The doctor runs into the coffee shop, leaving his laptop visible in the back seat of his car. When he returns, it’s gone, along with the unencrypted patient medical records on its hard drive. A nurse accesses medical record information from the hospital’s EMR system to obtain information for a friend about a family member. A billing clerk in a physician’s office sends medical records related to hundreds of patients to an audit company, but sends them to the wrong address. A home health nurse leaves her computer with patient information open and unguarded in a home while attending to a patient. A hospital employee pastes information about a patient on her Facebook page.
These are all real-life scenarios that require certain action to be taken pursuant to the requirements of the new HIPAA regulations (45 C.F.R. § 160 et seq.), adopted Jan. 25, with mandatory compliance slated for Sept. 23. Of significance are the revised Breach Notification Rules (45 C.F.R. § 164.400 et seq.). Covered entities need to understand and apply the new standards for determining whether disclosures of protected health information (PHI), as in the scenarios above, constitute breaches that require patient notification and reports to the Secretary of Health and Human Services (HHS), and possibly others.
The new regulations represent a seismic shift from the previous standard of review for HIPAA breaches and will result in more reported cases. Increased reporting will have consequences for covered entities beyond potential investigations by the Office of Civil Rights (OCR) and regulatory fines. Reporting HIPAA breaches may also cause reputational harm and further expose covered entities to civil suits for breaching the confidentiality of patient information.
A breach is defined to mean “the acquisition, access, use, or disclosure of [PHI] in a manner not permitted [under the HIPAA Privacy Rule] which compromises the security or privacy of the protected information.” 45 C.F.R. § 164.402. Excluded from the definition of a breach are: (i) disclosures of PHI by a workforce member that were unintentional, in good faith, within the scope of authority and do not result in a further disclosure not permitted under the rules; (ii) inadvertent disclosures by someone authorized to access PHI to another person who is part of the same workforce and the information is not further disclosed; or (iii) disclosures of PHI where the covered entity or business associate (BA) of the covered entity has a good-faith belief that the person to whom the PHI was disclosed would be unable to retain the information. 45 C.F.R. § 164.402(1).
Assuming none of the exceptions above applies, then, under 45 C.F.R. § 164.402(2), a disclosure of PHI is presumed to be a breach unless:
“the covered entity or [BA], as applicable, demonstrates that there is a low probability that the protected health information has been compromised based upon a risk assessment of at least the following factors:
(i) The nature and extent of the [PHI] involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the [PHI] or to whom the disclosure was made;
(iii) Whether the [PHI] was actually acquired or viewed;
(iv) The extent to which the risk to the [PHI] has been mitigated.”
Under the previous regulations, an unauthorized disclosure was considered a breach (and therefore reportable) only where there was a significant risk of financial, reputational or other harm to the affected individual. Thus, the new regulations shifted the emphasis from reporting only when there was a significant risk of harm to the affected individual, to a standard under which reporting is presumed unless the covered entity can demonstrate that there is a low probability that the information has been compromised.
Applying the new standard of analysis to the scenarios above could result in reportable breaches, depending on the facts of the situation. For example, if the missing laptop was recovered, and a forensic analysis proved that patient information was not accessed, then, pursuant to the factors listed above, there was no unauthorized person with access, the PHI was not viewed and the recovery of the laptop mitigated the risk that further disclosure would occur, supporting a finding of low probability that the PHI was compromised. A different conclusion, however, may be reached where the nurse accesses information for a friend, the computer with PHI is left unguarded in the home or where an employee pastes information about a patient on their Facebook page. Each situation is fact sensitive. Thus, it is important that covered entities conduct a prompt and thorough investigation when an unauthorized disclosure occurs.
Determining whether a breach has occurred can be further complicated by the fact that a breach may be the result of action (or inaction) by a BA or by a subcontractor of the BA. Generally, a BA is someone who is engaged to perform a service on behalf of a covered entity, and PHI is an integral part of providing that service. (See, generally, 45 C.F.R. § 160.103 “Definitions.”) Under the new rules, the definition of a BA has also been expanded to include a subcontractor of the BA who creates, receives, maintains or transmits PHI on behalf of the BA. A covered entity must have a BA agreement with each of its BAs, and a BA must have a similar agreement with each of its subcontractors. If the BA becomes aware of an unauthorized disclosure of PHI, the BA must report the breach to the covered entity. The covered entity in turn must notify the affected individuals and make the required report to the secretary of HHS.
The question is: Who determines whether an unauthorized disclosure fits the definition of a breach that must be reported, when the breach is by the BA? There are two sides to the argument. On the one hand, if the disclosure of PHI was by the BA, and the BA determines pursuant to the regulations that it does not fit the definition of a reportable breach, then the covered entity should not be held accountable for reporting a breach it didn’t know existed. On the other hand, does the covered entity want to take that risk? Ultimately, the covered entity has exposure if there has been a breach by the BA. For one, if the BA’s analysis is wrong and the failure to report is uncovered, the covered entity may end up defending itself before the OCR anyway. Second, if the breach becomes known, the covered entity may suffer reputational harm with its patients, as well as possible civil suits for breach of confidentiality.
Thus, there is a compelling argument that a covered entity shouldn’t leave the analysis of whether a reportable breach has occurred to the BA. Rather, the better practice may be for a covered entity to require, within its BA agreements, that the BA (and any subcontractor of the BA) report any unauthorized disclosure of PHI immediately to the covered entity, so the covered entity can perform the analysis. It’s important that a BA report such potential breaches as soon as possible, since the covered entity is held to strict timelines in which to make the required notifications and reports.
More specifically, if there has been an unauthorized disclosure of PHI that meets the definition of a reportable breach, the covered entity must promptly (but in no event more than 60 calendar days from discovery) notify all of the affected individuals. 45 C.F.R. § 164.404(b). A breach is deemed discovered as of the first day on which the breach is known to the covered entity or should have been known by exercising reasonable diligence. 45 C.F.R. § 164.404(a)(2). If there are fewer than 500 affected individuals, the covered entity must file an annual report with the OCR of any breaches for the year within 60 days following the end of the calendar year. 45 C.F.R. § 164.408(c). If the breach involves 500 or more individuals, then the covered entity must notify the individuals as above, notify the secretary of HHS within 60 days and notify prominent media outlets serving the state or jurisdiction. 45 C.F.R. §§ 164.408(c), 164.406(a).
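An incident-response team can encode the decision path described above (the three exclusions, the presumption of breach rebutted only by a documented four-factor assessment, and the notification tiers and deadlines) so that every unauthorized disclosure is triaged the same way. The following is an added example, not part of the article; the `Disclosure` record and its field names are hypothetical, the thresholds and deadlines are those the article states, and the low-probability conclusion remains the covered entity’s documented judgment rather than something the code computes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Disclosure:
    """Hypothetical record of one unauthorized disclosure of PHI."""
    affected_individuals: int
    discovered: date  # first day known, or should have been known (164.404(a)(2))
    # Exclusions from the definition of breach, 164.402(1)(i)-(iii)
    workforce_unintentional_good_faith: bool = False
    inadvertent_within_workforce: bool = False
    recipient_unable_to_retain: bool = False
    # Four-factor risk assessment, 164.402(2); None means not yet documented
    nature_and_extent: Optional[str] = None
    unauthorized_recipient: Optional[str] = None
    acquired_or_viewed: Optional[str] = None
    mitigation: Optional[str] = None
    low_probability_of_compromise: bool = False  # the entity's documented conclusion

def is_excluded(d: Disclosure) -> bool:
    return (d.workforce_unintentional_good_faith
            or d.inadvertent_within_workforce
            or d.recipient_unable_to_retain)

def risk_assessment_complete(d: Disclosure) -> bool:
    # "At least" these four factors must be addressed before any conclusion counts.
    return all(f is not None for f in (d.nature_and_extent, d.unauthorized_recipient,
                                       d.acquired_or_viewed, d.mitigation))

def is_reportable_breach(d: Disclosure) -> bool:
    if is_excluded(d):
        return False
    # Presumed a breach unless a complete assessment concludes low probability.
    return not (risk_assessment_complete(d) and d.low_probability_of_compromise)

def notification_plan(d: Disclosure) -> dict:
    """Return the notifications owed and their deadlines; empty if not reportable."""
    if not is_reportable_breach(d):
        return {}
    plan = {"individuals_by": d.discovered + timedelta(days=60)}  # 164.404(b)
    if d.affected_individuals >= 500:
        plan["hhs_secretary_by"] = d.discovered + timedelta(days=60)
        plan["notify_media"] = True  # prominent outlets in the state or jurisdiction
    else:
        # Annual log to HHS within 60 days after the end of the calendar year
        year_end = date(d.discovered.year, 12, 31)
        plan["hhs_annual_log_by"] = year_end + timedelta(days=60)
    return plan
```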
Reporting breaches pursuant to the above may trigger an investigation by the OCR with resultant penalties, if the covered entity had not adopted and effectively implemented HIPAA policies and procedures. For example, the OCR recently fined a hospice $50,000 for an unauthorized disclosure involving fewer than 500 individuals, in large part because the investigation revealed that the hospice did not have effective policies and procedures in place. Moreover, although there is no private cause of action under HIPAA, civil suits for breaching patient confidentiality (in which HIPAA sets the standard of care) are becoming more common. Recently, a jury returned a $1.44 million verdict against a pharmacist who accessed information regarding a patient and shared the information with another individual.
Unauthorized disclosures of PHI constituting reportable breaches under the new rules undoubtedly create significant exposure and therefore pose one of the greatest challenges to covered entities going forward. Covered entities that have not updated their policies and procedures to comply with the new rules need to take action now.