January 22, 2013
This is the first in a series of articles regarding the HIPAA Omnibus Final Rule recently released by HHS. For a comprehensive list of other articles on HIPAA by McGuireWoods, click here.
On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the Omnibus Final Rule (Final Rule) interpreting and implementing various provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). In the Final Rule, HHS modified the standard that HIPAA-covered entities, including healthcare providers and health plans, and their business associates must use to determine if a breach of protected health information (PHI) has occurred. Specifically, HHS replaced the previous standard, which required analysis of the risk of financial, reputational or other harm to an individual, with a standard that presumes that a breach has occurred unless, through the analysis of a series of specific factors, it is determined that there is a low probability that PHI has been compromised by the unauthorized use or disclosure. In the Final Rule, HHS reaffirms that it is the obligation of the covered entity or the business associate to reach this determination, to document the basis for the determination and to provide all required notifications if a determination is made that a breach has occurred.
Risk of Harm Standard Replaced with More Objective Test
The HITECH Act requires notice to affected individuals, HHS and, in certain circumstances, the media when HIPAA-covered entities and their business associates discover a breach of unsecured PHI. HHS defines “breach” as the “acquisition, access, use, or disclosure” of PHI in violation of the Privacy Rule that “compromises the security or privacy” of the PHI. In the Breach Notification for Unsecured Protected Health Information Interim Final Rule, effective Sept. 23, 2009, HHS defined the phrase “compromises the security or privacy of the PHI” to mean that the acquisition, access, use or disclosure “poses a significant risk of financial, reputational, or other harm to the individual.” The inclusion of this second level of analysis, the so-called risk of harm standard, created a subjective aspect to an entity’s evaluation of whether an unauthorized acquisition, access, use or disclosure of PHI rises to the level of a breach.
After considering public comments to the Interim Final Rule, HHS determined that the risk of harm standard could be construed and implemented in a manner it had not intended. Accordingly, in the Final Rule, HHS revised the definition of a “breach” to state that unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. Further, to determine whether there is a low probability that the PHI has been compromised and whether breach notification is necessary, the covered entity or business associate, as applicable, must conduct a risk assessment that considers, at a minimum, each of the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
Following analysis of each of the factors above, covered entities and business associates must evaluate the overall possibility that the PHI has been compromised by considering all the above, and any other relevant factors, in combination. HHS expects that risk assessments will be thorough and completed in good faith and, further, that the conclusions will be reasonable.
Safe Harbor and Certain Other Exceptions Still Apply
The Final Rule retained a critical safe harbor initially established by the Interim Final Rule. Specifically, an unauthorized disclosure only rises to the level of a breach and only triggers the notification requirements of the HITECH Act if the PHI disclosed is “unsecured.” Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of the technology or methodology specified by the secretary through published guidance. The secretary issued guidance on April 17, 2009, and later published in the Federal Register on April 27, 2009 (74 FR 19006), specifying two methods for rendering PHI unusable, unreadable or indecipherable: (1) encryption; and (2) destruction effectuated in accordance with certain industry best practices.
The other regulatory exceptions to the definition “breach” that were implemented through the Interim Final Rule remain unchanged. These include: (1) acquisition, access or use of PHI by a workforce member, in good faith, and without further use or disclosure not permitted by the Privacy Rule; (2) inadvertent disclosure to a person authorized to access PHI, without further use or disclosure not permitted by the Privacy Rule; and (3) where there is a good faith belief that the unauthorized person would not be able to retain the information.
Limited Data Set Exception Removed
The Final Rule eliminated the exception to the definition of breach where the PHI used or disclosed constitutes a limited data set that does not contain any dates of birth or ZIP Codes. Accordingly, breaches of limited data sets, regardless of their content, must be handled like all other breaches of PHI.
Notification Requirements Remain Unchanged
Under both the Interim Final Rule and the Final Rule, if a covered entity determines that a breach has occurred, the following breach notification obligations apply:
- Notice to Individuals: Affected individuals must be notified without unreasonable delay, but in no case later than 60 calendar days after discovery. The notices must be written in plain language and include basic information that is detailed in the Interim Final Rule. Under certain circumstances, a substitute notice may be used.
- Notice to Media: If a breach affects more than 500 residents of a state or smaller jurisdiction (such as a county, city or town), the covered entity or business associate must also notify a prominent media outlet that is appropriate for the size of the location with affected individuals.
- Notice to HHS: Information regarding breaches involving 500 or more individuals (regardless of location) must be submitted to HHS at the same time that notices to individuals are issued. If a particular breach involves 500 or fewer individuals, the covered entity is required to report the breach to HHS within 60 days after the end of the calendar year in which the breach occurs via the HHS web portal.
- Notice by Business Associates to Covered Entities: A business associate of a covered entity must notify the covered entity if the business associate discovers a breach of unsecured PHI. Notice must be provided without unreasonable delay and in no case later than 60 days after discovery of the breach.
Burden of Proof Rests with Covered Entities and Business Associates
The Final Rule reaffirms that, in the case of an impermissible use or disclosure of PHI, it is the covered entity or the business associate, as applicable, that has the burden of demonstrating that all notifications were provided or, in the alternative, that an impermissible use or disclosure did not constitute a breach, and of maintaining documentation as necessary to meet this burden. It is critically important that covered entities and business associates have appropriate policies and procedures in place to detect and respond to a potential breach. Following a breach, covered entities and business associates should conduct employee training to prevent recurrence.