Government & Policy

4 risk factors to understand since HIPAA final rule on privacy and security

By Doug Pollack
February 06, 2013
07:48 AM

Few will mourn the loss of the ambiguous “harm threshold” requirement. Patient privacy advocates perceived the harm threshold to be subjective, which led “to inconsistent interpretations and results,” according to the HIPAA Final Omnibus Rule published by the U.S. Department of Health and Human Services (HHS).
Under the Breach Notification Interim Final Rule, a breach crossed the harm threshold if it “posed a significant risk of financial, reputational, or other harm to the individual.” The rule required healthcare organizations to perform an incident risk assessment to determine if a breach crossed the harm threshold standard and thus required notification. 

Opponents claimed that placing the burden of proof for determining this “risk of harm” on covered entities caused huge (subjective) variances in the definition of a notifiable breach, leaving affected individuals at risk for harm, while burdening HHS to judge if the assessments met the intent of the rule. It didn’t help that healthcare organizations lacked clear guidance on how to conduct such an assessment, even though the rule had the right intent by recognizing that there are real patients behind protected health information (PHI) and when PHI is compromised these patients can suffer real harm — medical, reputational and/or financial.

[See also: Final HIPAA rule brings changes to fundraising, marketing of PHI]

The HIPAA Final Omnibus Rule seeks to better protect patients by removing the harm threshold. Covered entities and their business associates must still conduct an incident risk assessment, for every data security incident that involves PHI. Rather than determine the risk of harm, the risk assessment determines the probability that PHI has been compromised, based on four factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed;
  4. The extent to which the risk to the protected health information has been mitigated.

These factors should be considered in combination and not in isolation when conducting a risk assessment. If an entity has an incident and its risk assessment concludes that there was a very low probability that the PHI was compromised, it may choose to not notify the affected individuals or the Department of Health and Human Services Office for Civil Rights (OCR). However, the Final Omnibus Rule requires that the entity maintain a “burden of proof” if its conclusions are called into question. If the OCR investigated the covered entity, it would be required to provide conclusive documentation of its incident risk assessment and analysis as to why the incident did not result in a “compromise” of PHI. If the entity doesn’t meet that burden of proof, it could be found to have been negligent in not notifying the affected individuals and subject to substantial fines, penalties, and corrective action.

Organizations still required to “mitigate” harm
Even though the HIPAA Final Omnibus Rule eliminates the “significant risk of harm” phrase and its application during breach risk assessment, it still requires covered entities and business associates to “mitigate harm to individuals” through individual notification. This makes it clear that notification should describe the steps the covered entity or business associate “is taking to mitigate potential harm to individuals resulting from the breach and that such harm is not limited to economic loss.”  In fact, some of the comments that HHS received suggested that the notification letter identify the level of potential harm to individuals so they could better protect themselves. So even though the harm threshold is no longer part of the risk assessment it should play an important role in how a breached entity responds to the breach.

Now harmonious: State and federal breach notification laws
Another key outcome of the revised breach definition and the risk assessment requirement in the HIPAA Final Omnibus Rule is that federal and state breach notification laws are more in sync.

Most states already require a risk assessment to determine the probability that PHI was compromised. The Final Omnibus Rule clarifies that only contrary state laws are to be preempted by the federal breach law. This should help covered entities and business associates create a consistent risk assessment approach to ensure compliance with HIPAA-HITECH and state breach laws.

Enforcement by the Office of Civil Rights
OCR will enforce of the final breach notification rule in accordance with the HIPAA Enforcement Rule. OCR may work with covered entities to achieve voluntary compliance through informal resolution or may impose a civil money penalty for a failure to comply with the breach notification rule. The rule provides an exception to voluntary resolution in the case of violation due to willful neglect. The OCR also has the authority to impose a civil money penalty for violation of the HIPAA Privacy Rule, even in cases where the entity made all required breach notifications.

What you should do
The Final Omnibus Rule is effective on March 26, 2013; covered entities and business associates must comply with the applicable rules of the final rule by September 23, 2013.

Despite the removal of the harm threshold as one of the factors in the risk assessment process, there’s good news for covered entities and business associates that already comply with the Breach Notification Interim Final Rule, which became effective on September 23, 2009. They are well positioned to comply with the final rule given the limited scope of changes in the final rule. For example, the final rule retained all the exceptions allowed by the interim final rule except the limited data set exception. In addition, the rules around incident discovery and notification timelines remained virtually unchanged.

[Q&A: On remaining ambiguities in the final HIPAA rule]

For those organizations that have yet to comply, however, the six-month window for compliance will be a challenge. They must put in place the appropriate operational mechanisms — policies, procedures, methodologies — for carrying out the incident risk assessments that are required in the Breach Notification Rule, and document their results in such as way as to maintain a burden of proof that will stand up to an audit or investigation by OCR.

There will be little tolerance for lack of compliance going forward if OCR makes good on the comments that the agency received for auditing and evaluation entities’ risk assessment and documentation process when carrying out compliance audits required by the ARRA.

Doug Pollack, CIPP, chief strategy officer at ID Experts, has over 25 years of experience in computer systems, software, and security concerns focusing on creating successful new products in new emerging markets.

Mahmood Sher-Jan, CHPC, vice president of product management at ID Experts, brings over 25 years of analytical solutions development and deployment across healthcare, financial, and retail industries. Sher-Jan holds patents in fraud prevention and secure ID solutions.
 

Related articles:

Omnibus HIPAA rule's impact on data breach notification

Not merely lost: What happens to stolen medical records

Are providers rips for a massive medical records heist?

Q&A: Predicting a HIPAA cloud, BAA 'tipping point' comes HIMSS13

Podcast: Probing the final HIPAA rule on privacy and security

Topics: 
Government & Policy

More regional news

Female doctor smiles and waves into a laptop during a telehealth visit

VA plans to end telehealth copays and fund virtual care access in rural areas

By
Andrea Fox
November 14, 2024
HIT professional reviews information on a laptop outside a server room

ASPR seeks feedback on public health orgs' cybersecurity needs

By
Andrea Fox
November 13, 2024
Gabriel Jones of Proprio on AI

Artificial intelligence is enabling big advances in surgery

By
Bill Siwicki
November 13, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Gabriel Jones of Proprio on AI
AI & ML Intelligence
Artificial intelligence is enabling big advances in surgery

Most Read

The Light Collective amplifies its call for patient data rights
Clinical IT leaders on meeting CMS' mandate for patient data access
Epic and Oracle Health sign on to Veteran Interoperability Pledge
Texas AG settles with clinical genAI company
Interoperability in healthcare moving forward despite challenges
What Loper Bright and the end of Chevron deference mean for HHS

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Valerie Rogers at HIMSS_Global Health Equity Week 2024
Technology and policy have a role to play in improving maternal health
Mike Relli at Knight Consulting_Global Health Equity Week 2024
New approaches to improving healthcare access for justice-impacted individuals
Jill Brewer at HIMSS_Healthcare Cybersecurity Forum 2024
What's the weakest link in organizational cybersecurity? Not what you might think
Richard Staynings at the University of Denver_Healthcare Cybersecurity Forum 2024
The challenges of safeguarding healthcare's 'data ocean'

More Stories

Marjorie Rosen at HIMSS_Global Health Equity Week 2024
HIMSS chapters offer a powerful channel for healthcare advocacy
Returning service member with daughter
HIMSS launches veterans health IT workforce program
Morgan L. Waller, RN, of Children's Mercy Kansas City on telemedicine
Deep dive: Exploring one of the most advanced telemedicine programs in the U.S.
Person on laptop at kitchen table with another who holds up prescription bottle for telehealth doctor
ATA calls on Congress to beat the telehealth deadline, as it preps for Trump's term
Anurag Mehta at Omega Healthcare_Physician working on laptop Photo by Dzonsli/E+/Getty Images
Clinician burnout can be reduced by virtual nursing
Healthcare worker and patient watching doctor on screen
Discover the potential ROI of bedside telehealth
HKUST Provost professor Guo Yike presenting their new health LLMs
Hong Kong university to test four genAI models in...
A doctor in a virtual consultation with a patient
China to pilot standards for virtual primary care