Final Rule Removes Harm Standard

The Final Rule modifying the HIPAA Privacy, Security and Enforcement Rules is scheduled to take effect on March 26 of this year.  Among its many changes is a revision of the breach notification requirement for unsecured protected health information (PHI).  Under the Final Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment, following the factors the rule sets out (the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated), demonstrates a low probability that the PHI has been compromised.  Only then may notification of the affected individuals be avoided.  Previously, notification was not mandatory if the covered entity determined that the breach posed no significant risk of harm to the individual.

The Department of Health and Human Services (HHS) expects that this change will not have a major impact on the number of breach notifications it receives, but that it will make the decision of whether to notify affected individuals more objective.  HHS projects it will receive about 1,580 breach notifications per month, each affecting, on average, around 350 individuals.

We previously reported that the cost of a data breach declined in 2011; however, the healthcare industry experienced an increase in both the number of data breaches and the organizational cost per breach from 2010 to 2011.  Read more about data breaches and security issues in the Security section of our blog.