New HIPAA Rule Brings Changes to Breach Notification Rules

Updated on January 31, 2014

By Jessica Ellel, Esq.

On January 25, 2013, the Department of Health and Human Services (“HHS”) published its final modifications to the HIPAA Privacy, Security, and Enforcement Rules as mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. These final rules have been called the Final Omnibus Rule (the “Final Rule”). The Final Rule becomes effective on March 26, 2013, with a compliance deadline of September 23, 2013, to allow sufficient time for Covered Entities and Business Associates to come into compliance with most of the Final Rule’s provisions.

Although the Final Rule will require Covered Entities and Business Associates to make a number of changes to their privacy practices, policies and Business Associate Agreements, one of the most significant changes mandated by the Final Rule is the elimination of the Risk of Harm analysis for breach notification. By way of background, the HITECH Act marked the first time that Covered Entities were required to notify individuals when their protected health information (“PHI”) was the subject of a breach. Under the Interim Final Breach Notification Rule:

Entities are required to provide notice of breaches which resulted in unauthorized access to PHI where the breach posed a significant risk of financial, reputational or other harm to the affected individual;

Where a breach is discovered, the affected individuals must be notified of the breach within 60 days of discovery;

HHS must be notified annually of all breaches that occurred in the prior calendar year;

In the event that a breach affects more than 500 individuals, the local media and HHS must also be notified within 60 days of discovery.

Although the above requirements remain in effect, in response to concerns that the Risk of Harm analysis was too subjective, the Final Rule now requires notification any time there is a breach unless the Covered Entity or Business Associate can demonstrate only a “low probability” that the information has been compromised. Specifically, in accordance with the Final Rule, any acquisition, access, use and/or disclosure of PHI that is not permitted under the Privacy Rule is deemed to be a breach unless the Covered Entity or Business Associate can demonstrate, using a four-factor assessment, that there is a low probability that the affected PHI has been compromised. These four factors are: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the PHI was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

In addition to the four-factor analysis above, Covered Entities and, if applicable, Business Associates must also evaluate the overall probability that the PHI was compromised by considering all factors in combination, as well as any other relevant facts and circumstances surrounding the breach. The Final Rule also provides that a Covered Entity may choose to provide notification in all cases following an impermissible use or disclosure of PHI without performing a risk assessment to determine if notification is necessary.

The Final Rule also removed the exception under which an impermissible use or disclosure of PHI that met the definition of a limited data set, but excluded the individuals’ dates of birth and zip codes, was not considered a “breach” requiring notification. Under the new requirements, Covered Entities or Business Associates will now need to conduct a risk assessment to determine if the PHI in the limited data set has been compromised, even where the date of birth and zip code are excluded.

Lastly, the Final Rule requires that Covered Entities include in their Notice of Privacy Practices a statement of the right of an affected individual to be notified following a breach of unsecured PHI. Furthermore, Business Associate Agreements must now include provisions detailing how a Business Associate and Covered Entity will coordinate their response to a discovered breach of PHI.

Jessica Ellel, Esq. is a senior attorney at Houston Harbaugh, P.C. Ellel concentrates her practice in Health Law and Compliance for hospitals and physician practices. For more information, visit
