January 22, 2013
This is the first in a series of McGuireWoods articles on the HIPAA Omnibus Final Rule recently released by HHS.
On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the Omnibus Final Rule (Final Rule) interpreting and implementing various provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). In the Final Rule, HHS modified the standard that HIPAA-covered entities, including healthcare providers and health plans, and their business associates must use to determine if a breach of protected health information (PHI) has occurred. Specifically, HHS replaced the previous standard, which required analysis of the risk of financial, reputational or other harm to an individual, with a standard that presumes that a breach has occurred unless, through the analysis of a series of specific factors, it is determined that there is a low probability that PHI has been compromised by the unauthorized use or disclosure. In the Final Rule, HHS reaffirms that it is the obligation of the covered entity or the business associate to reach this determination, to document the basis for the determination and to provide all required notifications if a determination is made that a breach has occurred.
Risk of Harm Standard Replaced with More Objective Test
The HITECH Act requires notice to affected individuals, HHS and, in certain circumstances, the media when HIPAA-covered entities and their business associates discover a breach of unsecured PHI. HHS defines “breach” as the “acquisition, access, use, or disclosure” of PHI in violation of the Privacy Rule that “compromises the security or privacy” of the PHI. In the Breach Notification for Unsecured Protected Health Information Interim Final Rule, effective Sept. 23, 2009, HHS defined the phrase “compromises the security or privacy of the PHI” to mean that the acquisition, access, use or disclosure “poses a significant risk of financial, reputational, or other harm to the individual.” The inclusion of this second level of analysis, the so-called risk of harm standard, created a subjective aspect to an entity’s evaluation of whether an unauthorized acquisition, access, use or disclosure of PHI rises to the level of a breach.
After considering public comments to the Interim Final Rule, HHS determined that the risk of harm standard could be construed and implemented in a manner it had not intended. Accordingly, in the Final Rule, HHS revised the definition of a “breach” to state that unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. Further, to determine whether there is a low probability that the PHI has been compromised and whether breach notification is necessary, the covered entity or business associate, as applicable, must conduct a risk assessment that considers, at a minimum, each of the following factors:
Following analysis of each of the factors above, covered entities and business associates must evaluate the overall possibility that the PHI has been compromised by considering all the above, and any other relevant factors, in combination. HHS expects that risk assessments will be thorough and completed in good faith and, further, that the conclusions will be reasonable.
Safe Harbor and Certain Other Exceptions Still Apply
The Final Rule retained a critical safe harbor initially established by the Interim Final Rule. Specifically, an unauthorized disclosure only rises to the level of a breach and only triggers the notification requirements of the HITECH Act if the PHI disclosed is “unsecured.” Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of the technology or methodology specified by the secretary through published guidance. The secretary issued this guidance on April 17, 2009, and it was later published in the Federal Register on April 27, 2009 (74 FR 19006); it specifies two methods for rendering PHI unusable, unreadable or indecipherable: (1) encryption; and (2) destruction effectuated in accordance with certain industry best practices.
The other regulatory exceptions to the definition of “breach” that were implemented through the Interim Final Rule remain unchanged. These include: (1) acquisition, access or use of PHI by a workforce member, in good faith, and without further use or disclosure not permitted by the Privacy Rule; (2) inadvertent disclosure to a person authorized to access PHI, without further use or disclosure not permitted by the Privacy Rule; and (3) where there is a good faith belief that the unauthorized person would not be able to retain the information.
Limited Data Set Exception Removed
The Final Rule eliminated the exception to the definition of breach where the PHI used or disclosed constitutes a limited data set that does not contain any dates of birth or ZIP Codes. Accordingly, breaches of limited data sets, regardless of their content, must be handled like all other breaches of PHI.
Notification Requirements Remain Unchanged
Under both the Interim Final Rule and the Final Rule, if a covered entity determines that a breach has occurred, the following breach notification obligations apply:
Burden of Proof Rests with Covered Entities and Business Associates
The Final Rule reaffirms that, in the case of an impermissible use or disclosure of PHI, it is the covered entity or the business associate, as applicable, that has the burden of demonstrating that all notifications were provided or, in the alternative, that an impermissible use or disclosure did not constitute a breach, and of maintaining documentation as necessary to meet this burden. It is critically important that covered entities and business associates have appropriate policies and procedures in place to detect and respond to a potential breach. Following a breach, covered entities and business associates should conduct employee training to prevent recurrence.