News & Resources

Publications & Media

HIPAA Final Rule On Breach Notification: Shark Or Minnow? (Discuss Amongst Yourselves)

Health Law Update Sarah E. Coyne

The HIPAA Final Rule is here, and there's lots of chatter about the changed standard for breach notification! For all of the background on the Final Rule, see our previous updates in this series (links below). For a more detailed analysis of the Final Rule and its impact on notifications, click here.

So what is new? The harm threshold is gone!

As any law-abiding covered entity or business associate knows, the existing breach notification regulations allowed privacy officers some discretion as to whether a breach was reportable, based on whether that breach would result in a significant risk of financial or reputational harm. Nobody knew exactly what this meant or how to figure it out, but we all had fun trying. Then HHS decided to change the game because the application and results of the harm standard were inconsistent.
The new standard in the Final Rule is equally fun but just has a different starting place. We now presume that an unauthorized use or disclosure of unsecured PHI is a reportable breach, and we can rebut that presumption only by determining that there is a low probability that the PHI has been compromised. Privacy officers may consider four fascinating factors (and other stuff, as appropriate) in making this risk analysis. (We told you this was fun!)

Below are the four factors, with some of our editorial deep thoughts. An impermissible use or disclosure of PHI is presumed to be a reportable breach unless the covered entity or business associate can demonstrate that there is a "low probability" that the PHI has been compromised after considering:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.

  • Consider whether there is sensitive health information at issue (mental health, AODA).
  • Consider whether there is financial information/identity theft risk.
  • Consider how identifiable the patient is from the information disclosed.

2. The unauthorized person who used the PHI or to whom the disclosure was made.

  • Consider whether the recipient is also regulated by HIPAA.
  • Consider whether the recipient is a horrible criminal.
  • Consider whether the recipient is Swiper from Dora The Explorer ("Swiper, No Swiping!").

3. Whether the PHI was actually acquired or viewed.

  • You know this one from the current rule.
  • Consider whether your IT department can determine that nobody ever saw the information. (If a laptop falls in the forest with no accessible PHI, does it make a sound?)

4. The extent to which the risk to the PHI has been mitigated.

  • Immediately enter into confidentiality agreements with recipients.
  • Do other stuff to mitigate and document it.

What does this really mean? We have seen a lot of commentary that it is a startling, sweeping change that will result in floods of additional breach reports, and we are not sure we agree. We will have to see how it unfolds. HHS does helpfully tell us that the risk assessment must be done in good faith and must be reasonable, so if you were considering a bad faith or unreasonable risk assessment, we advise against it. The four factors were in the original rule as factors to consider anyway, and may well be built into your breach notification policies.

So, what needs to change? Here are our suggestions:

  • Revise your breach notification policy to reflect the new standard described above, and the steps to take in rebutting the presumption of a data breach.
  • Evaluate your security protections, including encryption, password protection, mobile devices, data destruction, etc., and be sure they are compliant with the Security Rule.
  • For covered entities, review your vendor contracts with regard to their obligation to maintain security measures and to notify you in the event of a breach, and timelines for that.
  • Review all vendor agreements with regard to the HHS guidance on when a business associate is an agent of a covered entity.
  • Get busy rebutting!

Previous HITECH Updates:

For more information about HIPAA, the Final Rule, the Security Rule, the Enforcement Rule or other related issues, contact Sarah Coyne at (608) 283-2435 / sarah.coyne@quarles.com or your Quarles & Brady attorney.