On January 17, 2013, the Department of Health and Human Services ("HHS"), Office of Civil Rights issued its final rule modifying the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act ("HITECH").
HHS modified the definition of what constitutes a "breach" for purposes of the breach notification requirement. Previously, a "breach" had been defined as the "acquisition, access, use or disclosure" of protected health information ("PHI") in violation of the Privacy Rule that "compromises the security or privacy" of the PHI. The phrase "compromises the security or privacy" of the PHI meant that the acquisition, access, use or disclosure posed a "significant risk of financial, reputational, or other harm to the individual." Under the new final rule, HHS revised the definition of a breach to state that a breach is presumed to have occurred, unless the covered entity (or business associate) demonstrates that there is a low probability that PHI has been compromised based on a series of specific factors. In other words, the final rule makes it clear that notification is required for breaches, even if there is no "harm" to the individual.
HITECH made many of the HIPAA privacy and security requirements applicable directly to business associates. The final rule clarifies the manner in which some of HITECH's provisions will be applied. The final rule also expanded individual rights, including, for example, an individual's right to receive electronic copies of his or her PHI.
The final rule becomes effective on March 26, 2013, and compliance is required by September 23, 2013.
If you have any questions about the final rule or need assistance with reviewing or revising your HIPAA policies and forms to ensure compliance with the final rule, please contact David C. Marshall at 717-620-2424.