Changes to the HIPAA Breach Notification Rule
Background: The HITECH Act required Covered Entities to notify individuals, HHS, and in some cases the media, of a Breach of Unsecured PHI. A Business Associate is required to notify the Covered Entity of any such Breach so that the Covered Entity may make the notifications listed above. In response to the HITECH Act, OCR issued an interim final Breach Notification Rule, effective September 23, 2009, incorporating the requirements of the HITECH Act.
In the interim final Breach Notification Rule, a Breach was defined as, subject to certain exceptions, the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom the information is disclosed would not reasonably have been able to retain such information. An unauthorized acquisition, access, use, or disclosure of PHI compromised the security or privacy of the PHI if it posed a significant risk of financial, reputational, or other harm to the individual. In other words, to determine if a Breach occurred as a result of an impermissible use or disclosure of PHI, a Covered Entity was required to perform a risk assessment to determine if there was a significant risk of harm to the individual.