Healthcare breach risk assessment requirement
The Department of Health and Human Services issued its Interim Final Rule on August 19, 2009 outlining the obligations of healthcare organizations regarding data breach incident notification as directed by the HITECH Act passed earlier this year.
This rule clarifies the definition of a data breach as the “unauthorized acquisition, access, use or disclosure of protected health information (PHI)” that “compromises the security of the PHI”, which occurs when there is a “significant risk of financial, reputational, or other harm to the individual whose PHI has been compromised.”
As a result of this interpretation of the HITECH Act, HHS has established a harm threshold for determining whether a data security incident is in fact a “breach”. The practical consequence, which privacy and information security officers in healthcare need to note, is that HHS requires a “risk assessment” to be carried out for every incident involving PHI in order to determine whether or not it crosses that threshold and is therefore a breach.
Healthcare organizations must define the practices for carrying out such risk assessments and carefully document the process and conclusions for every incident. One option worth considering is to have the risk assessments carried out by a third party, which removes any perception that the results are not independent of the organization being assessed.
Since breach incidents must be reported to Health and Human Services, and larger breaches (those affecting 500 or more individuals) are posted publicly, it will be essential to maintain documentation both on incidents that were assessed to be breaches and on incidents where the assessment concluded that the harm threshold was not exceeded; the latter is the evidence that a non-notification decision was justified. Unfortunately, there is substantial room for interpretation as to what constitutes a risk of financial, reputational, or other harm to individuals whose PHI has been exposed.