In a surprise move, the new omnibus HIPAA Rule has modified the breach notification requirements.  As a result, HHS has also altered the criteria to be used in the risk assessment that covered entities must perform when there has been a potential breach.

Seemingly minor, these changes may dramatically increase the number of breaches that covered entities will need to report in the future.  Here’s how:

Up to now, covered entities were allowed a certain amount of discretion when determining whether a security or privacy incident qualified as a reportable breach.  They were able to apply a somewhat subjective “risk of harm” standard; in other words, the incident was considered a breach only if it posed a significant risk of financial, reputational or other harm to an individual.

That threshold has been lowered.  The new Rule redefines “breach” to include any impermissible use or disclosure of protected health information (PHI), unless the covered entity can show that there is low probability that the PHI has been compromised. HHS provides an example of the latter — of a misdirected fax containing PHI, where the recipient physician immediately calls to say he has destroyed the fax.

The new breach definition requires that covered entities will have to undertake a stricter risk assessment when a privacy or security incident occurs.  The assessment must focus on the probability that PHI has been compromised, whether or not there is risk of harm to an individual.  At least the following four factors must be considered in making the assessment:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.

One additional consideration: in the past, impermissible use or disclosure of limited data sets that did not contain dates of birth or zip codes were excluded from the definition of a breach. HHS has removed this exception. Now, in such cases, the risk assessment process described above must still be performed to determine if breach notification is required.

HHS believes that this updated assessment will result in a more objective evaluation of the risk to the PHI and a more uniform application of the Rule. Because the breach definition is much broader, more incidents are likely to qualify as breaches.

As a final note, HHS encourages covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other PHI, as noted in its Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742). If PHI is thus encrypted, then no breach notification is required following an impermissible use or disclosure of PHI. We strongly encourage the use of such encryption and encrypted devices to avoid the cost, expense and embarrassment resulting from having to go through the breach notification process.

What challenges do you expect these modifications to impose on covered entities?