In perhaps the most significant change under the Final Rule, the new regulations considerably alter what constitutes a breach of Protected Health Information (PHI) and when the breach notification requirements are triggered. Under the current HIPAA regulations, a Covered Entity or Business Associate determines whether a breach has occurred by conducting a risk assessment of whether the use or disclosure of PHI in question “poses a significant risk of financial, reputational, or other harm to the individual.” Under the Final Rule, an improper use or disclosure of PHI is now presumed to be a breach unless the Covered Entity or Business Associate “demonstrates that there is a low probability that the protected health information has been compromised” through a risk assessment of at least the four factors set forth in the new regulations:
a) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
b) The unauthorized person who used the PHI or to whom the disclosure was made
c) Whether the PHI was actually acquired or viewed
d) The extent to which the risk to the PHI has been mitigated
The “presumption of breach” standard is a much lower standard than the previous “significant risk of harm” standard and is likely to lead to more breach notifications from Covered Entities and their Business Associates.
Taken in part from: Miller & Martin, PLLC 3/8/2013