HIPAA Regulations: Notification in the Case of Breach -- Administrative Requirements and Burden of Proof - § 164.414
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
|
HHS Regulations |
(a) Administrative requirements. A covered entity is required to comply with the administrative requirements of §164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart.
(b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at §164.402.
| HHS Description and Commentary Administrative Requirements and Burden of Proof - § 164.414 |
Section 164.414(a) requires covered entities to comply with the administrative requirements of § 164.530(b), (d), (e), (g), (h), (i), and (j) of the Privacy Rule with respect to the breach notification provisions of this subpart. These provisions, for example, require covered entities and business associates to develop and document policies and procedures, train workforce members on and have sanctions for failure to comply with these policies and procedures, permit individuals to file complaints regarding these policies and procedures or a failure to comply with them, and require covered entities to refrain from intimidating or retaliatory acts. Thus, a covered entity is required to consider and incorporate the requirements of this subpart with respect to its administrative compliance and other obligations. In addition to §164.414(a), to make clear that these provisions apply to this subpart as well as subpart E, we have made conforming modifications in each of the above sections of the Privacy Rule to include a reference to this subpart D.
Consistent with § 13402(d)(2) of the Act, § 164.414(b) provides that, following an impermissible use or disclosure under the Privacy Rule, covered entities and business associates have the burden of demonstrating that all notifications were made as required by this subpart. Additionally, as part of demonstrating that all required notifications were made, we clarify in the regulatory text that a covered entity or business associate, as applicable, also must be able to demonstrate that an impermissible use or disclosure did not constitute a breach, as such term is defined at § 164.402, in cases where the covered entity or business associate determined that notifications were not required. We also make conforming changes to § 160.534 of the HIPAA Enforcement Rule to make clear that, during any administrative hearing, the covered entity has the burden of going forward and the burden of persuasion with respect to these issues.
Thus, when a covered entity or business associate knows of an impermissible use or disclosure of protected health information, it should maintain documentation that all required notifications were made, or, alternatively, of its risk assessment (discussed above in § 164.402) or the application of any exceptions to the definition of “breach” to demonstrate that notification was not required.