HealthBlawg

David Harlow's Health Care Law Blog


Final HIPAA Breach Notification Rule

January 29, 2013

FierceHealthIT is running my commentary on the HIPAA Breach Notification Rule. Here's an excerpt, highlighting the final regulation text, and the shift from the harm standard in the interim final rule (IFR). Please follow the link to read the rest of the post. 

The IFR required a risk assessment to be done in order to determine whether the risk of harm was present. The feds observe in the commentary to the final rule that some folks "may have interpreted the risk of harm standard in the [IFR] as setting a much higher threshold for breach notification than we intended to set." Hence the "clarification" in the final rule that:

an acquisition, access, use, or disclosure of protected health information in a manner not [otherwise] permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

45 CFR 164.402 (emphasis added).

This revision is intended to provide a more objective standard, in response to comments filed in connection with the IFR.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

 


Filed Under: Health care policy, Health Law, HIPAA, HIT, Privacy, Security

Copyright © 2006–2025
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged.