The Breach Notification Rule, 45 CFR §§ 164.400-414, first published as an interim final rule in August 2009, is an extremely important but often overlooked part of the HIPAA regulations promulgated by the U.S. Department of Health & Human Services (“HHS”). As originally written, the rule defined a breach of protected health information (“PHI”) as an acquisition, access, use or disclosure that “poses a significant risk of financial, reputational, or other harm to the individual.” That definition was replaced in 2013, as discussed below. The rule applies only to unsecured PHI: PHI that has been encrypted or destroyed in accordance with HHS guidance (which points to NIST standards) is considered secured, and its loss or exposure does not trigger the notification obligations.
Among other things, the Breach Notification Rule places the burden on health care providers (“Providers”) to demonstrate to HHS that all required notifications were made following the discovery of a breach of unsecured PHI, or that the use or disclosure in question did not rise to the level of a breach. Providers who can make that showing may avoid or limit their liability related to the alleged breach. The required measures include notice to patients and others of the impermissible use or disclosure that compromised the security or privacy of the PHI.
Attorneys at Chapman Law Group provide legal services to entities that handle healthcare and other personal data. Our attorneys are experienced with counseling clients on potential data breaches under HIPAA and other privacy and security laws, and in developing and executing a data breach response plan, including reporting to federal, state, and local governmental agencies and responding to formal agency investigations.
For providers already familiar with the Breach Notification Rule, it is important to recognize that the rule underwent significant changes in 2013. In January 2013, HHS published the Omnibus final rule, which modified HIPAA’s Privacy, Security and Breach Notification Rules. A main area affected by this update was the standard Providers and their business associates must apply when deciding whether an incident involving PHI is a reportable breach. Under the previous “harm standard,” Providers had discretion as to whether a breach was reportable, based on whether it posed a significant risk of financial, reputational or other harm to the individual. HHS eliminated the “harm standard” because Providers were applying it inconsistently.
The new standard, as announced in the final rule, presumes that any impermissible use or disclosure of unsecured PHI is a reportable breach. Providers can rebut that presumption only by documenting a risk assessment that shows a low probability that the PHI has been compromised. The assessment must consider at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. The discretion that existed under the old standard is gone: if the assessment cannot support a low-probability finding, the incident must be treated as a breach.
There are many nuances to the Breach Notification Rule, and Providers must know whether they are required to notify: (1) the individual affected by the breach of unsecured PHI, without unreasonable delay and in no case later than 60 calendar days after discovery; (2) the Secretary of HHS, within that same 60-day period for breaches affecting 500 or more individuals, and in an annual report for smaller breaches; and/or (3) the media, when a breach affects more than 500 residents of a state or jurisdiction. In addition, Providers must know when their business associates are required to notify them if a breach occurs at or by the business associate, since the Provider’s own deadlines run from the date the breach is treated as discovered.
If you believe that a breach of PHI may have occurred, you should immediately seek legal assistance from an attorney qualified in these matters.
Health care providers frequently contact our attorneys because they are worried that a breach of patient privacy has occurred. Providers should consult with an attorney promptly so that there is enough time to investigate the incident, complete and document the risk assessment, and send out any required notifications within the applicable deadlines. Chapman Law Group can also help Providers understand which timeframe applies to each type of report.
Chapman Law Group can help you address these five (5) critical questions:
You should strongly consider representation by an attorney while you are dealing with the Breach Notification Rule process. You should definitely obtain competent representation if you expect to incur liability due to your breach of PHI.
Chapman Law Group regularly advises and represents all types of Providers, including doctors, pharmacists and other practitioners who suspect that a breach has occurred. We urge you not to wait until an HHS investigation has begun, because your career and your practice could be in serious jeopardy. You should contact a health law attorney for assistance as soon as you learn of a possible breach involving PHI.