This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements. 

The HITECH omnibus rule establishes a new standard for determining whether an unauthorized use or disclosure of unsecured protected health information (“PHI”) is a “breach” requiring notification.   Under the current Breach Notification Rule, covered entities are required to notify individuals of a breach involving their unsecured PHI, and business associates have a corresponding obligation to notify covered entities. The current rule states that an unauthorized use or disclosure of PHI is a “breach” if it poses a significant risk of financial, reputational, or other harm to the individuals affected.

The omnibus rule replaces the “risk of harm” test with a default presumption that any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule is a breach unless the covered entity or business associate “demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment.”  HHS stated that the omnibus rule establishes a presumption that uses or disclosures of PHI in violation of the Privacy Rule are “breaches” because HHS believes that many covered entities and business associates have construed the existing “risk of harm” standard as setting a higher bar than HHS intended.  Covered entities and business associates now have the burden of proving that there is a “low probability” that PHI has been compromised through a risk assessment that accounts for at least the following factors:

  1.  The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

All of these factors must be considered in combination.  If a covered entity or business associate determines that an unauthorized use or disclosure of PHI is not a breach, it will need to maintain documentation sufficient to overcome the presumption that PHI was compromised.  HHS suggests that these risk assessments allow for a more “objective” evaluation than the current “risk of harm” standard, and plans to provide further guidance on risk assessments that addresses “frequently occurring scenarios.”

The omnibus rule also removes a provision from the current rule’s definition of a “breach,” which says that PHI is not compromised if a use or disclosure in violation of the Privacy Rule involves a limited data set that does not contain dates of birth or zip codes.  While unauthorized uses or disclosures of a limited data set are now subject to the same presumption of breach, HHS suggested that, in most instances, the risk assessment would result in a finding of a low probability that the PHI had been compromised and, thus, no breach had occurred.  This is primarily because of the first risk assessment factor (relating to the types of identifiers and the likelihood of re-identification).

The omnibus rule also revises the breach notification provision related to notifying the Secretary of HHS.  Covered entities are required to notify the Secretary of HHS immediately of any breach affecting more than 500 individuals.  In addition, covered entities must annually submit a log to the Secretary of each breach affecting fewer than 500 individuals.  The omnibus rule modifies the rule to clarify that covered entities must report breaches affecting fewer than 500 individuals to the Secretary “not later than 60 days after the end of the calendar year in which the breaches were ‘discovered,’ not in which the breaches ‘occurred.’”  Thus, if a breach affecting 400 individuals were to occur in December 2013 and were to be discovered in January 2014, the covered entity would not be required to report the breach to the Secretary until the first 60 days of 2015.

The omnibus rule otherwise retained the existing Breach Notification Rule with only stylistic and non-substantive modifications.

It seems likely that the omnibus rule will result in many more notifications of breaches of PHI; this is apparently the result that HHS intends.