New HIPAA Rules Expand Breach Notification Requirements


If your company is subject to HIPAA, new rules published by the Department of Health and Human Services (“HHS”) will require changes in your policies and practices regarding data breaches.

Among other things, the new rules implementing the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) have introduced a stricter standard for determining when notification is required and have broadened the group of entities to which it applies.  Here are the highlights:

  1. The “Significant Harm” Standard has been Replaced by a “Risk of Compromise” Standard.  Under the previous rule, the unauthorized disclosure of unsecured protected health information (“PHI”) was considered a breach requiring notification only if a covered entity or business associate determined that there was a “significant risk of financial, reputational, or other harm” to affected individuals.  Under the new rule, such a disclosure is presumed to be a breach unless a risk assessment reasonably concludes that there is only a “low probability” that PHI has been “compromised.”  In order to make that determination, covered entities, business associates, and their subcontractors must now engage in a four-factor analysis that considers the nature of the information involved, the person to whom the information was disclosed, whether the PHI was actually viewed, and mitigation measures, if any.  This assessment must be documented and producible in court.  We expect further guidance from HHS on the new standard in the next couple of months.
  2. Data Breach Requirements Now Extend to Subcontractors.  The final rule now extends data breach notification requirements to all subcontractors that handle PHI on behalf of business associates.  Business associates will need to ensure that these requirements are being followed by their subcontractors, while subcontractors will need to implement new policies and ensure that these requirements are being followed by their own subcontractors.  An upcoming client alert will provide further information on how the new rules apply to subcontractors.
  3. The “Limited Data Set” Exception has been Eliminated.  Under the previous rule, there was an exception to the notification requirement for certain “limited data sets” that had been cleaned of certain types of information.  That exception has been removed, and a risk assessment is now required for breaches of this type of PHI.
  4. Individuals Must be Notified of a Company’s Data Security Breach Obligations.  The new rule now requires a covered entity to include a statement in its Notice of Privacy Practices that it is required by law to notify affected individuals following a breach of unsecured PHI. 

To comply, covered entities, business associates, and subcontractors will need to update their internal policies and procedures and provide additional training to employees.  We’ll have more client alerts on other material changes to the HIPAA rules in the coming months.

If you have questions about the new rules, the HITECH Act, or HIPAA generally, please contact Peter Guffin, Kris Eimicke, or Kyle Glover of Pierce Atwood LLP’s Privacy and Data Security Group.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pierce Atwood LLP | Attorney Advertising
