Final Rule: Modified Definition of Breach

(1) Breach excludes:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of a least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted as part of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, and Section 13402 provided statutory authority for Notification in the Case of Breach. [123 STAT. 260-263] After publishing a notice of proposed rule making (NPRM) in the Federal Register on April 27, 2009, for public comment, the Department of Health and Human Services (HHS) published an Interim Final Rule (IFR) for breach notification for unsecured protected health information on August 24, 2009. [74 Federal Register 42740-42770]  The effective date of the IFR was September 23, 2009, and enforcement of breach notification for breaches on or after that date began on February 22, 2010.

As required by the HITECH Act, the Secretary of HHS published as part of the April 27, 2009, NPRM Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. This was included in the IFR and is in force currently.  “Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information—that is, the information is not considered ‘unsecured’ in such cases.” [78 Federal Register 5639] “[O]nly encryption and destruction, consistent with National Institute of Standards and Technology (NIST) guidelines, renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that notification is not required in the event of a breach of such information.” [78 Federal Register 5647] According to the Final Rule:  “We encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the [Guidance].  If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use of disclosure of the information.” [78 Federal Register 5644]

In the event of a breach of an “impermissible use or disclosure” of unsecured protected health information that does not fall under one of the exclusions in the definition above, the language of which did not change from the IFR to the Final Rule, then a covered entity or business associate, as applicable, is obligated to conduct a risk assessment.  The burden of proof is on the covered entity or business associate, as applicable, to document and demonstrate why an impermissible use of disclosure would fall under one of the breach exclusions.  Based on the definition in the IFR, the risk assessment was to determine whether “’compromises the security or privacy of the protected health information’ [meant] poses a significant risk of financial, reputational, or other harm to the individual.”  [78 Federal Register 5639]  Under the Final Rule, which modified and clarified the definition of breach and risk assessment, the purpose of the risk assessment changed to that outlined in paragraph (2) in the definition of breach above, namely, to demonstrate that there has been “a low probability that the protected health information has been compromised” based on consideration of the specified factors in (2)(i)-(2)(iv).

The Final Rule elaborates on the change from the requirement in the IFR [78 Federal Register 5641, 5643]:

“First, we have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised….  As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the definition of breach applies).” [emphasis added] There was an exception for breach notification in the IFR for “limited data sets that do not contain any dates of birth and zip codes” that has been removed in the Final Rule.  A risk assessment is required for all situations involving an impermissible use or disclosure of protected health information to determine whether a breach notification is not necessary.  The Final Rule does note that “a covered entity or business associate has the discretion to provide the required notifications following an impermissible use or disclosure of protected health information without performing a risk assessment.  Because the final rule clarifies the presumption that a breach has occurred following every impermissible use or disclosure of protected health information, entities may decide to notify without evaluation of the probability that the protected health information has been compromised.” [ emphasis added]

“Second, to further ensure that [the definition of breach and the risk assessment approach] is applied uniformly and objectively by covered entities and business associates, we have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.  Thus, breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrate that there is no significant harm to the individual as was provided under the interim final rule.  The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary.” [emphasis added]

Tomorrow’s posting will discuss the four  factors that must be addressed as part of the risk assessment of the probability of protected health information being compromised.