At 563 pages, the Final Rule released by the U.S. Department of Health and Human Services (HHS) is hardly light reading. Despite its bulk, the Final Rule boils down to a few key points for those responding to a potential data security breach. First, the Final Rule does not change the requirements for the method or timing of data breach notification, or what must be in the notice; those all stay the same. Second, it does change the standard for determining whether notification is required.
The Final Rule essentially shifts the burden of proof to the Covered Entity (CE) or Business Associate (BA) to prove that there is a low probability that Protected Health Information (PHI) has been compromised. It presumes that an impermissible use or disclosure of PHI is a breach requiring notification. Rather than the “risk of harm” standard outlined in the Interim Final Rule, CEs and BAs must assess the probability that exposed PHI has been compromised based on the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Entities are required to maintain documentation of notification or documentation of the risk assessment demonstrating that an impermissible use or disclosure did not constitute a breach. HHS stated that it believed these changes would “result in a more objective evaluation of the risk to the [PHI] and a more uniform application of the rule.”
Given these changes, it is important to update your incident response plan and training to reflect this new standard for determining whether a breach occurred, and to ensure that your organization maintains sufficient access controls and system logging to support a conclusive forensic investigation of a potential breach. And as always, it is important to make sure employees recognize and report potential data breaches as quickly as possible. HITECH does not pre-empt more stringent state laws, so shorter state notification deadlines may apply. Quick remediation of HIPAA violations can also lessen the potential civil monetary penalties entities may face in connection with the underlying cause of the data breach.
In Part 2, we’ll take a more in-depth look at the four factors that must be a part of your breach risk assessment and offer insight into how they should be interpreted.
By Kroll Editorial Team