apply when it comes to the Breach Notification Rule.
Note that the effective date of the final rule is technically March 26, 2013. However, Covered Entities and Business Associates have until September 23, 2013 to comply with the requirements of the final rule.