Next, let’s say that if they’re a hospital, hospitals and medical providers should be aware that one big change that came via the HITECH Act, and one that maybe most CIOs are not aware of, is that the individual has the right to request a restriction on the disclosure of any medical service for which they’ve paid out of pocket. And this can cause problems sometimes, because the hospital doesn’t really let the individual know that if they pay out of pocket, the insurance company can probably still determine from additional tests that are made what the diagnosis was. So they may have to pay for an entire panel of tests, and they may want to restrict every test. They don’t realize it doesn’t apply to follow-up tests. And let’s say there’s an electronic prescription; that diagnosis could be released to the pharmacy, and they probably need to go to the pharmacy first and get it restricted there first. And if a patient asks for a restriction, that has to take place at the outset.
What is the most difficult element of this, when attorneys are called in to address a breach that has occurred?
Probably the most difficult element is the forensics of this. For instance, maybe you had 40 laptops that were stolen from a facility, and they all had protected health information on them. Let’s say you recover those laptops, but they’ve been in someone’s possession for a while. And maybe they didn’t yet get out of the building, but you have to figure out whether someone looked at the PHI. In many cases, you can prove that nobody looked at them, and then you don’t have to give any notice of breach. So it’s worth engaging a computer forensics expert, in that case. Now, you must actually document this information. So the lack of documentation is the biggest problem from the legal point of view, I find. If the CIO wants to protect the hospital or provider, they need to have a process in place for documenting what has occurred. It’s easy to say the information wasn’t compromised, but if you can’t prove it, you’re still going to have to give notice of breach.
Another thing that is difficult sometimes is that vendors of personal health records are now responsible for reporting security breaches, and I think a lot of CIOs may not know that. So the vendor of personal health records may not be a covered entity; and since they’re not a covered entity, they’ll report any breach to the Federal Trade Commission; that is an element of the HITECH Act now in effect under the Final Omnibus Rule.
But you, the provider, would have to report it to HHS?
Here’s the thing: these hospitals may have personal health records that are actually distributed to patients. So if they’ve outsourced that to a vendor, the vendor would have to report it to the FTC [Federal Trade Commission]; but if the vendor is distributing it on behalf of the hospital, then the vendor is a business associate of the hospital, and the hospital would have to report to HHS, and the vendor would have to report it to the hospital or clearinghouse. But there is independent liability on the part of the vendor for notice of breach.
That’s why I think it’s very important, when you draft these business associate agreements, that the CIO read them and see who will pay for these breaches if they do occur.
It seems that the number of breaches is growing significantly.
Oh yes, it’s dreadful. That’s why encryption is so important. And federal officials are very open about the fact that these heavy penalties are intended to promote encryption. And they don’t refer to any specific type of encryption; they do refer to the NIST [National Institute of Standards and Technology] standard.