New HIPAA Rules Expand Breach Notification Requirements

If your company is subject to HIPAA, new rules published by the Department of Health and Human Services (“HHS”) will require changes in your policies and practices regarding data breaches.

Among other things, the new rules implementing the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) have introduced a stricter standard for determining when notification is required and have broadened the group of entities to which it applies.  Here are the highlights:

  1. The “Significant Harm” Standard has been Replaced by a “Risk of Compromise” Standard.  Under the previous rule, the unauthorized disclosure of unsecured protected health information (“PHI”) was considered a breach requiring notification only if a covered entity or business associate determined that there was a “significant risk of financial, reputational, or other harm” to affected individuals.  Under the new rule, such a disclosure is presumed to be a breach unless a risk assessment reasonably concludes that there is only a “low probability” that PHI has been “compromised.”  In order to make that determination, covered entities, business associates, and their subcontractors must now engage in a four-factor analysis that considers the nature of the information involved, the person to whom the information was disclosed, whether the PHI was actually viewed, and mitigation measures, if any.  This assessment must be documented and producible in court.  We expect further guidance from HHS on the new standard in the next couple of months.

  2. Data Breach Requirements Now Extend to Subcontractors.  The final rule now extends data breach notification requirements to all subcontractors that handle PHI on behalf of business associates.  Business associates will need to ensure that these requirements are being followed by their subcontractors, while subcontractors will need to implement new policies and ensure that these requirements are being followed by their own subcontractors.  An upcoming client alert will provide further information on how the new rules apply to subcontractors.

  3. The “Limited Data Set” Exception has been Eliminated.  Under the previous rule, there was an exception to the notification requirement for certain “limited data sets” that had been cleaned of certain types of information.  That exception has been removed, and a risk assessment is now required for breaches of this type of PHI.

  4. Individuals Must be Notified of a Company’s Data Security Breach Obligations.  The new rule now requires a covered entity to include a statement in its Notice of Privacy Practices that it is required by law to notify affected individuals following a breach of unsecured PHI. 

Among other things, covered entities, business associates, and subcontractors will need to update their internal policies and procedures and provide additional training to employees to ensure compliance.  We’ll have more client alerts on other material changes to the HIPAA rules in the coming months.

If you have questions about the new rules, the HITECH Act, or HIPAA generally, please contact Peter Guffin, Kris Eimicke, or Kyle Glover of Pierce Atwood LLP’s Privacy and Data Security Group.