ALM Properties, Inc.
Page printed from: Law Technology News
Select 'Print' in your browser menu to print this document.
The HIPAA Final Rule Is a Game-Changer for Breach Notification
Law Technology News
Your email inboxes have likely been flooded with updates regarding the U.S. Department of Health and Human Services' final rule to strengthen the privacy and security protections of health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Final Rule, among other things, enhances a patient's privacy protections, provides individuals new rights to access their health information, and strengthens the government's ability to enforce the law. The final rule was released on January 17 and becomes effective March 26, but an organization covered by the act, i.e., a "covered entity" (CE) or "business associate" (BA) will have 180 days beyond the effective date (or September 22, 2013) to come into compliance.
Although many aspects of the breach notification rule originally mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) remain the same (including the timing of notification to the Department of Health and Human Services (HHS) and the content of the notification), there are significant changes that healthcare organizations and those that do business with them need to consider.
HIPAA refers to vendors who have access to protected health information (PHI) and electronic protected health information (ePHI) as business associates. There are many examples of BAs: lawyers, consultants, medical transcriptionists, benefits managers, etc. The definition of a BA has not changed, but their liability has. BAs are now directly liable for compliance breaches for:
When a breach occurs, HHS must be notified within certain prescribed time parameters. For breaches involving over 500 people (large breaches as defined by HHS), the breach must be reported contemporaneously with the notice being provided to the affected patient. For breaches involving under 500 people, the breach must be reported to HHS within sixty (60) days of the last day of the preceding calendar year in which the breach was discovered. After breaches are reported, the reporting healthcare organization usually receives voluminous "voluntary" requests for information about the breach from Office for Civil Rights (OCR), because OCR has enforcement authority of both the Privacy and Security Rules of HIPAA. OCR has been quite active in its enforcement and investigative activity against covered entities such as hospitals, health plans, hospices, physician practices, and health systems; however, BAs have been virtually left alone.
It is anticipated that OCR's approach to investigations will change dramatically when a BA is involved because of the new rules imposing direct liability. BAs should be expecting the type of voluminous requests and detailed investigations that CEs have been involved in since HITECH went into effect in 2009.
The biggest change for everyone is probably the definition of a breach. Prior to the final rule, and up until March 26, a HIPAA/HITECH breach was defined as a use or disclosure that caused a "significant risk of financial, reputational, or other harm." This standard provided CEs with an opportunity to consider the type of harm the affected patient was exposed to as a result of the use or disclosure. For example, a hospital could conclude in most circumstances that disclosure of a patient's tonsillitis diagnosis did not pose a significant risk of any harm. However, disclosure of a patient's HIV status likely did pose a threat of significant harm.
The final rule has changed the definition of a breach. An impermissible use or disclosure of PHI or ePHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI or ePHI has been compromised. HHS reminds us that the burden of proof is on the CE or BA to make this showing. HHS also tells us that this change was made because it believes that breaches were being unreported even though breaches impacting tens of millions of patients have been reported since HITECH.
Reputational harm continues to be a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis. OCR will look at whether the impermissible use or disclosure adversely affected the patient's employment, standing in the community, or personal relationships.
The final rule specifically requires the probability of harm be assessed by considering at least:
Most of these factors were likely considered previously by CEs, but they were considered in a different context. If a CE or BA concludes that a breach has not occurred, documentation sufficient to meet this burden of proof must be maintained. A decision to notify does not require an analysis of risk because the occurrence of a breach is presumed.
There are also a few requirements that remain the same, even if there was some clarification.
PRE-EMPTION OF STATE LAW
HHS has reminded CEs and BAs that HITECH only pre-empts state law to the extent HITECH is more strict. If a state law is more strict, then the CE and BA must follow the requirements of the state law as HHS considers the regulation to be the federal floor of privacy protection. Depending on the scope of the breach, a state may have more strict requirements involving timeliness of notification, notification to state agencies, and content of the notification letter. Some states such as Florida, Vermont, and Wisconsin for example require notification within 45 days. Other states expect notification within several weeks to 30 days even though the state law does not specify an exact time period. Knowledgeable privacy counsel is critical to advise organizations about these issues because the state statutes (and how they are applied) can be confusing.
HHS has made clear that the ability to deliver high-quality care must be balanced with compliance issues because each organization is unique and presented with different challenges. This does not mean that compliance takes a backseat to patient care issues, but it does mean that healthcare organizations can continue to document their decision-making process when accepting and addressing risks.
For example, the use of encryption continues to be an addressable standard. This means that it is not required to be adopted by healthcare organizations and vendors. There are several advantages, however, if the technology is implemented. These include safe harbors for breach notification and the ability to show clear compliance with certain HIPAA Security Rule requirements. If an organization decides not to deploy encryption technology, a documented risk assessment is required which details the decisions made by the organization and what other protections are in place to address the safeguarding of ePHI. OCR may disagree with your assessment.Recently, HHS provided guidance for the protection of mobile devices. Some of the protections that should be considered include:
OCR has been quite vocal recently about its enforcement efforts. The results of the KPMG audit program, as well as the information OCR has learned while investigating reported breaches, have educated OCR about the existing gaps in compliance at CEs and BAs. With the new requirements in the final rule, as well as the prior requirements that continue to be in place, it is important for CEs and BAs to rework compliance programs, amend breach response plans and associated documentation, revise contracts with vendors, update educational programs, and to explore insurance options to cover these risks.
Ted Kobus is national co-leader of the Privacy and Data Protection Team at Baker & Hostetler and focuses his practice in the areas of privacy, data breaches and intellectual property. Email: email@example.com