HIPAA Breach Notification Rules and their new version

Let us begin at the beginning: what is breach notification? The term is straightforward. It means notifying the authorities whenever there is a breach of Protected Health Information (PHI). Covered Entities (CEs) and Business Associates (BAs), which work closely with PHI, as well as the individuals whose PHI has been breached, are required to bring such data breaches to the attention of the authorities whenever one occurs.

Breach notification is a mechanism intended to ensure that BAs and CEs meet the requirements of the HITECH Act, which forms part of the American Recovery and Reinvestment Act of 2009 (ARRA).

To whom should affected individuals, CEs and BAs complain?

Whenever there is a breach of PHI by a CE or a BA, or a violation of the Privacy, Security, or Breach Notification Rules, the affected individual can file a complaint with the Office for Civil Rights (OCR), which will open an investigation into the complaint.

Whenever a CE or a BA detects a breach, it can report it to the Secretary of Health and Human Services (HHS). In addition, the HIPAA breach notification rules give clear guidelines on how to report breaches in the following classifications:


HIPAA's definition of a breach

A breach of PHI occurs when there is an unpermitted use or disclosure that compromises the security of the data held in the PHI. Any such incident involving data contained in PHI, large or small, is treated as a breach unless the CE or BA can demonstrate, on the basis of its risk assessment, that the compromised data was not serious enough to warrant immediate intervention.

The new HIPAA breach notification rules

The HHS has embarked on a new HIPAA breach notification program, the HIPAA Privacy, Security, and Breach Notification Audit Program, through which it introduces several changes to the existing HIPAA breach notification rules.

  • This new Audit Program is part of the new HIPAA Breach Notification Rule. Its most prominent amendment concerns who gets audited: previously, audits were carried out only for entities against which a complaint had been filed; now, audits must be carried out regardless of whether the entity has faced a complaint. The new Audit Program gives the Office for Civil Rights (OCR) the authority to arrive at virtually any healthcare organization at almost any time and have it undergo an audit at very short notice.
  • It also makes periodic audits of compliance with the HIPAA Privacy and Security Rules mandatory.
  • Finally, these new HIPAA breach notification rules increase the penalties for violations of HIPAA regulations arising from willful negligence, which now start at a slab of $10,000.