HHS Changes Up Standard for HIPAA Breach Notifications

Wednesday, January 23, 2013, by Justin Mann

On January 17, 2013, the Department of Health and Human Services released a final omnibus rule based on amendments to the HITECH Act.   HHS Director Leon Rodriguez heralded the 562 page document as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”  In addition to expanding the scope of responsible persons to business associates and some subcontractors, the rule completely changed the standard used for determining when patients need to be notified of a potential breach of PHI (protected health information).

Analysis under the new rule begins with the presumption that a breach has occurred, unless the business associate or entity is able to demonstrate, to a “low probability,” that the incident would qualify as compromising.  Rather than assessing the probability of breach in terms of the potential harm to the patient, the new rule sets out four objective factors: (1) type of PHI at issue (e.g., social security number or just height/weight), (2) who had unauthorized access to the PHI (e.g., another physician or an ex-wife), (3) whether the PHI was actually accessed (e.g., was it with a stack of other documents or simply in the body of an email), and (4) mitigation of risk (e.g., fax immediately destroyed without being read or unable to locate destination).

After making a good faith and reasonable risk assessment, the entity or business associate must maintain documentation that either the PHI owner was notified or that their risk assessment resulted in a low probability that the PHI was compromised.  It should be noted that beyond over coming this presumption, an entity also has the option of adopting one of the safe harbor provisions (e.g., encrypting datasets according to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals).

Prior to this final rule, entities had operated under a “significant risk of harm” standard.  Many acknowledged it was too subjective, and HHS explained it was interpreted as a higher threshold than had been intended.  The question now is what will be the practical implications of this change?  As Harry Rhodes of the American Health Information Management Association has noted, the new factors will change entities’ approaches to risk assessment.  In this same vein, entities will have to ensure that they update their policies and train their employees on the new standards, if for no other reason than to encourage them to use the right terminology.  Deven McGraw, Director of the Health Privacy Project at the Center for Democracy & Technology, wonders if this middle of the road approach will have any real impact at all on the number of breaches reported.  She pointed out that risk averse institutions were already operating under self-imposed lower standards, preferring to err on the side of caution.  Even HHS, in the final rule, recognized that entities were already implementing some form of the risk assessment it was calling for.  Regardless of the overall effect on breach notifications, the change has certainly added to the to-do lists of compliance officers across the country.