When a breach occurs, HHS must be notified within certain prescribed time parameters. For breaches involving over 500 people (large breaches as defined by HHS), the breach must be reported contemporaneously with the notice being provided to the affected patients. For breaches involving under 500 people, the breach must be reported to HHS within sixty (60) days after the last day of the calendar year in which the breach was discovered. After breaches are reported, the reporting healthcare organization usually receives voluminous "voluntary" requests for information about the breach from the Office for Civil Rights (OCR), because OCR has enforcement authority over both the Privacy and Security Rules of HIPAA. OCR has been quite active in its enforcement and investigative activity against covered entities such as hospitals, health plans, hospices, physician practices, and health systems; however, BAs have been virtually left alone.
It is anticipated that OCR's approach to investigations will change dramatically when a BA is involved because of the new rules imposing direct liability. BAs should expect the same type of voluminous requests and detailed investigations that CEs have been subject to since HITECH went into effect in 2009.
The biggest change for everyone is probably the definition of a breach. Prior to the final rule, and up until March 26, a HIPAA/HITECH breach was defined as a use or disclosure that caused a "significant risk of financial, reputational, or other harm." This standard provided CEs with an opportunity to consider the type of harm the affected patient was exposed to as a result of the use or disclosure. For example, a hospital could conclude in most circumstances that disclosure of a patient's tonsillitis diagnosis did not pose a significant risk of any harm. However, disclosure of a patient's HIV status likely did pose a threat of significant harm.
The final rule has changed the definition of a breach. An impermissible use or disclosure of PHI or ePHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI or ePHI has been compromised. HHS reminds us that the burden of proof is on the CE or BA to make this showing. HHS also tells us that this change was made because it believes that breaches were going unreported, even though breaches impacting tens of millions of patients have been reported since HITECH.
Reputational harm continues to be a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis. OCR will look at whether the impermissible use or disclosure adversely affected the patient's employment, standing in the community, or personal relationships.
The final rule specifically requires that the probability of harm be assessed by considering at least:
1. The nature and extent of PHI involved.
2. The unauthorized person who used the PHI or to whom the disclosure was made.
3. Whether PHI was actually acquired or viewed.
4. The extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third parties that the information was destroyed).