The Final Rule on HIPAA-HITECH Act released by HHS after a prolonged public discussion makes some changes in the way the Data Breach notification needs to be handled by Covered Entities and Business Associates.
The key points of the Final Rule are as follows:
1. Breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrate that there is no significant harm to the individual as was provided under the interim final rule.
2. The onus of proving that an “Impermissible use or disclosure” of PHI is not a “breach” lies with the covered entity. In other words, all impermissible uses are “breaches” unless the entity “Demonstrates” that there is a low probability that the PHI has been compromised.
This essentially means that whenever an “Impermissible” use or disclosure is observed, the entity should initiate a “Data Breach Audit” process and document if the impermissible use is in fact a “Breach”. Such a “Data Breach Audit” will determine if there has been a breach and whether the probability of compromise is significant.