The final HIPAA Omnibus Rule, delayed for almost a year, was finally released on Jan. 17.
The rule actually combines four separate rulemakings, including the changes to HIPAA privacy and security rules required under the HITECH Act; data breach enforcement and penalty requirements; regulations related to the HITECH Act's breach notification rule; and changes to HIPAA to incorporate the Genetic Information Nondiscrimination Act.
The document is 563 pages long. Compliance officers, attorneys and privacy experts will be poring over it for the next several weeks to analyze its likely impact. But I zeroed in on one thing that had been problematic for Health & Human Services all along: the definition of a data breach and the risk assessment approach required. And HHS did indeed make a big change from the interim rule. Initially HHS had established a harm standard that a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to an individual." In the event of a breach, HHS' rule requires HIPAA-covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the health providers are not required to tell their patients that their health information was breached. This approach was widely criticized as a “fox guarding the henhouse” approach.
Well, in the final rule HHS reversed course to say that providers should basically assume that any impermissible disclosure is a breach requiring notification unless they can demonstrate that there is a low probability that protected health information was disclosed. That is a big difference! Here is the relevant passage:
“We recognize that the language used in the interim final rule and its preamble could be construed and implemented in manners we had not intended….We have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the definition of breach applies).
HHS has modified the risk assessment to focus on the risk that the PHI has been compromised. Thus, breach notification is not required under the final rule if a provider demonstrates through a risk assessment that there is a low probability that the PHI has been compromised, rather than having to demonstrate that there is no significant risk of harm to the individual, as was provided under the interim final rule.
As I said, this is just one aspect of the lengthy document. The final rule deals with many other aspects of privacy and security, including:
- Require modifications to, and redistribution of, a covered entity's notice of privacy practices;
- Modify individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to decedent information by family members or others;
- Enhance the enforcement rule, adding provisions addressing enforcement of noncompliance with the HIPAA rules due to willful neglect and incorporating the increased and tiered civil money penalty structure required under the HITECH Act.
I will check in with health IT privacy and security experts once they have had a chance to digest it and report back on what they think of the final rule.