Data Breach Notification (DBN) has been one of the most contentious issues of the HIPAA regulations. Presently, a breach of unsecured protected information, whether at the Covered Entity or at the Business Associate, needs to be reported by the Covered Entity to the affected individuals, the HHS and the media. While the public wants such disclosure, business organizations were wary of it because of the possibility of loss of reputation and the creation of panic on account of innocuous and accidental breaches.
Taking into consideration both sides of the argument, the Final Rule has made the following provision:
“Breach notification is not required if the covered entity/Business Associate can demonstrate through a risk assessment that there is a low probability that the PHI has been compromised”
The Final Rule has also provided some guidelines for the risk assessment, stating that the following aspects need to be considered along with any other relevant matters:
(1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(2) the unauthorized person who used the protected health information or to whom the disclosure was made;
(3) whether the protected health information was actually acquired or viewed; and
(4) the extent to which the risk to the protected health information has been mitigated.
As a corollary, covered entities and business associates should examine their policies to ensure that when evaluating the risk of an impermissible use or disclosure they consider all of the required factors.
Such risk assessment must be conducted following both impermissible uses and disclosures (that do not otherwise fall within the other enumerated exceptions to breach).
Covered entities and business associates need to investigate an impermissible use or disclosure to determine if the protected health information was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed.
Further, covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed, and should consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised.
A “post suspected breach audit” is therefore mandatory.
It is also clarified that, for determining the time by which the notice is to be sent, the period is to be calculated “from the date of discovery” and not from the date of occurrence. However, it is reiterated that the 60-day limit is only an outer limit and the notice has to be provided within a reasonable time, at the earliest opportunity.