HIPAA Rule Alters Definition of 'Breach'

In a final rule published in the Jan. 25, 2013, Federal Register, the U.S. Department of Health and Human Services (HHS) altered the definition of “breach” under the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules.

The rule implements the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which amended HIPAA.

The department jettisoned a so-called “harm standard” to define when there is a breach requiring notification and replaced it with a more objective four-part standard.

Section 13400(1) of the HITECH Act defined “breach” as the “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

In an interim final rule that took effect Sept. 23, 2009, HHS defined “compromises the security or privacy of the protected health information” as meaning “poses a significant risk of financial, reputational or other harm to the individual.” The interim final rule also included three statutory exceptions to the definition of breach.

New Standard

The final rule kept the exceptions, but junked the harm standard, even though some health plans defended it, noting that the harm standard was consistent with many state breach notification laws.

But the harm standard is too subjective, other commenters on the interim final rule said. They urged HHS to come up with a new standard that focused on the risk that the protected health information was compromised instead of on the risk of harm to the individual.

That’s what HHS did. First, it added language to the definition of “breach” to clarify that “an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”

Instead of assessing the risk of harm to the individual, covered entities and business associates must assess the probability that the protected health information has been compromised, based on a risk assessment that considers at least the following four factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of reidentification.
  • The unauthorized person who used the protected health information or to whom the disclosure was made.
  • Whether the protected health information was actually acquired or viewed.
  • The extent to which the risk to the protected health information has been mitigated.
HHS provided some examples to flesh out this standard. “In addition to the statutory exceptions that have been included in both the interim final rule and this final rule, there may be other similar situations that do not warrant breach notification,” it noted. “We agree with commenters that providing notification in such cases may cause the individuals unnecessary anxiety or eventual apathy if notifications of these types of incidents are sent routinely.”

So, if a covered entity misdirects a fax containing protected health information to the wrong physician, and upon receipt the receiving doctor calls the covered entity to say he or she received it in error and has destroyed it, the covered entity may be able to demonstrate a low probability that the information has been compromised, the department said. But the covered entity still would have to perform and document a risk assessment, it noted.

What if a laptop is lost and later recovered, and a forensic analysis shows that the protected health information on the computer was not accessed? One commenter urged HHS not to require a risk assessment in that circumstance.

HHS declined, saying such forensic evidence is relevant to the assessment (it bears directly on whether the information was actually acquired or viewed), but covered entities still must perform and document the risk assessment. “We also note, as we did in the interim final rule, if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered,” it added.

HHS did give employers flexibility in describing what is being done in response to a breach. If employees were disciplined because of the breach, an employer may choose to describe the sanctions generally, such as saying they have been appropriately disciplined. “Nothing in the rule would require that the notice include the names of the employees involved,” HHS stated. 

Employers could be more specific, “such as indicating that an employee who improperly accessed and sold patient information was promptly terminated,” it added.

Three Exceptions

The final rule kept the three statutory exceptions to the definition of “breach”:

  • A breach excludes any unintentional acquisition, access or use of protected health information by a workforce member (including a volunteer or trainee) or person acting under the authority of a covered entity or business associate, if the acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule. “The exception does not, however, cover situations involving snooping employees, because access as a result of such snooping would be neither unintentional nor done in good faith,” HHS clarified.
  • A breach excludes inadvertent disclosures of protected health information from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate or organized health care arrangement in which the covered entity participates.
  • Also exempted are disclosures of protected health information where a covered entity or a business associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. “For example, if a covered entity, due to a lack of reasonable safeguards, sends a number of explanation of benefits (EOBs) to the wrong individuals and a few of the EOBs are returned by the post office, unopened, as undeliverable, the covered entity can conclude that the improper addressees could not reasonably have retained the information,” HHS stated. “The EOBs that were not returned as undeliverable, however, and that the covered entity knows were sent to the wrong individuals, should be treated as potential breaches.”

Train Employees

HHS added, “We emphasize the importance of ensuring that all workforce members are appropriately trained and knowledgeable about what constitutes a breach and on the policies and procedures for reporting, analyzing and documenting a possible breach of unsecured protected health information. We note that because this final rule modifies the definition of breach as stated in the interim final rule, covered entities will need to update their policies and procedures and retrain workforce members as necessary to reflect such modifications.”

HHS also recommended that covered entities adopt policies requiring workforce members to return or destroy information to which they obtained unauthorized access.

Sometimes an employer needs protected health information to comply with workplace medical surveillance laws, such as Occupational Safety and Health Administration requirements. In those situations, HIPAA permits a covered entity to disclose an individual’s information, subject to certain conditions, to his or her employer if the entity is a covered health care provider “who is a member of the workforce of such employer or who provides health care to the individual at the request of the employer.”

Few employers “have reviewed and updated their privacy policies and conducted training in recent years,” Frank Palmieri, a benefits attorney with Palmieri & Eisenberg in Princeton, N.J., and Alexandria, Va., told SHRM Online. “HIPAA has teeth. Violations occur every day and training should be encouraged in 2013 and 2014.”

The final rule also requires modifications to and redistribution of a covered entity’s notice of privacy practices. The final rule is effective March 26, 2013, but covered entities have until Sept. 23, 2013, to comply with its requirements.

Allen Smith, J.D., is manager, workplace law content, for SHRM. This article originally appeared on shrm.org.