HIPAA Notification of Breaches | As Amended by the Final Omnibus Ruling | January, 2013

Regarding HIPAA notification of breaches, on January 17, 2013, the U.S. Department of Health and Human Services (HHS) put forth the final omnibus rule, effectively amending various provisions of the original 1996 HIPAA legislation signed into law by President Bill Clinton. Specifically, in accordance with the HITECH Act of 2009, amendments were put forth in the final omnibus ruling that supplemented and modified the original HIPAA Security and Privacy Rules, and the breach notification requirements.

What’s important to note about “breaches” in the context of HIPAA, and specifically under the final omnibus ruling of January 2013, is the following:

  • The final omnibus ruling effectively modified the “Breach Notification Rule” of 2009.
  • It clarifies the definition of what a “breach” is.
  • It puts new risk assessment requirements in place, requiring documentation of such assessments and consideration of the following four (4) factors:
    1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
    2. The unauthorized person who used the protected health information or to whom the disclosure was made.
    3. Whether the protected health information was actually acquired or viewed.
    4. The extent to which the risk to the protected health information has been mitigated.
  • Business Associates (BA) and their relevant third-party providers are also in scope for the breach notification changes under the final omnibus ruling.

Other important considerations regarding the enhanced breach notification rule are the following:

  • Requires a covered entity to notify an individual when unsecured PHI has been improperly disclosed.
  • The Department of Health and Human Services (HHS) is to be notified regarding confirmed breaches, either through an annual report or sooner, depending on the number of individuals affected.
  • The definition of a breach, according to HHS, is the following: the "acquisition, access, use, or disclosure" of PHI in violation of the Privacy Rule that "compromises the security or privacy" of the PHI. Thus, an impermissible use or disclosure of PHI is presumed to be a "breach".
  • The following are exceptions to a “breach”:
    1. Any unintentional acquisition, access or use of protected health information by a workforce member (including volunteer or trainee) or person acting under the authority of a covered entity or business associate, if the acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
    2. Inadvertent disclosures of protected health information from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate or organized health care arrangement in which the covered entity participates.
    3. Where a covered entity or a business associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA) consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA specific disaster recovery manual, and so much more. Learn about our industry leading HIPAA compliance toolkits today.