Benefits Law Update
        Practical advice from Verrill attorneys

        HHS Makes Significant Changes to HIPAA Breach Notification Rules

        by Eric D. Altholz on February 12, 2013

        Three years ago, almost to the day, we posted the first of a two part analysis of the Interim Final Rules published by the U.S. Department of Health and Human Services (“HHS”) governing the HIPAA privacy breach notification requirements. We now return to that subject in light of the recent publication (January 25, 2013 in the Federal Register) by HHS of a set of Final Omnibus Rules under HIPAA. The Final Rules cover four distinct areas: (1) privacy and security standards regarding protected health information (“PHI”); (2) enforcement and penalties; (3) breach notification requirements; and (4) final implementation of the Genetic Information Nondiscrimination Act of 2008 (“GINA”). The Final Rules take effect March 26, 2013, and covered entities and business associates have 180 days (until September 23, 2013) to comply. While the Final Rules make some substantial revisions to the prior rules in all four areas, the changes to the breach notification rules are perhaps the most significant.

        Presumption of Breach

        In the preamble to the Final Rule, HHS’s Office of Civil Rights explains that the Final Rule “modifies and clarifies the definition of breach and the risk assessment approach” contained in the 2010 Interim Final Rule. Most commentators agree that is a bit of an understatement.

        The 2010 Interim Final Rules provided a process for privacy officials to follow in order to determine whether an impermissible use or disclosure of PHI resulted in a “breach” that would have to be reported to the affected person(s) and HHS. That process involved a review of the facts and circumstances surrounding the impermissible use or disclosure, a determination of whether an exception to the notification requirement could apply, and (assuming no exception applied) a somewhat subjective assessment of whether impermissible use or disclosure posed a “significant risk of harm” to the affected person(s). The “harm” could be financial, reputational, or in some other form. But ultimately a privacy official could reasonably determine that a given breach might not be so damaging to the affected person(s) that a notification was required.

        It appears that the “significant risk of harm” standard set the bar for notification higher (or created more wiggle room) than the regulators intended, so the Final Rules do two things to lower the notification bar to the intended level. First, the Final Rules modify the definition of “breach” by providing that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate that there is a “low probability” that the PHI has been compromised. This means that a breach notice would have to be given in all cases unless the low probability standard can be met (or unless one of the available exceptions applies). Second, the Final Rule requires the probability of compromise to be determined through a prescribed risk assessment.

        Risk Assessment

        In order to determine the probability that PHI has been compromised, a covered entity or business associate must undertake a risk assessment that takes into account the following factors:

        • The nature and extent of PHI involved
        • The unauthorized person by whom (or to whom) the PHI was used (or disclosed)
        • Whether the PHI was actually viewed or obtained
        • Efforts made to mitigate the use or disclosure of the PHI

        Some residue of the “significant risk of harm” standard perhaps survives in the first of the factors. That is, if the PHI involved is not of a highly sensitive nature (e.g., a prescription for a high dose of Vitamin D) or minimal in extent (such that it would be difficult to identify an affected person), there is at least the possibility that the risk of compromise could be low. Still, the other three factors appear to focus directly on whether the PHI (regardless of the nature and extent) may actually have been accessed in an impermissible way. And to emphasize that point, the Final Rules specify that this risk assessment must be conducted even in cases where the impermissible use or disclosure occurs entirely within a covered entity or business associate, despite the fact that one would expect the probability that the PHI was compromised to be low.

        The abandonment of the “significant risk of harm” standard in favor of a presumption of breach effectively turns the prior rule on its head and is likely to require substantial changes in HIPAA privacy policies and the procedures followed by covered entities and business associates in dealing with potential breach situations.

        * * * * * * * *

        Future posts on the new Final Rules under HIPAA will examine changes affecting business associates and Business Associate Agreements and suggest steps that should be taken by sponsors of self-funded group health plans in order to comply with the new rules by the September 23, 2013 deadline.

        Benefits Law Update

        Verrill’s Benefits Law Update blog delivers timely insights and practical guidance on the ever-evolving landscape of employee benefits and executive compensation. Our blog provides up-to-date analysis and commentary on a wide range of topics, including timely updates on developments in law affecting employee benefit plans and executive compensation arrangements.

        Key Contacts

        Subscribe

        Looking for more great content? Subscribe for regular legal updates and information delivered right to your inbox.

        Firm Highlights

        Alerts and Newsletters

        Maine’s New Employer Surveillance Law, 26 M.R.S. § 620-A

        Effective July 14, 2026 Maine employers that electronically monitor employees must comply with a new disclosure law effective July 14, 2026. Under...
        Press Releases

        Verrill Recognized by U.S. News as One of the Best Law Firms to Work for in 2026

        BOSTON, Mass., BANGOR and PORTLAND, Maine, GREENWICH and WESTPORT, Conn., – Verrill has been featured on U.S. News’ 2026 Best Companies to Work...
        Blog

        SECURE 2.0 Roth Catch-Up Rules and the 403(b) 15-Year Catch-Up: What Tax-Exempt Employers Need to Know

        Tax-exempt employers whose 403(b) plans offer catch-up contributions for participants age 50 and above should be well on their way to compliance with...
        Media Mentions

        Robert Keach Quoted in Law360 on SIMAD Summer Camp Bankruptcy Sale

        Verrill attorney Robert Keach was recently quoted in a Law360 article examining the Chapter 11 bankruptcy proceedings involving SIMAD Holdings and...
        Media Mentions

        Chris Tsouros Featured in Law360’s Coverage of Sports Real Estate Deals

        Verrill Partner Chris Tsouros was recently recognized in a Law360 article highlighting law firms involved in significant sports real estate projects...
        Blog

        What Maine’s New Employer Surveillance Law Means for Maine Employers

        Maine employers who monitor their workforce, whether through productivity software, GPS, call recording, or cameras, have a new compliance obligation...
        Blog

        Run Don’t Walk: The Implication of “While Supplies Last” Prize Promotions

        This month a big-chain grocery store has been offering daily mystery boxes during specific timed drops on a first-come, first-served basis, to users...
        Blog

        Maine’s Noncompete Statute is Reshaped for Health Care Workers: What You Need to Know

        Employers of individuals who are licensed under state law to perform, or provide, health care services in the State of Maine should be prepared for...
        Media Mentions

        Steven Davis Featured in the Environmental Business Journal

        Steven Davis, President of Verrill Strategic Consulting, was recently interviewed and featured in the Environmental Business Journal, Volume 39...
        Blog

        What is a Bonus for Purposes of ERISA?

        An ongoing dispute about a Department of Labor advisory opinion published last September raises a basic but unanswered question under the ERISA: What...
        Media Mentions

        Verrill Recognized by WMTW for Partnership Supporting Hunger Relief in Maine

        Verrill was recently featured in coverage by WMTW News 8 for its role in a collaborative effort to combat food insecurity across southern...
        Press Releases

        33 Verrill Attorneys, Across Four Offices, Recognized in the 2026 Chambers USA Guide

        BOSTON, Massachusetts, PORTLAND, Maine, WESTPORT, Connecticut, and WASHINGTON, D.C. – Verrill has been recognized as a Leading Firm in 14...