The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules. Our firm will issue a comprehensive summary of the rules shortly (sign up here), but of immediate import is the change to the breach reporting harm threshold. The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.
Under the interim rule, which remains in effect until September 23, 2013, a breach must be reported if it “poses a significant risk of financial, reputational, or other harm to the individual.” The final rule, released yesterday, eliminates that threshold and instead states:
"[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated."
(Emphasis added).
In other words, if a use or disclosure of information is not permitted by the Privacy Rule (and is not subject to one of only three very narrow exceptions), that use or disclosure will be presumed to be a breach. Breaches must be reported to affected individuals, HHS and, in some cases, the media. To rebut the presumption that the incident constitutes a reportable breach, covered entities and business associates must conduct the above-described risk analysis and demonstrate that there is only a low probability the data will be compromised. If the probability is higher, breach notification is required regardless of whether harm to the individuals affected is likely. (Interestingly, this analysis means that if there is a low probability of compromise notice may not be required even if the potential harm is very high.)
What is the effect of this change? First, there will be many more breaches reported resulting in even greater costs and churn than the already staggering figures published by Ponemon which reports that 96% of health care entities have experienced a breach with average annual costs of $6.5 billion since 2010.
Second, enforcement will increase. Under the new rules, the agency is required (no discretion) to conduct compliance reviews when “a preliminary review of the facts” suggests a violation due to willful neglect. Any reported breach that suggests willful neglect would then appear to require agency follow-up. And it is of course free to investigate any breach reported to them. HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews? Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.
Third, covered entities and business associates can expect to spend a lot of time performing risk analyses. Every single incident that violates the Privacy Rule and does not fit into one of three narrow exceptions must be the subject of a risk analysis in order to defeat the presumption that it is a reportable breach. The agency requires that those risk analyses be documented, and they must include at least the factors listed above.
So why did the agency change the reporting standard? As it says in the rule issuance, “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. . . .”
The agency may also have changed the standard because it was criticized for having initially included a harm threshold in the rule, with critics claiming that the HITECH Act did not provide the authority to insert such a standard. Although the new standard does, in essence, permit covered entities and business associates to engage in a risk-based analysis to determine whether notice is required, the agency takes the position that the new standard is not a “harm threshold.” As they put it, “[W]e have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.” So, the agency got their way in that they will not have to receive notice of every single event that violates the Privacy Rule and they have made a passable argument to satisfy critics that the “harm threshold” was removed.
The new rules are effective March 26, 2013 with a compliance deadline of September 23, 2013. Until then, the current breach notification rule with its “significant risk of harm” threshold is in effect. To prepare for compliance with this new rule, covered entities and business associates need to do the following:
- Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
- Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
- Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
- If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
- Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
- Consider strengthening and reissuing training. With every Privacy Rule violation now a potentially reportable breach, it’s more important than ever to avoid mistakes by your workforce. And if they happen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
- Update your policies to address in full these new HIPAA rules. The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.
As noted above, our firm will issue a more comprehensive summary of these new HIPAA rules in coming days.