January 31, 2013. Today, we briefly identify key changes or reminders regarding breach notification in the preamble of the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, published in the Federal Register on January 25, 2013. The Final Rule becomes effective March 26, 2013 and requires compliance by covered entities and business associates on September 23, 2013. Earlier this week, we have examined the changed definition of breach, the substitution of the “probability standard” for the current “harm standard” underpinning a risk assessment to determine if unsecured protected health information has been compromised by impermissible use or disclosure such that a breach notification is required, and the importance of the Guidance in securing protected health information.
Limited Data Sets. “In addition to the removal of the harm standard and the creation of more objective factors to evaluate the probability that protected health information has been compromised, we have removed the exception for limited data sets that do not contain any dates of birth and zip codes. In the final rule, following the impermissible use of disclosure of any limited data set, a covered entity or business associate must perform a risk assessment that evaluates the factors discussed [earlier this week] to determine if breach notification is not required.” [78 Federal Register 5644]
Notification to Individuals. Without modification, but the Final Rule makes this point with respect to implementation specification (d): Methods of individual notification–“In response to questions raised with respect to a breach at or by a business associate, we note that the covered entity ultimately maintains the obligation to notify affected individuals of the breach under Notification to Individuals, although a covered entity is free to delegate the responsibility to the business associate that suffered the breach or to another of its business associates…. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.” [78 Federal Register 5650-5651]
Notification to Media. With a minor change that aligns the definition of “State” [American Samoa and Northern Mariana Islands] with HIPAA Rules, and not germane herein for discussion, the Final Rule does point out this caution: “We also emphasize that posting a press release regarding a breach [involving 500 or more residents of a State or jurisdiction] of unsecured protected health information on the home page of the covered entity’s Web site will not fulfill the obligation to provide notice to the media (although covered entities are free to post a press release regarding a breach on their Web site). To fulfill this obligation, notification, which may be in the form of a press release, must be provided directly to prominent media outlets serving the State or jurisdiction where the affected individuals reside.” [78 Federal Register 5653]
Notification to the Secretary. There is one modification that focuses on breaches “discovered” in a calendar year as opposed to “occurred” in a calendar year. “The modification clarifies that covered entities are required to notify the Secretary of all breaches of unsecured protected health information affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were ‘discovered,’ not in which the breaches ‘occurred.'” [78 Federal Register 5654]. Here is a reminder: “Although covered entities need only provide notification to the Secretary of breaches involving less than 500 individuals annually, they must still provide notification of such breaches to affected individuals without unreasonable delay and not later than 60 days after discovery of the breach pursuant to 45 CFR 164.404 [Notification to Individuals]. [78 Federal Register 5654] Finally, another Final Rule reminder for large breaches: “With respect to breaches involving 500 or more individuals, we interpreted the term ‘immediately’ in the statute to require notification be sent to the Secretary concurrently with the notification sent to the individual under 45 CFR 164.404 [Notification to Individuals] (i.e., without unreasonable delay but in no case later than 60 calendar days following discovery of a breach.)” [78 Federal Register 5653] For more on notification, visit the HHS Notification to the Secretary Web site: “Instructions for Submitting Notice of a Breach to the Secretary.”
Tomorrow, we wrap up discussion of the breach notification rule. Next week, HIPAA.com looks at the modifications to the Security Rule.