Healthcare lawyer probes HIPAA rule
Q: And what about those patients? Are they likely to appreciate that alteration to the rule?
A: It will be interesting to see what, if anything, the patient reaction is. Right now patients shouldn’t be getting fundraising solicitations from which they can see they’ve been targeted based on the nature of the services they got. And I don’t know whether patients will have a negative reaction to getting solicitations that indicate fundraisers have looked at their data in more detail. They do have the right to opt out, and hospitals will have to include a notice on all fundraising communications that the patient has the right to opt out of solicitations, so it may be that more patients exercise that right when they see that their information is being looked at more carefully for fundraising purposes.
Q: You mentioned that the burden of determining whether the information has actually been compromised is now on covered entities. How can they prove that?
A: It’s a somewhat ambiguous concept, what it means for information to be compromised. What the government has in mind is that the focus is supposed to be on the risk that the information will be misused in some way or used for an improper purpose, rather than on what the impact of that would be on the patient. One of the challenges in the risk of harm standard, and why there’s been so much concern about it, is that whatever the nature of your risk assessment, whether you’re evaluating risk of harm to the patient or risk that the data has been compromised, these are all judgment calls, and there are factors the rule identifies that you’re supposed to consider in making that determination, like the nature of the information that was disclosed, who received it, and what your capacity to mitigate the improper disclosure is. But at the end of the day there’s no bright line test, so there is still going to be a need for privacy officers and lawyers and other people involved in the breach notification process to make difficult judgment calls about whether there’s enough information to conclude that the probability is low that the information will be compromised. The rule provides an example that would fall into that category, where someone faxes information to the wrong doctor and they contact the covered entity and say ‘this isn’t my patient, I’m sending this back to you.’ At that point you can probably conclude that the risk that the information could be misused or has been misused is very, very low. But those are the easy cases. There are a fair number of more ambiguous situations where reaching the conclusion that there’s a low probability of risk is a difficult thing, and reasonable people might differ about that.
Q: So the lost laptop or other portable media containing thousands or millions of patient records that we keep seeing — that particular scenario is not going to get easier, is it?
A: I don’t think there’s a rule that’s going to change that situation. If you can retrieve the laptop or the device and assess forensically that nobody has accessed the information, I think you can probably conclude that there’s no breach, both under the prior rule and the new rule, but if you can’t get the laptop back you’re pretty much stuck having to treat it as a breach. So I don’t think that’s going to change, and the best defense against breaches involving portable devices continues to be encryption, which is still a basis for not having to do breach notification.