Wilson Technology Group and More


HIPAA Breach Notification Standard Lowered


In perhaps the most significant change under the Final Rule, the new regulations considerably alter what constitutes a breach of Protected Health Information (PHI) and when the breach notification requirements are triggered. Under the current HIPAA regulations, to determine whether a breach has occurred, a Covered Entity or Business Associate must conduct a risk assessment to determine whether the use or disclosure of PHI in question “poses a significant risk of financial, reputational, or other harm to the individual.” Under the Final Rule, an improper use or disclosure of PHI is now presumed to be a breach unless the Covered Entity or Business Associate “demonstrates that there is a low probability that the protected health information has been compromised” through a risk assessment of at least the four factors set forth in the new regulations:

a)  The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

b)  The unauthorized person who used the PHI or to whom the disclosure was made

c)  Whether the PHI was actually acquired or viewed

d)  The extent to which the risk to the PHI has been mitigated

The “presumption of breach” standard is a much lower standard than the previous “significant risk of harm” standard and is likely to lead to more breach notifications from Covered Entities and their Business Associates.

Taken in part from: Miller & Martin, PLLC, 3/8/2013
