The new data breach notification rules for covered entities and PCHR Platform providers go into effect on September 23 (for covered entities) and September 24 (for PCHR Platforms and providers). There’s a nice wrap-up here.
One big change from the prior environment is that the business associates of a HIPAA covered entity are now directly covered by the rule. Previously, protections were extended by contract with the original CE. Practically, I don’t think this makes a huge difference, since the Covered Entities would have just gone back and renegotiated the existing agreements to share the notification burden. Extending those requirements through regulation probably even saves some money and lawyer time, since there’s now no need to go and revisit all of those agreements.
The final rule does, however, have a pretty substantial loophole. Notification is required only when there is a chance of substantial harm to the person whose data was released. And that determination is made by the covered entity. Obviously, there is a huge opportunity for things to go wrong here. But the opposite extreme – mandating disclosure at all times – would be overly burdensome and would also have the very negative side effect of scaring consumers who receive breach notifications for trivial things – their city and phone number were accidentally released to a contractor, who then had a laptop stolen while on vacation in Guatemala. Odds of harm to the patient are pretty close to zero, and putting the burden on them to worry about sophisticated identity thieves is not particularly fair.
So I don’t think they got this one entirely right. A public audit process might be the solution – all breaches need to be disclosed, and outside groups can choose to make a stink about situations where individual notifications should have occurred but didn’t. I suspect this would get behavior into line pretty quickly.