The Department of Health and Human Services (“HHS”) issued final omnibus HITECH Regulations on January 17, 2013. The HITECH Act was signed into law in February 2009 and significantly modified the Health Insurance Portability and Accountability Act (“HIPAA”). One of the key features of the HITECH Act was the establishment of a breach notification rule that imposed a nationwide notification requirement for breaches of protected health information. This rule has been enforced in interim status since 2009.
The new HITECH Regulations, which go into effect on March 26, 2013, will require covered entities and their business associates to comply with the new breach notification rule starting September 23, 2013. This new breach notification rule features significant differences from the interim rule, and could make many more incidents regarding protected health information reportable.
Under the interim rule, the trigger for notifying HHS and affected individuals of a data breach was an assessment that a breach had to be reported only if it posed a “significant risk of financial, reputational, or other harm to the individual.” The final rule eliminates that “risk of … harm” threshold and instead presumes that any “unauthorized acquisition, access, use, or disclosure” of protected health information is a data breach, unless the covered entity or its business associate can demonstrate that there is a “low probability” that the protected health information was compromised. The entity must also maintain documentation sufficient to meet that burden of proof, such as by conducting and retaining a written risk assessment. The final rule also identifies objective factors that must be considered when conducting that risk assessment. These factors include the following:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
According to the new regulation, any probability of harm that is greater than “low” will mean that notification is required for the breach, even if there is no reasonable likelihood of harm to the affected individuals. This new standard could result in more reportable incidents, and increase the burden on companies to perform more formal risk assessments of data security incidents involving protected health information.