Main Menu
Changes to HIPAA Breach Notification Requirements

HIPAA breach notificationAfter two and a half years of regulatory uncertainty, the Office for Civil Rights of the Department of Health and Human Services issued the final rule amending the HIPAA privacy, security, enforcement and breach notification requirements, signaling the most expansive change to HIPAA in more than a decade. The publication of the final rule now establishes the OCR’s positions on changes to the privacy, security, enforcement and breach notification requirements.

The final rule changes the risk analysis requirements for determining when a breach has occurred. Previously, a risk of harm threshold was considered in determining whether a breach had occurred. The OCR’s changes in the final rule create almost a presumption of a “breach,” which will seemingly make it more likely that a business will be required to notify those individuals whose personal health information has been affected, HHS and possibly the media.

In addition to the changes already noted, the final rule made various changes to the research authorization, marketing, fundraising and sale of personal health information requirements. Expansion of the “minimum necessary” standard to business associates was included in the final rule, and new enforcement efforts and increased civil penalties were also in the final rule.

The final rule signals the largest expansion of the HIPAA privacy, security, enforcement and breach notification efforts in at least a decade. Not only do traditional health care providers need to review and implement a variety of changes, but any entity that works with a health care provider or a business associate of a health care provider must now determine whether these changes will also affect their business relationships. The time to make these determinations and adapt to this regulatory framework is now.

The final rule notes that compliance with these requirements should be in place by September 2013.

If you have questions about how these expanded HIPAA regulations may affect you or your business, please contact Bingham Greenebaum Doll LLP attorneys Alan J. Dansker or Daniel E. Fisher.



Recent Posts




Back to Page