Main Menu
Changes to HIPAA Breach Notification Requirements

After two and a half years of regulatory uncertainty, the Office for Civil Rights of the Department of Health and Human Services issued the final rule amending the HIPAA privacy, security, enforcement and breach notification requirements, signaling the most expansive change to HIPAA in more than a decade. The publication of the final rule now establishes the OCR’s positions on changes to the privacy, security, enforcement and breach notification requirements.

HIPAA breach notification

The final rule changes the risk analysis requirements for determining when a breach has occurred. Previously, a risk of harm threshold was considered in determining whether a breach had occurred. The OCR’s changes in the final rule create almost a presumption of a “breach,” which will seemingly make it more likely that a business will be required to notify those individuals whose personal health information has been affected, HHS and possibly the media.

In addition to the changes already noted, the final rule made various changes to the research authorization, marketing, fundraising and sale of personal health information requirements. Expansion of the “minimum necessary” standard to business associates was included in the final rule, and new enforcement efforts and increased civil penalties were also in the final rule.

The final rule signals the largest expansion of the HIPAA privacy, security, enforcement and breach notification efforts in at least a decade. Not only do traditional health care providers need to review and implement a variety of changes, but any entity that works with a health care provider or a business associate of a health care provider must now determine whether these changes will also affect their business relationships. The time to make these determinations and adapt to this regulatory framework is now.

The final rule notes that compliance with these requirements should be in place by September 2013.

  • Partner

    With national, broad-based experience in a variety of industries, Dan focuses his practice on complex business and financial transactions including middle-market mergers and acquisitions, capital formation, debt financing ...



Recent Posts




Back to Page