FierceHealthIT is running my commentary on the HIPAA Breach Notification Rule. Here's an excerpt, highlighting the final regulation text, and the shift from the harm standard in the interim final rule (IFR). Please follow the link to read the rest of the post.
The IFR required a risk assessment to be done in order to determine whether the risk of harm was present. The feds observe in the commentary to the final rule that some folks "may have interpreted the risk of harm standard in the [IFR] as setting a much higher threshold for breach notification than we intended to set." Hence the "clarification" in the final rule that:
an acquisition, access, use, or disclosure of protected health information in a manner not [otherwise] permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.
45 CFR 164.402 (emphasis added).
This revision is intended to provide a more objective standard, in response to comments filed in connection with the IFR.