Final Omnibus Rule modifies HIPAA Privacy, Security and Enforcement Rules


On January 25, 2013, the Final Rule modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules was published in the Federal Register. Among other things, the omnibus Final Rule revised the existing rule on breach notification for unsecured protected health information under the HITECH Act. The rule added language to the definition of a breach to state that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or Business Associate demonstrates that there is a low probability that the protected health information has been compromised. The rule also removed the harm standard and modified the risk assessment in order to focus objectively on the risk that the protected health information has been compromised.

The Final Rule also identifies the more objective factors that must be considered when performing a risk assessment to determine whether the protected health information has been compromised and breach notification is necessary. The factors that must be considered as part of the risk assessment are: “(1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.” Depending on the circumstances, other factors may also be considered as part of the risk assessment. 78 Fed. Reg. 5566 (January 25, 2013).

For more information on the Final Rule and its effects, please contact Calvin Hayes.




DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Buchanan Ingersoll & Rooney PC | Attorney Advertising
