By Quarles & Brady LLP – Jennifer L. Rathburn, Kevin J. Eldridge and Jennifer J. Hennessy for Lexology
As we have annoyingly reminded you in previous publications, on January 17, 2013 the moment much anticipated by the health care industry finally arrived: The United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued a Final Rule implementing changes to the HIPAA regulations mandated by the Health Information Technology for Economic and Clinical Health Act of 2009 (the HITECH Act). The Final Rule was issued in an “omnibus” package and addresses not only privacy and security but also enforcement, breach notification, and the genetic privacy provisions of the Genetic Information Nondiscrimination Act as they apply to protected health information (PHI).
This document analyzes the Final Rule’s changes to the breach notification regulations and their impact on covered entities and their business associates. (Note: This alert is not for beginners and assumes the reader has a working knowledge of HIPAA’s current breach notification requirements.)
Changes to the Breach Notification Requirements
The existing breach notification regulations contain a harm threshold, meaning that only those breaches posing a significant risk of financial, reputational, or other harm are reportable. Fortunately, the changes reflected in the Final Rule aren’t quite as draconian as many (including us) feared. Prior to issuance of the Final Rule, rumors had abounded that HHS was going to revise the regulations to require reporting of all incidents constituting an impermissible acquisition, access, use, or disclosure of unsecured PHI, regardless of the potential for harm. While the Final Rule did remove the harm threshold standard, the good news is that HHS did not impose a bright-line standard that made the rumors a reality; rather, the Final Rule replaced the harm threshold standard with a new “rebuttable presumption” standard. HHS indicated that it modified the current harm standard because it was too subjective in its focus on “harm to the individual” and resulted in inconsistent interpretations.
Like many others, we clutched at our hair in dismay upon our initial read of this new standard, imagining a significant jump in the number of incidents that would constitute reportable breaches under this new standard. We thought so because, under this standard an impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless the covered entity or business associates demonstrates that there is a low probability that the protected health information has been compromised. Determining what constitutes “low probability” is something only a sadistic law professor would find enjoyable, giving us a case of the cold sweats, but HHS helpfully provided a risk analysis defining four factors, which are discussed below. Thus, upon further consideration, it is possible that the changes may potentially not be as profound as they initially appear, at least for those of you who have taken a more conservative approach to risk assessments under the existing regulations.
What is the Nature and Extent of the PHI?
Covered entities and business associates need to analyze the types of PHI involved in the potential breach. Clearly, risk increases when a potential breach involves sensitive financial information, such as credit card numbers, social security numbers, or other information that increases the risk of identity theft. In addition, if clinical information is involved in a potential breach, covered entities and business associates should consider the nature of the services or other information (e.g., more sensitive information such as mental health or AODA information would increase risk), the amount of detailed clinical information exposed in the breach or, if the PHI involves only limited identifiers, whether the PHI can be re-identified based on context and other available information.
Who is the Unauthorized Person to Whom PHI Was Disclosed?
The recipient of impermissibly disclosed PHI is still relevant to the risk assessment. For example, if the recipient is another entity constrained by HIPAA Privacy and Security Rules, the Privacy Act of 1974, or other PHI privacy laws, the risk is lower. On the other hand, if the PHI is used by or disclosed to a wrongdoer, such as the notorious and conniving Swiper on Dora the Explorer, it’s more likely that the use or disclosure would constitute a breach. (Okay, we’ve been watching way too much TV with our kids, but you get the point.)
Was the PHI Actually Acquired or Viewed, or Simply Exposed to a Potential Breach?
Like the others, this factor is simply repackaged from the previous version of the breach notification rule. Covered entities must determine whether the PHI was actually acquired or viewed, or whether there was only an opportunity for the information to be acquired or viewed. For instance, if a laptop is lost or stolen and later recovered, and a forensic analysis shows that the PHI on it was never accessed, it is less likely that a breach has occurred.
To What Extent Was the Risk to the PHI Mitigated?
By quickly mitigating any risk to PHI that was improperly used or disclosed, covered entities and business associates may lower the risk that the use or disclosure will constitute a breach. For example, the covered entity may mitigate risk by having a recipient of impermissibly disclosed PHI provide assurances (e.g., a confidentiality agreement) that the PHI will be destroyed or will not be further used or disclosed.
The HHS discussion of the revised breach notification rule makes clear that the four factors cannot be analyzed in isolation, and HHS provided many examples of how analysis of the factors together may show increased or decreased risk that PHI was compromised. As an illustration, HHS noted that a covered entity may be more able to rely on reasonable assurances of employees, business associates, or other covered entities than it would on assurances provided by a patient who received a misdirected communication, combining the second and fourth factors to reach its risk probability conclusion.
Essentially, in defending a breach of privacy, covered entities and business associates must conduct a risk assessment that considers each one of the four factors, as applicable; however, HHS indicated that additional factors may also be considered where necessary. Ultimately, all available factors will be considered in determining the overall probability that the PHI has been compromised. In any event, HHS dictates that such risk assessments must be thorough, completed in good faith, and conclusions must be reasonable. If an evaluation of the factors fails to demonstrate a low probability that PHI has been compromised, notification is required.
Many of you may have read the four factors listed above and thought, “Haven’t I seen these before?” That may be because these factors were previously cited by HHS in providing guidance to the existing breach notification regulations. As a result, a risk assessment conducted under either the current regulations or under the Final Rule may result in the same determination as to whether an incident constitutes a reportable breach.
Of course, those who have taken a less conservative approach in the risk analysis process may experience a significant increase in their reportable breaches when vetted through the four factors; however, HHS appears to believe any general increases will be offset by a decrease in over-reporting of breaches under the current harm threshold standard. In its discussion of the impact of the Final Rule’s changes on breach notification costs, HHS observed that there may have been under-reporting of breaches under the current harm threshold standard, but it had also received breach notifications that were unnecessary. HHS further stated it does not believe removal of the harm standard will “have a significant effect on the number of breaches reported to HHS or on the number of individuals affected,” reasoning that certain types of incidents will almost always constitute a reportable breach under either standard, while the four-factor analysis should help limit future notifications to those that are actually necessary.
The ultimate impact on the number of reportable breaches under the Final Rule remains to be seen. What we do know is that all covered entities and business associates will need to revise their policies and procedures to incorporate the new risk assessment and other changes made by the Final Rule.
Imputing a Business Associate’s Discovery to the Covered Entity
The Final Rule also addresses the imputation of a business associate’s discovery of a breach onto the covered entity for purposes of commencing the notification time clock if the business associate is acting as an agent of the covered entity. The breach notification regulations indicated that the agency relationship would be determined by principles of federal common law. This left many us with unanswered questions. . . .
Fortunately, the Final Rule provided some further guidance on when a business associate is an agent of a covered entity, which depends on the covered entity’s authority to control the business associate’s conduct in performing a service. HHS also outlined several factors to assist in analyzing potential agency relationships — see our update on the Enforcement Rule for full details.
Other Provisions in the Final Rule
The Final Rule removes the exception to notification if the PHI at issue consists of a limited data set that excludes dates of birth and zip codes. However, the Final Rule retains the other exceptions to the definition of a breach and corresponding notification obligations, including the exceptions related to unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of the covered entity; the inadvertent disclosure of PHI by one authorized person to another, also authorized to access PHI at the same covered entity, business associate, or organized health care arrangement; and unauthorized disclosures in which the person receiving the information would not reasonably have been able to retain it. The timing requirements and the content of the notices also were not changed.
Just when you thought you understood the new Final Rule, there may be other laws to consider when handling a security breach. The Final Rule reiterates that it does not preempt all state breach notification laws; as a result, in addition to the breach notification obligations under the Final Rule, organizations will also need to check if there are any additional notification requirements under state breach laws. Moreover, for breaches involving credit or debit card data, organizations will also have to comply with the Payment Card Industry Data Security Standards (PCI-DSS) contractual breach reporting obligations. For breaches affecting non-U.S. operations or involving data received from or transmitted to other countries, organizations will also need to investigate whether international breach laws apply.
So What Exactly Should You Do?
First, if you’re not sure where you stand on the protection of your information, call us — nobody knows better than health care organizations that an ounce of prevention is worth a pound of cure. Beyond that, there are a number of steps you can take to protect yourself from the wrath of HIPAA:
- The most important thing your organization should do is implement strong security protections for PHI and other personally identifiable information.
- Implement encryption technology and password protection mechanisms.
- Evaluate your mobile devices, data destruction, and data transmission practices; and
- Generally review your security policies and procedures — the first step in avoiding a trap is knowing of its existence.
- Review vendor contracts.
- Be sure they adequately protect your information;
- Make sure your organization has some recourse in the even they do not, especially since your organization will have imputed liability for the actions of vendors who are agents.
- Evaluate and limit, to the extent possible, the type of information your organization receives, uses, discloses, and retains to only the minimum necessary amount of information that is needed — the less identifiable information your organization has, the lower risk of a security breach.
- Proactively develop a security incident response plan — assemble a breach team and review your breach notification policies and procedures to help guide your organization through handling breaches.
These proactive steps will help prevent breaches and reduce the stress of analyzing the myriad breach requirements, especially when breaches need to be handled under duress, in a short period of time. We also recommend having red wine or tequila (or both) on hand.