Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them and its significant implications for employers and health care providers subject to HIPAA have not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.
HIPAA’s recently promulgated security breach notification regulations require notice only if (a) there has been access to, or acquisition, use or disclosure of, protected health information (PHI) in violation of the HIPAA Privacy Rule; and (b) that violation “poses a significant risk of financial, reputational or other harm” to the subjects of the PHI. In the preamble to the security breach regulations, the U.S. Department of Health and Human Services (HHS) takes the position that a covered entity “will need to perform a risk assessment” to determine whether the second element of the notification standard has been satisfied. Besides identifying four factors that covered entities might consider in conducting this risk assessment, HHS provides no other guidance on how to assess risk. HHS does emphasize, however, that “[c]overed entities and business associates must document their risk assessments, so their they can demonstrate, if necessary, that no breach notification was required.” In other words, covered entities should expect that if HHS ever challenges a decision not to provide notice of a security breach, HHS’ first request will be for production of the covered entity’s risk assessment that decision. Continue reading on Littler's Workplace Privacy Counsel blog.