Proof of harm no longer required for a reportable HIPAA data breach
The release of the HIPAA Omnibus package of regulations removes proof of ‘harm’ as a HIPAA data breach standard, making it harder for a covered entity or business associate to avoid reporting a data breach. Under the previous interim data breach rule, guidance from the US Department of Health and Human Services (HHS) held that a HIPAA data breach was reportable only if the unauthorized release of protected health information caused harm, that is, when “a use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.”
This allowed covered entities to claim that, even though they acknowledged that protected data was lost or released, there was no harm to any individual and therefore the breach was not reportable. According to guidance released by HHS prior to the publication of the new final rules, the ‘harm’ exclusion set a higher threshold for HIPAA data breach notification than the agency had intended.