HHS Issues Final HIPAA Regulations and Eliminates Risk of Harm Standard

On January 17, 2013, the Department of Health and Human Services (HHS) issued a long-awaited final rule addressing modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules.  The regulations contain fundamental changes to the Interim Final Rule (IFR), the most notable of which is the  elimination of the previous "risk of harm" standard and the implementation of a more objective risk assessment standard for security breach notification.  Covered Entities (CE) and Business Associates (BA) must comply with these new provisions by September 2013.

The final rule defines breach to mean the improper acquisition, access, use, or disclosure of protected health information "which compromises the security or privacy of the protected health information."  Previously, HHS required notification based on the risk of harm standard defined as the "significant risk of financial, reputational, or other harm to the individual." The final rule, however, establishes a presumption that any impermissible use or disclosure is a breach that compromises the security or privacy of the information.  The CE or BA bears the burden of proof to demonstrate that there is a low probability that the PHI has been "compromised" and thus that there is no need for notification.  HHS characterized the previous risk of harm standard as too subjective, leading to non-uniform decisions regarding the need for notification.  The new risk assessment standard focuses on whether unauthorized recipients have accessed or had the opportunity to access PHI, rather than the risk of harm to an individual.

The final rule establishes four specific factors entities must consider when determining whether to notify individuals:

(1) the nature and extent of the PHI involved including the types of identifiers and the likelihood of re-identification (e.g., there may be more concern if the information includes direct identifiers, credit card numbers, SSNs, and other information that increases the risk of fraud, or other sensitive data such as clinical information). 

(2) the unauthorized person who used the PHI or to whom the disclosure was made (e.g., there may be a lower probability of "compromise" if the receiving entity is independently obligated to protect the information under HIPAA, the Privacy Act, or other similarly stringent laws).

(3) whether the PHI was actually acquired or viewed (e.g., there is a lower probability of "compromise" if the covered entity can document through forensic or other means that the PHI was not accessed).

(4) the extent to which the risk to the PHI has been mitigated (e.g., there may be a lower probability of "compromise" if the receiving entity is reliable and has entered into a confidentiality agreement or provided similar assurances).

Despite the clear intent of HHS to eliminate the risk of harm standard and shift the burden of proof, the foregoing factors are strikingly similar to those previously established in the IFR to assess risk of harm. 

HHS plans to issue additional guidance to aid covered entities and business associates in performing risk assessments with respect to frequently occurring scenarios.

Crowell & Moring will issue further analysis regarding key aspects of the final rule—such as enforcement and penalties, applicability to business associates and subcontractors, and other various implementation specifications.