Your email inboxes have likely been flooded with updates regarding the U.S. Department of Health and Human Services’ final rule to strengthen the privacy and security protections of health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The final rule, among other things, enhances a patient’s privacy protections, provides individuals new rights to access their health information and strengthens the government’s ability to enforce the law. The final rule was released on Jan. 17 and becomes effective March 26, but an organization covered by the act, i.e., a “covered entity” (CE) or “business associate” (BA), will have 180 days beyond the effective date (or Sept. 22, 2013) to come into compliance.
Although many aspects of the breach-notification rule originally mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) remain the same (including the timing of notification to the Department of Health and Human Services (HHS) and the content of the notification), there are significant changes that healthcare organizations and those that do business with them need to consider.
HIPAA refers to vendors who have access to protected health information (PHI) and electronic protected health information (ePHI) as business associates. There are many examples of BAs: lawyers, consultants, medical transcriptionists, benefits managers, etc. The definition of a BA has not changed, but their liability has. BAs are now directly liable for compliance breaches for:
1. Impermissible uses and disclosures;
2. Failure to provide breach notification to the covered entity;
3. Failure to provide access to a copy of electronic protected health information to either covered entity, the individual, or the individual’s designee;
4. Failure to disclose PHI where required by the secretary of HHS to investigate or determine the business associate’s compliance with the HIPAA rules;
5. Failure to provide an accounting of disclosures; and
6. Failure to comply with the requirements of the security rule.
When a breach occurs, HHS must be notified within prescribed time limits. For breaches involving 500 or more individuals (large breaches as defined by HHS), the breach must be reported to HHS at the same time notice is provided to the affected patients. For breaches involving fewer than 500 individuals, the breach must be reported to HHS within 60 days after the end of the calendar year in which the breach was discovered. After breaches are reported, the reporting healthcare organization usually receives voluminous “voluntary” requests for information about the breach from the Office for Civil Rights (OCR), because OCR has enforcement authority over both the Privacy and Security Rules of HIPAA. OCR has been quite active in its enforcement and investigative activity against covered entities such as hospitals, health plans, hospices, physician practices and health systems; however, BAs have been virtually left alone.
It is anticipated that OCR’s approach to investigations will change dramatically when a BA is involved because of the new rules imposing direct liability. BAs should be expecting the type of voluminous requests and detailed investigations that CEs have been involved in since HITECH went into effect in 2009.
The biggest change for everyone is probably the definition of a breach. Prior to the final rule, and up until March 26, a HIPAA/HITECH breach was defined as a use or disclosure that caused a “significant risk of financial, reputational, or other harm.” This standard provided CEs with an opportunity to consider the type of harm the affected patient was exposed to as a result of the use or disclosure. For example, a hospital could conclude in most circumstances that disclosure of a patient’s tonsillitis diagnosis did not pose a significant risk of any harm. However, disclosure of a patient’s HIV status likely did pose a threat of significant harm.
The final rule has changed the definition of a breach. An impermissible use or disclosure of PHI or ePHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI or ePHI has been compromised. HHS reminds us that the burden of proof is on the CE or BA to make this showing. HHS also tells us that this change was made because it believes that breaches were going unreported, even though breaches affecting tens of millions of patients have been reported since HITECH took effect.
Reputational harm continues to be a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis. OCR will look at whether the impermissible use or disclosure adversely affected the patient’s employment, standing in the community, or personal relationships.
The final rule specifically requires that the probability that PHI has been compromised be assessed by considering at least:
1. The nature and extent of PHI involved;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether PHI was actually acquired or viewed; and
4. The extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third parties that the information was destroyed).
Most of these factors were likely considered previously by CEs, but they were considered in a different context. If a CE or BA concludes that a breach has not occurred, documentation sufficient to meet this burden of proof must be maintained. A decision to notify does not require an analysis of risk because the occurrence of a breach is presumed.
There are also a few requirements that remain the same, even if there was some clarification.
Pre-Emption of State Law
HHS has reminded CEs and BAs that HITECH only pre-empts state law to the extent HITECH is stricter. If a state law is stricter, then the CE and BA must follow the requirements of the state law, as HHS considers the regulation to be the federal floor of privacy protection. Depending on the scope of the breach, a state may have stricter requirements involving timeliness of notification, notification to state agencies, and content of the notification letter. Some states, such as Florida, Vermont, and Wisconsin, require notification within 45 days. Other states expect notification within several weeks to 30 days even though the state statute does not specify an exact time period. Knowledgeable privacy counsel is critical to advise organizations about these issues because the state statutes (and how they are applied) can be confusing.
HHS has made clear that the ability to deliver high-quality care must be balanced with compliance issues because each organization is unique and presented with different challenges. This does not mean that compliance takes a backseat to patient care issues, but it does mean that healthcare organizations can continue to document their decision-making process when accepting and addressing risks.
For example, the use of encryption continues to be an addressable standard. This does not mean it is optional: an addressable standard must be implemented where reasonable and appropriate, and where it is not, the organization must document why and what equivalent safeguard it uses instead. There are several advantages if encryption is implemented. These include the safe harbor from breach notification for encrypted data and the ability to show clear compliance with certain HIPAA security rule requirements. If an organization decides not to deploy encryption technology, a documented risk assessment is required which details the decisions made by the organization and what other protections are in place to safeguard ePHI. OCR may disagree with your assessment. Recently, HHS provided guidance for the protection of mobile devices. Some of the protections that should be considered include:
1. Use a password or other user authentication;
2. Install and enable encryption;
3. Install and activate wiping and/or remote disabling;
4. Disable and do not install file-sharing applications;
5. Install and enable a firewall;
6. Install and enable security software;
7. Keep security software up to date;
8. Research mobile applications (apps) before downloading;
9. Maintain physical control of your mobile device;
10. Use adequate security to send or receive health information over public Wi-Fi networks; and
11. Delete all stored health information before discarding or reusing the mobile device.
OCR has been quite vocal recently about its enforcement efforts. The results of the KPMG audit program, as well as the information OCR has learned while investigating reported breaches, have educated OCR about the existing gaps in compliance at CEs and BAs. With the new requirements in the final rule, as well as the prior requirements that continue to be in place, it is important for CEs and BAs to rework compliance programs, amend breach response plans and associated documentation, revise contracts with vendors, update educational programs, and to explore insurance options to cover these risks.