Final HIPAA Rule on Breach Notification - A Breach Is Now Something Different

PR Newswire

PHILADELPHIA, Jan. 18, 2013 /PRNewswire/ -- A key change to the notification
requirements for breaches involving protected health information (PHI) could
make a significant difference to healthcare providers, health plans and their
vendors, increasing the risks of their failing to notify affected individuals.

Katherine Keefe, head of Beazley Breach Response Services, a dedicated unit
within specialist insurer Beazley that helps clients manage data breaches,

"The long awaited final HIPAA rule readdresses the breach notification
requirements first enacted under the Health Information Technology for
Economic and Clinical Health Act (HITECH) and changes the game fairly

Under the current interim rule, a breach is defined as an inappropriate use or
disclosure of PHI involving significant risk of financial, reputational or
other harm. The final rule changes this definition by stating that an
impermissible use or disclosure of PHI is presumed to be a breach, unless the
covered entity can demonstrate that there is a low probability that the PHI
has been compromised.

"In particular," Ms Keefe noted, "the final rule requires that four factors be
considered when determining if PHI has been compromised. First, the nature
and extent of the PHI involved. Second, the unauthorized person who used the
PHI or to whom the disclosure of PHI was made. Third, whether the PHI was
actually viewed or acquired. And fourth, the extent to which the risk to the
PHI has been mitigated. The government makes very clear that each of
these factors must be considered when evaluating impermissible uses or
disclosures of PHI, and that compliance policies need to include these

Ms Keefe said that the final rule would likely make healthcare providers and
health plans (and their business associates, which are also covered by the
rule) even more wary about failing to notify affected individuals of
inappropriate uses or disclosures of PHI. Even under the interim rule, in
force since 2009, more than 21 million victims of "large" healthcare breaches
(affecting 500 people or more) have received notifications. While the final
rule is slated to take effect on March 26, compliance by covered entities
and business associates is required by September 23, 2013.

Note to editors:
In 2010 Beazley launched Beazley Breach Response (BBR), a unique insurance,
loss control and risk mitigation service for privacy and data breaches. In
less than two years BBR has become recognised as the most comprehensive
solution available to the challenge of data breaches. BBR brings together
expert forensic, legal, notification and credit monitoring services to satisfy
all legal requirements and maintain customer confidence.

Beazley plc (BEZ.L), is the parent company of specialist insurance businesses
with operations in Europe, the US, Asia and Australia. Beazley manages five
Lloyd's syndicates and, in 2011, underwrote gross premiums worldwide of
$1,712.5 million. All Lloyd's syndicates are rated A by A.M. Best.

Beazley's underwriters in the United States focus on writing a range of
specialist insurance products. In the admitted market, coverage is provided
by Beazley Insurance Company, Inc., an A.M. Best A rated carrier licensed in
all 50 states. In the surplus lines market, coverage is provided by the
Beazley syndicates at Lloyd's.

Beazley is a market leader in many of its chosen lines, which include
professional indemnity, property, marine, reinsurance, accident and life, and
political risks and contingency business.

For more information please go to:

Information referenced is from the US Department of Health & Human Services.

SOURCE Beazley Group plc

Contact: Beazley Group: Katherine Keefe, +1-215-446 8421