As we reported here, the U.S. Department of Health and Human Services (“HHS”) recently issued final regulations (the “Final Rule”) implementing changes to HIPAA mandated by the HITECH Act.  The long awaited Final Rule addresses a number of privacy and security topics, including breach notification.  With regard to breach notification requirements, the Final Rule replaces an Interim Rule issued by HHS in 2009 (the “Interim Rule”).  The Final Rule becomes effective March 26, 2013, and compliance with the Final Rule by HIPAA covered entities and business associates is required by September 23, 2013.  Significantly, the Final Rule substantially expands the definition of “breach” for purposes of breach notification requirements.

Pursuant to the Interim Rule currently in effect, covered entities must notify affected individuals, HHS, and in some cases, the media, in the event of a breach of protected health information (“PHI”).  In addition, business associates are required to notify covered entities of such a breach.  The Final Rule does not materially change the timing, manner or content of the required notices, but it does substantially expand the definition of “breach,” with the effect of broadening the circumstances that require notification.

Pursuant to the Interim Rule, a determination of whether a data security incident constitutes a “breach” requiring notification turns, in part, upon whether the incident “poses a significant risk of financial, reputational, or other harm to the individual” (the “Harm Threshold”).  In contrast, the Final Rule removes the Harm Threshold, and presumes an impermissible use or disclosure of PHI under certain circumstances to be a “breach” unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised.  The Final Rule specifies four factors that must be considered in a risk assessment regarding the probability that PHI was compromised, focusing on: (i) the nature and extent of the PHI involved; (ii) the unauthorized person who used the information or to whom the disclosure was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated.

As a result of this definitional change, after the Final Rule becomes effective, an incident involving unauthorized use or exposure of PHI by a covered entity or business associate will be more likely to constitute a “breach” requiring notice to affected individuals, HHS, and potentially the media.