Commentary: Delving into HIPAA breach notification
The U.S. Department of Health and Human Services (HHS) recently issued its Final Rule designed to strengthen the privacy and security protections for individual health information. The Final Rule, among other things, modified the breach notification requirements and enforcement provisions to “improve the workability and effectiveness, and to increase flexibility for, and decrease burden on the regulated entities.” While the Final Rule’s effective date was March 26, 2013, Covered Entities and Business Associates have until September 23, 2013, to come into compliance with it.
This article will discuss the Final Rule’s breach notification requirements and HIPAA privacy and security enforcement provisions. Readers should note that these are but two of the important areas covered under the Final Rule, and that significant changes have been made to the notice of privacy practices under HIPAA, that there are new requirements for Business Associates and their subcontractors, and that other important modifications have been made to the Privacy Rule affecting marketing, fundraising, sale of protected health information (PHI), and other matters.
The Health Information Technology for Economic and Clinical Health Act (HITECH) amended the Health Insurance Portability and Accountability Act (HIPAA) to require that Covered Entities provide notification to affected individuals and to the U.S. Secretary of HHS following discovery of a breach of unsecured PHI. In some instances, a Covered Entity would also be required to notify the media, in the case of breaches of unsecured PHI involving more than 500 individuals. HITECH also required that the Business Associates of Covered Entities notify the applicable Covered Entity of the breach.
Under the old HIPAA breach rules, there were three situations in which exceptions to the notification requirements applied:
(1) the PHI was unintentionally accessed by a workforce member performing his or her duties; (2) the PHI was inadvertently disclosed from one workforce member to another; and (3) the PHI was disclosed to a person who reasonably would not have been able to obtain that information. Under the third exception, Covered Entities were to perform a risk assessment to determine whether the impermissible use or disclosure posed a significant risk of financial, reputational or other harm to the individual. Thus, if a Covered Entity could show that it took immediate steps to mitigate an impermissible use or disclosure, it could argue that those steps reduced the risk to less than a significant risk of financial, reputational or other harm.
Such remedial steps would include activities to ensure that information would not be further used or disclosed, including possibly having the inadvertent recipient of the PHI returning or destroying it. If such steps eliminated or reduced the risk of harm to an individual to less than a “significant risk,” then under the previous rule it could be interpreted that the security and privacy of the information was not compromised and, therefore, that no breach notification was required.
The Final Rule maintains two of the three statutory exceptions and modifies the third. Under the Final Rule, a breach excludes any unintentional acquisition, access or use of PHI by a workforce member, or by a person acting under the authority of a Covered Entity or Business Associate, if such acquisition, access or use was made in good faith and within the scope of authority, and does not result in further use or disclosure in a manner not permitted under the Privacy Rule. The second exception provides that a breach does not include an inadvertent disclosure of PHI from a person who is authorized to access PHI at a Covered Entity or Business Associate to another person authorized to access PHI at the same Covered Entity or Business Associate.
After considering the significant volume of public comments received during the comment period, HHS amended the third exception in its Final Rule. By modifying the risk assessment approach, HHS added language to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the Covered Entity or Business Associate shows a low probability that the PHI has been compromised. This “low probability” standard replaces the “significant risk of financial, reputational or other harm” standard. Thus, under the new standard, breach notification is required in all situations, except where the Covered Entity or Business Associate can show that there was a low probability that the PHI has been compromised, or where the workforce exceptions discussed above apply. To guide the showing of a low probability that the PHI has been compromised, the Final Rule identifies the factors that Covered Entities and Business Associates should consider when performing a risk assessment to determine whether the PHI has been compromised and breach notification is required.
The Final Rule requires that the following four factors be considered when conducting the risk assessment. Covered Entities and Business Associates should modify their policies and procedures to ensure that when they evaluate the risk of an impermissible use or disclosure, all four are considered.
- The first factor to be considered when conducting the risk assessment concerns the nature and extent of the PHI involved, including the type of identifiers and the likelihood of re-identification. When conducting a risk assessment, the nature and degree of any clinical information used or disclosed must be considered. Examples given in the Commentary to the Final Rule indicate that when assessing the clinical information disclosed, the entity must consider not only the nature of the services or other information, but also the amount of detailed clinical information involved, for example treatment plans, diagnosis, medication, medical history, etc. Considering the type of PHI involved in a possible breach should help Covered Entities or Business Associates determine the probability that the PHI could be used by an unauthorized recipient in a manner adverse to the individual. Additional considerations include whether there are direct identifiers in the impermissibly used or disclosed information, and whether the PHI released could likely be re-identified based on context or the ability to link it to other information.
- The second factor to be considered when conducting the risk assessment requires Covered Entities and Business Associates to determine the identity of the unauthorized person who impermissibly used the PHI, or to whom the impermissible disclosure was made. Thus, for example, if an impermissible disclosure of PHI was made to another Covered Entity obligated to comply with HIPAA, there may be a low probability that the PHI has been compromised, since the recipient is also obligated to protect PHI. The Commentary to the Final Rule suggests that if the information that is impermissibly used or disclosed is not immediately identifiable, entities should determine whether the unauthorized person who received the PHI has the ability to re-identify the information.
- The third factor to be considered when conducting the risk assessment requires Covered Entities and Business Associates to investigate an impermissible use or disclosure to determine whether the PHI was actually acquired or viewed or, alternatively, whether only the opportunity existed for the information to be acquired or viewed. Consequently, if a laptop computer is stolen and later recovered, and a forensic analysis indicates that the PHI was never accessed, viewed, acquired, transferred or otherwise compromised, the Covered Entity would be able to determine that the information was not actually acquired by an unauthorized individual. Contrast that situation, however, with one where a Covered Entity mails information to the wrong individual, who opens it and calls the entity to say that he or she received the information. In that case, the unauthorized recipient viewed and acquired the information because he or she opened and read it.
- The fourth factor to be considered when conducting the risk assessment requires Covered Entities and Business Associates to consider the extent to which the risk has been mitigated. Covered Entities and Business Associates must attempt to mitigate risk following impermissible uses or disclosures. Such mitigation could include obtaining assurances that the information will not be further used or disclosed, through a confidentiality agreement or similar means, as previously suggested in the original rule, or that the information will be destroyed. Covered Entities and Business Associates should consider the extent and efficacy of the mitigation when determining the probability that the PHI has been compromised.
In the Commentary to the Final Rule, it is suggested that this last factor should be considered in combination with the other factors regarding the unauthorized recipient of the PHI disclosed. The Commentary indicates that a Covered Entity or Business Associate’s analysis of the probability of PHI being compromised must address each of the four factors. If, after evaluating in accordance with the above, the Covered Entity or Business Associate cannot determine that there was a low probability that the PHI has been compromised, then a breach notification is required.
The Final Rule maintains the provisions regarding when a breach is deemed discovered, and the timing and content of the required notification. It modifies the deadline by which Covered Entities are required to notify the Secretary of HHS of all breaches of unsecured PHI affecting fewer than 500 individuals, to not later than 60 days after the end of the calendar year in which the breaches were discovered, rather than 60 days from the end of the calendar year. It should be noted that Covered Entities and Business Associates bear the burden of proof to demonstrate that all required notifications were provided, or that an impermissible use or disclosure did not constitute a breach. Covered Entities must maintain documentation of their analysis. Thus, a risk assessment demonstrating a low probability that PHI was compromised, or showing that an impermissible use or disclosure fell within one of the exceptions, should be documented and retained.
The Final Rule also strengthened the enforcement provisions by increasing penalties for HIPAA and HITECH violations. HHS has established four categories of violations that reflect increased culpability. These levels of violation include: (1) did not know; (2) reasonable cause; (3) willful neglect corrected; and (4) willful neglect not corrected. For each of these categories there is a penalty for violation and a provision for a maximum for all violations of an identical provision in a calendar year.
Penalties apply to both Covered Entities and Business Associates, including subcontractors, and will be determined on a case-by-case basis, with the HHS Office for Civil Rights considering the nature and extent of the violation, the nature and extent of the resulting harm, and the entity’s history of non-compliance when determining penalties. HHS has also indicated that the entity’s financial position will be examined and that the agency will consider prior non-compliance, even if there has been no formal finding of a violation.
The Final Rule also provides that: (1) the Secretary of HHS is required to investigate any complaint if a preliminary review of the facts indicates a possible violation due to willful neglect; (2) the Secretary is required to conduct a compliance review when a preliminary review indicates a possible violation due to willful neglect; and (3) the Secretary may attempt to resolve investigations or compliance reviews indicating non-compliance by informal means.
Finally, Covered Entities and Business Associates are liable for their Business Associate agents’ acts, even if the Covered Entity has a Business Associate agreement in place. Key questions to assess are: (1) whether the Business Associate engaged in a course of conduct subject to control by the Covered Entity; (2) whether the Business Associate’s conduct is commonly performed to accomplish the services performed on behalf of the Covered Entity; and (3) whether the Business Associate activity was reasonably expected by the Covered Entity. Thus, it is important to take steps to avoid agency relationships wherever possible, and to include clear indemnification provisions when Covered Entities contract with Business Associates. These increased enforcement activities and provisions require Covered Entities and Business Associates to review their policies and procedures to ensure that they incorporate necessary safeguards.