A pre-publication version of the much anticipated final Omnibus Health Insurance Portability and Accountability Act (HIPAA) rule (the Final Rule) was issued January 17, 2013 with publication in the Federal Register scheduled for January 25, 2013. While the Final Rule becomes effective March 26, 2013, covered entities and business associates have until September 23, 2013, to comply and, in the case of existing business associate agreements, covered entities have until September 2014 to make changes. The full breadth of the nearly 600-page rule will take some time to fully analyze. As we continue to analyze the complex regulations, however, here are a few highlights:
• Probably the most significant change in the Final Rule is a modification to the determination of what is a reportable breach. The Final Rule removes the risk of significant harm standard, which, in the interim final rule, limited breach notification obligations to breaches that a covered entity determined to pose a significant financial, reputational or other harm to the individuals affected by the breach. The Final Rule replaces the risk of significant harm standard with the provision that “an impermissible use or disclosure of protected health information (‘PHI’) is presumed to be a breach unless the covered entity or business associate … demonstrates that there is a low probability that the PHI has been compromised.” In other words, the Final Rule now requires a covered entity to notify individuals about a breach unless it can demonstrate a low probability that the PHI has been compromised. This presumption that every impermissible use or disclosure of PHI is a breach is a significant departure from the risk of significant harm standard.