Recently, the Workgroup for Electronic Data Interchange (WEDI) published a Breach Risk Assessment Issue Brief for stakeholders to use in analyzing whether a breach of protected health information (PHI) has occurred under the Health Insurance Portability and Accountability Act (HIPAA).


Under HIPAA’s breach notification rule, covered entities and business associates are required to notify affected individuals, HHS, and, sometimes, the media when they determine that a breach of unsecured PHI has occurred.

In the final HITECH rule promulgated last year, HHS revised the breach notification rule, particularly the standard under which unauthorized disclosures will be considered breaches, thereby triggering an entity’s notification obligations.

Previously, covered entities engaged in a “risk of harm” test that led to the finding of a breach only when an unauthorized use or disclosure posed a significant risk of financial, reputational, or other harm to the affected individuals. The new final rule, at 45 C.F.R. 164.402, presumes that an unauthorized use or disclosure is a breach, unless the covered entity or business associate demonstrates that there is a “low probability that the protected health information has been compromised.” HHS explained that it revised the test of what is considered a breach because, in its view, covered entities were setting too high a bar for unauthorized disclosures to constitute breaches under the “risk of harm” standard. Under the revised standard, more unauthorized uses and disclosures will likely constitute “breaches” that must be reported.


WEDI’s guidance walks covered entities and business associates through the step-by-step process of what to do in the event of an unauthorized use or disclosure of unsecured PHI, as required by the new breach notification rule. At the outset, the guidance sets forth specific questions to determine whether the breach notification rule is implicated: (1) whether the information in question is PHI, (2) whether the PHI is unsecured (for example, not encrypted), and (3) whether the incident falls under one of the exceptions to the breach definition enumerated in the rule.

If a covered entity or business associate determines that an unauthorized use or disclosure of PHI has occurred, and it does not satisfy one of the enumerated exceptions, the guidance goes on to list detailed steps the entity must take, including conducting a risk assessment to determine the probability that PHI has been compromised, maintaining appropriate documentation, and considering any remedial steps the entity should put in place.

It would be prudent for covered entities and business associates to review and familiarize themselves with HHS’s expectations relating to breach determination and notification. However, as the guidance notes, in the event an unauthorized use or disclosure of PHI occurs, each step should involve legal counsel, any risk management team, and designated privacy and security offices to ensure compliance with all legal requirements and internal HIPAA policies and procedures. Meanwhile, companies that are covered entities and/or business associates should ensure that their incident response and risk assessment plans are up to date and consistent with the new requirements.