HITECH Final Rule – Impact on Breach Notification Rule

Posted on February 4, 2013 in Health Law News

Published by: Hall Render

On January 25, 2013, the Department of Health and Human Services (“HHS”) formally published its Omnibus Final Rule (“Final Rule”), which includes modifications to the HIPAA Privacy and Security Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”).  Because the Final Rule covers a broad range of topics, we will be issuing a series of articles in our HIPAA Impact Series to provide further analysis on these topics.  This article focuses on the impact of the Final Rule on covered entities’ and business associates’ obligations to identify and report a breach of Protected Health Information (“PHI”).

Background

The breach notification requirement arose from the HITECH Act provisions within the American Recovery and Reinvestment Act of 2009 (“ARRA”). HHS issued an Interim Final Rule on August 24, 2009 that implemented those requirements (“Interim Final Rule”).  The Interim Final Rule established that a covered entity is required to notify affected individuals and HHS in the event of a breach of unsecured PHI that compromises the security or privacy of the PHI, unless an exception applies.  Accordingly, in order to determine if notice is required under the existing standard, a covered entity is required to make the following four determinations: (1) whether there was a use or disclosure of PHI in violation of the HIPAA Privacy Rule; (2) whether the PHI was unsecured (i.e., neither encrypted nor destroyed); (3) whether the impermissible use or disclosure posed a significant risk of financial, reputational or other harm to the individual; and (4) whether an exception applies.  Those requirements have been in effect since September 23, 2009.

Harm Threshold Restructured

As indicated above, under the existing standard, a covered entity would only conclude that a breach had occurred if the harm threshold was met (i.e., the impermissible use or disclosure of PHI poses a significant risk of financial, reputational or other harm to the individual).  Soon after the Interim Final Rule was issued, however, questions arose regarding whether the risk of harm threshold was too subjective in nature and thus inconsistent with Congressional intent. HHS apparently took those questions to heart, since the most significant change made by the Final Rule with respect to breach notification was to fundamentally restructure the risk of harm threshold.  Accordingly, under the Final Rule, rather than assessing harm to determine if a breach occurred, a covered entity must presume each impermissible use or disclosure of PHI is a breach unless an exception applies or there is a low probability that PHI has been compromised, as determined through a risk assessment.

The exceptions that could apply in a given circumstance are the same exceptions as existed under the Interim Final Rule: (1) unintentional, good faith acquisition, access or use of PHI by a workforce member within the scope of authority; (2) inadvertent disclosure by an authorized person to another authorized person within the same entity or organized health care arrangement; and (3) disclosure to an unauthorized person where the person would not reasonably have been able to retain the information.

With respect to the risk assessment, the Final Rule explains that it should include at least the following four factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification.  To assess this factor, the covered entity or business associate, as applicable, should consider the “sensitivity” of the PHI.  Sensitive information can include financial information such as a credit card number or a social security number, as well as clinical information such as a treatment plan or medication list.
  2. The unauthorized person who used the PHI or to whom the disclosure was made.  For this factor, the covered entity or business associate, as applicable, should consider whether the person who received the PHI has an obligation to protect the privacy and security of the information.  For example, information disclosed to another covered entity may result in a lower probability that the PHI was compromised.
  3. Whether the PHI was actually acquired or viewed.  With respect to this factor, the covered entity or business associate, as applicable, will need to assess the extent to which the PHI was acquired or viewed. For example, a forensic analysis of a stolen laptop may indicate that the PHI was never accessed or viewed.
  4. The extent to which the risk to the PHI has been mitigated.  For this factor, the covered entity or business associate, as applicable, should consider what steps have already been taken to reduce the risk that the PHI will be further used or disclosed.  Risk mitigation strategies may include obtaining the recipient’s satisfactory assurances that the information will not be further disclosed or will be destroyed.

HHS expects covered entities or business associates, as applicable, to conduct risk assessments reasonably and in good faith.  These factors are similar in nature to the factors a covered entity or business associate would have considered under the Interim Final Rule, so the analysis of those factors should be familiar to most covered entities and business associates.  Even so, in the Final Rule, HHS indicated that it would make available additional risk assessment guidance in the future with respect to common breach scenarios.  It is unclear whether HHS will publish this guidance prior to the September 23, 2013 Final Rule effective date.

Other Provisions Remain Unchanged

The Final Rule’s impact on the breach notification process is minimal, and the Interim Final Rule breach notification requirements remain largely unchanged. Requirements relating to when breaches are considered to be discovered, the timelines for notification, content of notifications, methods of notification, and media and HHS notification were not materially changed by the Final Rule.  For details on those requirements, see our previous article regarding the Interim Final Rule.

Practical Takeaways

The Final Rule changes become effective on March 23, 2013.  However, HHS is giving providers until September 23, 2013 to comply with most of the changes, including those relating to the breach notification requirements.  In order to be prepared for compliance by September 23, 2013, covered entities and business associates should undertake the following steps as soon as possible:

  • Update breach notification policies and procedures to reflect the changes to the risk of harm determination;
  • Identify which types of PHI are “unsecured” and evaluate whether unsecured PHI can be made secure using approved technologies and methodologies (e.g., encryption);
  • Consider the impact that state laws may impose with respect to breach notification;
  • Ensure that business associate agreements include clear language regarding responsibility and liability for breach notification obligations; and
  • Train workforce members on the revised policies and procedures.

Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH.  View our HIPAA Impact Series and sign up to receive updates by visiting www.hallrender.com/impact.