HIPAA Final Rule: Breach Notification Guidance Safe Harbor


The US Department of Health and Human Services (HHS) has introduced significant changes to the HIPAA Security, Privacy, Enforcement and Breach Notification Rules in the form of the HIPAA Omnibus Rule (also known as the Final Rule). Some of these changes are very relevant to business associates working out of India. The final Omnibus Rule became effective on March 26, 2013, and business associates and covered entities must comply with the Omnibus Rule no later than September 26, 2013.

Breach Notification: The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

2. The unauthorized person who used the protected health information or to whom the disclosure was made;

3. Whether the protected health information was actually acquired or viewed; and

4. The extent to which the risk to the protected health information has been mitigated.

There are three exceptions to the definition of "breach." The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or at an organized health care arrangement in which the covered entity participates. In both cases, the information must not be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Breach Notification Requirements

Following a breach of unsecured protected health information, covered entities or business associates must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. Under the HIPAA Omnibus Rule, the onus of breach notification rests with the business associate if the breach occurs while the data is in the possession of the business associate.

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction, generally in the form of a press release. In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following the breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis.

The Secretary of HHS (US Department of Health and Human Services) issued guidance in 2009 [74 Federal Register 42742-42743] on the safe harbor for breach notification: "Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information, that is, the information is not considered 'unsecured' in such cases." [78 Federal Register 5639] Finally, "we encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance. If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information." [78 Federal Register 5644]

Thus encrypting data at rest in accordance with the Guidance provides insurance against the notification consequences of theft and data loss.


Please contact sales@futurecalls.com to get a demo of encryption tools which satisfy HIPAA disclosure norms.