Loss of HIPAA Breach Notice Threshold, New Business Associate Rules Pose Challenges

From: Bloomberg/BNA

The elimination of a risk of harm threshold for when breach notice is required under the Health Insurance Portability and Accountability Act, announced with the Jan. 25 publication of the long-anticipated final omnibus HIPAA rule (78 Fed. Reg. 5565, 1/25/13), is perhaps the most significant change from interim final rules implementing the 2009 Health Information Technology for Economic and Clinical Health Act, attorneys recently told BNA.

The breach notice change “likely will not have a significant impact on the situations in which notice is provided,” Kirk Nahra, partner at Wiley Rein LLP, Washington, told BNA Jan. 23.

In addition, the omnibus rule’s broad requirements for business associates and their contractors that do business with health care companies to comply with many of the HIPAA Privacy Rule, Security Rule, and Data Breach Rule obligations will be an ongoing challenge, attorneys and others said.

The omnibus rule also made modifications to the Privacy Rule as required in the Genetic Information Nondiscrimination Act.

The experts said the breadth of the Department of Health and Human Services omnibus rule alone was a significant development, even though covered entities and business associates have already been required to comply with most of the provisions because they were set forth in previously published interim final rules.

Covered entities and business associates have until Sept. 23 to comply with most provisions. In the case of existing business associate agreements, covered entities have until September 2014 to make changes.

“The big news is that the starting gun is sounded now, and business associates will be scrambling to get into compliance by September this year,” Reece Hirsch, a partner with Morgan, Lewis & Bockius LLP, in San Francisco, told BNA Jan. 18.

“That’s a big shift in the regulatory landscape. We’ve seen it coming, but the clock is ticking.”

Lisa J. Sotto, a partner at Hunton & Williams LLP, in New York City, called the enormity of the regulations a significant administrative burden for covered entities and business associates to absorb.

In addition to finalizing changes to the HIPAA Privacy Rule, Security Rule, and Data Breach Rule, the omnibus rule finalized changes to the HIPAA Enforcement Rule (see related report in this issue).

Risk of Harm Threshold Lowered

Hirsch and Sotto agreed that removal of the risk of significant harm standard that was present in the interim final breach notification rule is highly significant.

Under the interim final rule, which was made public in August 2009 (8 PVLR 1227, 8/24/09), covered entities were required to conduct an assessment of whether the risk of financial, reputational, or other harm to an individual or individuals was insignificant. If so, no breach notification was required.

Also in August 2009, the Federal Trade Commission issued parallel breach notification regulations for personal health record vendors and others not covered by HIPAA that did not contain a risk of harm standard.

In its comments on the final omnibus rule, HHS said that although a majority of public comments on the HHS Data Breach Rule supported the risk of harm standard, some raised concerns that the standard was too subjective and gave covered entities, in some instances, too much latitude to avoid notification.

Some members of Congress told HHS that including a risk of harm standard was contrary to congressional intent expressed in the HITECH Act (8 PVLR 1524, 10/26/09).

Just as HHS was nearing completion of the Data Breach Rule, it withdrew the rule from the pre-release Office of Management and Budget approval process (9 PVLR 1120, 8/2/10).

HHS eventually added the Data Breach Rule to the omnibus package and replaced the risk of significant harm standard with a provision in the final omnibus rule that requires covered entities and business associates to notify individuals of a breach unless a risk assessment determines a “low probability” that the breached data were compromised.

OCR also described four factors that risk assessments must consider:

• the nature and extent of the protected health information (PHI) involved, including the likelihood data could be reidentified;

• the unauthorized person who used the PHI or to whom an improper disclosure was made;

• whether the PHI was actually acquired or viewed; and

• the extent to which the risk to the PHI was mitigated.


Hirsch said the new standard is more concrete and leaves less wiggle room for when a notification must be made.

“HHS was concerned there were some who were abusing the latitude [in the interim rule],” he explained.

Hirsch described the shift as a “big change, but not a radical departure,” from the interim rule, adding that the ultimate determination for notifications under the interim and now final rules was always meant to be based on a risk assessment.

However, Sotto said the shift to the presumption that a breach has occurred unless there is a demonstration of low probability of compromised PHI poses a “significant administrative burden” for covered entities and business associates.

“It’s a dramatic shift away from [the focus on] injury to the individual,” she said.

The significance, she explained, is that HHS is now requiring a formal risk assessment for breach notifications even if an entity does not believe a breach rises to a notifiable event.

“While removing the risk threshold, HHS also clearly and explicitly recognized that the HITECH law does not require notification any time a breach possibility exists, and correctly flags the negatives, both in costs to covered entities and unfounded concerns for individuals, from notification without a purpose,” Nahra said.

Under the lower risk of harm standard “it is likely that most breaches will end up with the same result–notification to individuals where there is a good reason to think that some kind of reasonable harm can come to the individual from the particular situation,” he said.
