Breach Notification Rules Get a Makeover

Rules about notifying patients when their electronic protected health information (PHI) has been breached — that is, used or disclosed impermissibly — got stronger under HIPAA, while a new state law brought some relief.

The HIPAA omnibus rules bolsters federal breach requirements by clarifying when practices must report breaches of unsecured health information to the U.S. Health and Human Services Department.

Any breach is now presumed reportable unless, after completing a risk analysis, you are able to demonstrate there is a “low probability of PHI compromise.” Practices must consider these four factors in the risk analysis:

  1. Who obtained the unauthorized access to the PHI and whether that person has an independent obligation to protect its confidentiality;
  2. The nature and extent of the PHI involved, e.g, the level of financial or clinical sensitivity, and the potential ability for patients to be individually identified;
  3. Whether the PHI was actually viewed or accessed; and
  4. Whether the recipient took appropriate mitigating action.

 Texas Senate Bill 1610 amends the state law by:

  • Setting a single Texas standard for the elements of compliance with Texas’ breach notification law, regardless of the state of the patient’s residency; and
  • Allowing physicians to send a written notice to a patient’s last known address.

 Your goal is to keep your patients’ electronic PHI as secure as possible. Go to the TMA Education Center to find out about HIPAA CME courses.

Published Aug. 13, 2013

Last Updated On

May 30, 2019

Originally Published On

August 13, 2013