Breach Notification: Now It’s Your Burden of Proof

As of September 23, 2013, all covered entities, including dentists, are required to follow new HIPAA rules regarding the security of patient data. Among the most significant changes brought about by these rules are changes to when a covered entity must notify patients and the Department of Health and Human Services (HHS) that protected health information has been improperly lost or accessed.
You probably know by now that when patients' protected health information (PHI) is breached, HIPAA regulations require the covered entity to engage in an extensive and costly notification process, the scope of which depends on how many patients have been affected. This may require the covered entity to notify each individual, the news media, and HHS. Suffice it to say that covered entities are often reluctant to engage in this process because it can lead to angry patients, bad PR, and an audit by the Federal government. While this notification process is nothing new, the method for determining whether the notification process is required has changed.
Under the old rule, a covered entity was required to notify patients and HHS if there was a “significant risk of financial, reputational or other harm for the individual.” Notably, the old rule made no assumptions and did not place any specific burden of proof on the covered entity.
The new rule, however, states that there is a presumption that a breach requiring notification has occurred if there has been improper access to or loss of PHI. Under the law, a “presumption” is a rule of evidence that demands a certain result unless the adversely affected party overcomes it. (See BLACK’S LAW DICTIONARY 1223 (8th Ed.)). Thus, the new rule presumes that notification is required for any unauthorized acquisition, access, use, or disclosure of protected health information. (See 45 C.F.R. § 164.402). What this means is that when a breach event occurs, a covered entity that does not complete the notification process will have the burden of demonstrating, based on a risk assessment, that there is a low probability that the PHI has been compromised. The practical problem for most covered entities is that they are ill-equipped to engage in a meaningful risk assessment process. If this type of risk assessment is performed, then it must be thoroughly documented and include supporting evidence. It is highly advisable to retain the services of an attorney to assist in this process.
But all this raises another important question: What happens if you fail to notify patients and HHS when you are required by HIPAA to do so? HHS may fine you up to $1.5 million for violations, and the covered entity may be sued by patients. If you think that will not happen to your business, then take a look at the HHS website, which publicly announces case resolutions and civil monetary penalties:

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html