The HIPAA Breach Notification Rule was enacted in 2009 as part of the HITECH Act. Upon discovery of a breach of “unsecured” PHI, covered entities, and their business associates as applicable, MUST make the proper notifications in accordance with HITECH and applicable federal or state notification laws. The Omnibus 2013 Final Rule adopted much of the interim rule; however, there are some variations between the interim rule and the final rule.
A significant change is that all impermissible uses or disclosures of PHI are “presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” – Omnibus Final Rule page 306
Additionally, the focus has been changed from the “harm” standard to “the risk that the PHI has been compromised”. As such, IF the risk assessment demonstrates a low probability of PHI being compromised, then a breach notification is no longer required.
Penalties for breaches depend on several factors, including the severity of the breach. For both privacy and security violations, they range from civil penalties of $100 per violation to criminal penalties of up to $1,500,000.00 per identical violation and/or 10 years imprisonment for knowing or willful disclosure or misuse of information. This penalty cap applies even to those who “did not know” the breach was taking place, UNLESS they correct the violation within 30 days from the “first date the person liable for the penalty knew, or by exercising reasonable diligence would have known”.
Also included in the 30-day time for corrections is the provision “or during a period determined appropriate by the Secretary based upon the nature and extent of the entity’s failure to comply.”
Due to numerous questions regarding the ‘fairness’ of issuing penalties when the entity did not know, the Omnibus Rule included clarification on this matter. The following affirmative defenses have been added:
- Penalties may be waived if the Secretary of HHS deems that it would be excessive given the specific situation.
- Providers who believe the amount is unfair have the right to appeal the decision.
What is a Breach?
A breach is the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of such information.
The Omnibus Rule revised two of the three exceptions to the definition of breach. They are now: