Monday, April 1, 2013
More on the Final HIPAA Omnibus Rule
New “Breach” Standard
Previously, breach was defined as the “acquisition, access, use, or disclosure of protected health information (“PHI”) in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the PHI.” Compromising the security or privacy of PHI meant “posing a significant risk of financial, reputational, or other harm to the individual.” 45 CFR §164.402 (emphasis added). The problem, according to HHS, was that some covered entities interpreted the “risk of harm” standard as higher than HHS intended.
The revised Breach Notification Rule does not change the essential definition of a security breach, but it does redefine the test for when breach notification is required. In short, breach notification is now required in all situations, apart from three exceptions, unless a covered entity or business associate can demonstrate that there is a low probability that the PHI was compromised. To determine whether the probability is low enough to make notification unnecessary, a covered entity must perform a four-part risk assessment that considers the following factors:
(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the PHI or to whom the disclosure was made;
(iii) Whether the PHI was actually acquired or viewed; and
(iv) The extent to which the risk to the PHI has been mitigated.
78 Fed.Reg. 17 at 5695, modifying 45 CFR §164.402(2).
The replacement of the “risk of harm” standard with the low probability standard for compromised PHI is a drastic departure. HHS expects these changes will create “a more objective and uniform” test for identifying when notification of a breach is required. 78 Fed.Reg. 17 §(D)(2) at 5683. HHS hopes the new standard will be easier to apply and will make breach notification more consistent. 78 Fed.Reg. 17 §(D)(2), at 5683. The likely result of this new standard will be an increased number of actual breach notifications.
Covered entities and business associates must perform the new risk assessments in good faith and document them in detail. They also bear the burden of proving either that all necessary notifications were made after a security breach or that the impermissible use or disclosure of PHI did not constitute a breach.
The Rule also removes from the definition of “breach” the exception for limited data sets that do not contain dates of birth and zip codes. Now, the four-part risk assessment must be used to assess the probability that a data set without direct identifiers has been compromised.
There were also some technical changes to the definition of “unsecured protected health information” that should be reviewed. Further, the Rule made a few substantive changes to the notice requirements. For example, a Covered Entity must now notify HHS of all breaches of unsecured PHI affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches were “discovered,” instead of the year in which they “occurred.”
Keep in mind that the Breach Notification Rule is just the tip of the iceberg: the Final Rule has extensive provisions affecting many subjects related to the handling and transmission of health information. Don’t let your ship sink—we can help you navigate through the rough waters of change. McBrayer, McGinnis, Leslie & Kirkland, PLLC’s attorneys can provide covered entities with training and education on the changes and requirements of the Final Rule, as well as review and revise BA agreements, policies, and procedures to bring them into compliance by September 23, 2013.
Emily M. Hord
McBrayer, McGinnis, Leslie & Kirkland, PLLC