
HIPAA Final Rule Drops 'Risk of Harm' Standard

January 18, 2013
by David Raths
Breach is presumed unless risk assessment determines low probability that health information is compromised

The final HIPAA Omnibus Rule, delayed for almost a year, was finally released on Jan. 17.

The rule actually combines four separate rulemakings, including the changes to HIPAA privacy and security rules required under the HITECH Act; data breach enforcement and penalty requirements; regulations related to the HITECH Act's breach notification rule; and changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act.

The document is 563 pages long. Compliance officers, attorneys and privacy experts will be poring over it for the next several weeks to analyze its likely impact. But I zeroed in on one thing that had been problematic for Health & Human Services all along: the definition of a data breach and the risk assessment approach required. And HHS did indeed make a big change from the interim rule. Initially, HHS had established a harm standard under which a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to an individual." In the event of a breach, HHS' interim rule required HIPAA-covered entities to perform a risk assessment to determine whether the harm standard was met. If they decided that the risk of harm to the individual was not significant, the health providers were not required to tell their patients that their health information had been breached. This approach was widely criticized as a "fox guarding the henhouse" approach.

Well, in the final rule HHS reversed course to say that providers should basically assume that any impermissible disclosure is a breach requiring notification unless they can demonstrate that there is a low probability that protected health information was disclosed. That is a big difference! Here is the relevant passage:

"We recognize that the language used in the interim final rule and its preamble could be construed and implemented in manners we had not intended…. We have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the definition of breach applies)."

HHS has modified the risk assessment to focus on the risk that the PHI has been compromised. Thus, breach notification is not required under the final rule if a provider demonstrates through a risk assessment that there is a low probability that the PHI has been compromised, rather than having to demonstrate that there is no significant risk of harm to the individual, as was provided under the interim final rule.

As I said, this is just one aspect of the lengthy document. The final rule deals with many other aspects of privacy and security, including:



David Raths

Contributing Editor