Omnibus HIPAA Rule, Including Significant Breach Notification Rule Changes, Released by HHS
The long-awaited final rule modifying the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the Rule) was released on January 17, 2013 by the Department of Health and Human Services (HHS). The Rule goes into effect on March 26, 2013, after which covered entities and business associates have until September 22, 2013 to transition to full compliance with its new requirements.
One of the most significant changes to the Breach Notification Rule relates to the replacement of the “harm threshold” standard with the new “low probability” standard with respect to notifications for breaches of patient information. This standard, which is used to determine whether a disclosure constitutes a breach, is of particular importance because covered entities and business associates are responsible for sending breach notification letters to all individuals whose information is compromised and reporting detailed, publicly reported information about the incident to the Office of Civil Rights (OCR). This change is not unexpected, given that various members of Congress have stated their opposition to the very concept of a “harm threshold.” Covered entities and business associates need to examine and update their current policies and procedures to ensure that they respond to potential data breaches in an appropriate and compliant manner. Some of the most significant changes in the Rule are highlighted below.
Impermissible uses and disclosures are presumed to be breaches
If protected health information (PHI) is used or disclosed in a way that is not permitted under HIPAA, covered entities and business associates now have the burden of showing that a breach has not occurred. In other words, covered entities and business associates must perform a risk assessment (or send breach notification letters, which typically must be done within 60 days for breaches involving less than 500 individuals) to analyze impermissible uses or disclosures. Certain other exceptions to the definition of a breach continue to apply, including: (1) good faith disclosures to workforce members acting within the scope of their authority; (2) inadvertent disclosures by workforce members authorized to disclose PHI to other workforce members at the same entity; and (3) disclosures where there is a good faith belief that the party receiving the PHI could not reasonably retain the PHI. If covered entities and business associates do not perform a risk assessment and none of the other exceptions apply, the incident is automatically presumed to be a breach.
"Low Probability" is in, “Harm Threshold” is out
In the course of performing a risk assessment, the covered entity or business associate can demonstrate that an impermissible use or disclosure is not a breach if it shows that there is a “low probability” that PHI was compromised. This concept replaces the old “harm threshold” analysis which exempted from the definition of a breach those incidents which posed an insignificant risk of reputational or financial harm. Exempting incidents which pose a very low risk of harm to individuals is intended to prevent undue alarm to individuals and oversaturation with breach notification letters relating to incidents that are unlikely to cause any harm. In its commentary to the Rule, HHS stated that “some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set.” Therefore, this “low probability” concept will yield covered entities and business associates less latitude in making internal determinations that exclude certain incidents from the definition of a breach and from the associated breach notification requirements.
The new four-factor risk assessment requirement
A consequence of the prior “harm threshold” system was that two different covered entities faced with the same set of facts could make different determinations as to whether a breach had occurred. HHS is shifting away from a system of subjective, non-uniform determinations towards a more objective system. In an attempt to begin this transition, HHS adopts a new risk assessment system that consists of a list of four required factors that must be included in any risk assessment. The four factors are:
The nature and extent of the PHI involved in the breach, including the types of identifiers and the likelihood of re-identification of the PHI involved in the breach (e.g., was the information of a type that is likely to identify the individual to an outsider?)
The unauthorized person who used the PHI or to whom the disclosure was made (e.g., was the disclosure was made to another covered entity subject to HIPAA obligations?)
Whether the PHI was actually acquired or viewed by the inappropriate recipient of the PHI
The extent to which the risk to PHI has been mitigated (e.g., has the disclosing entity received receipt of assurances from the recipient that the PHI has not been used inappropriately?)
Going forward, it is mandatory that risk assessments include analysis specifically addressing each of these four factors.
Penalties for failure to perform appropriate risk assessments are increasingly likely
In comparison to the “harm threshold” system, it is not clear that the new metric will result in more uniform determinations or more objective analyses of risk. The nature of data breaches is that they are each unique and any risk assessment determining the probability of compromise will be highly fact-dependent and will by necessity incorporate a fairly high degree of subjectivity. Further, the four factors are virtually identical to the types of factors that have been analyzed by covered entities and business associates in the past when they performed harm threshold analyses. Therefore, it appears that the new risk assessment system is unlikely to remove subjectivity from risk analyses.
Nevertheless, these new requirements are significant in that they provide a specific structure for the risk assessment which, if not adequately performed and documented, could provide a basis for imposition of penalties. In the course of a data breach investigation by the Office of Civil Rights (OCR), it is certain that OCR will request the risk assessment document and analyze whether it appropriately addresses each of the four factors listed above. These assessments need to be timely performed for all potential data breaches. Those assessments that clearly show analysis of all four factors and come to a reasonable conclusion will be sufficient, while those that do not demonstrate appropriate consideration of each of the four factors will be insufficient and may provide grounds for the imposition of penalties.
More guidance may be coming in the future
HHS will likely continue to attempt to make the breach determination process more uniform. HHS notes in the commentary to the Rule that it will be issuing additional guidance to “aid covered entities and business associates in performing risk assessments with respect to frequently occurring scenarios.” If such guidance is issued, there will be a significantly lower degree of subjectivity available to covered entities in performing their risk assessments. Until that further guidance is issued, it is crucial that covered entities and business associates update their policies and procedures ensuring that all potential data breaches are analyzed promptly and appropriately.
A comprehensive discussion of all substantive changes to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules will be forthcoming.
For additional information, please contact Stephen Page or any member of the Waller HIPAA team at 800.487.6380.
The opinions expressed in this bulletin are intended for general guidance only. They are not intended as recommendations for specific situations. As always, readers should consult a qualified attorney for specific legal guidance.