Also, the HIPAA Final Rule revises the definition of privacy “breach” and modifies elements contained within the risk-assessment test used to determine whether a breach of protected health information has occurred. HHS has removed the harm standard and altered its risk assessment to focus more objectively on the risk that a patient’s protected health information has been compromised. Notification of a breach is no longer necessary if a HIPAA covered entity or business associate demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised. In addition, HHS has broadened the list of those who may be liable for HIPAA Privacy Rule violations to include subcontractors employed by a covered entity's business associates, while also setting a four-tier financial penalty structure for breaches deemed serious enough to warrant a federally imposed penalty. Fines will range from $100 to $50,000 per violation, with a $1.5 million annual cap.
To access a short or long summary of the HIPAA Final Privacy Rule prepared by APA’s regulatory staff, click here. The text of the rule is to be published in tomorrow's Federal Register.