When the final HIPAA Omnibus Rule was published on Jan. 17, my first impression was that the biggest change from the interim rule involved breach notification. Previously, in the case of a breach, covered entities were supposed to determine whether the breach caused “significant risk of financial, reputational, or other harm to an individual.” If not, the person did not have to be informed. In the final rule HHS reversed course to say that providers should basically assume that any impermissible disclosure is a breach requiring notification unless they can demonstrate that there is a low probability that protected health information was disclosed — for instance, in the case of a fax sent to the wrong doctor’s office.
Since then, I have attended a Jan. 25 American Bar Association webinar, “Cutting Through the HIPAA Hype: What You Need to Know About the HITECH Act” and interviewed Deborah Wolf, an executive advisor to Booz Allen Hamilton in cyber health privacy. I don’t think that what I heard changed my initial impression of the most important change, but I did get a more complete and nuanced view of how significant some of the provisions could be for individual patients, providers, business associates and subcontractors.
Sue McAndrew, deputy director of the Office for Civil Rights in the U.S. Department of Health & Human Services, led off the ABA webinar by reminding listeners that the rule goes into effect on March 26, 2013, and covered entities and business associates will have until Sept. 23, 2013, to comply with the new regulations. “We are happy to have the rule out and able to get on with the implementation of requirements,” she said. “The core provisions put into place a lot of changes that improve rights for individuals under the HIPAA privacy rule.”
McAndrew said the expanded right of access, which ensures that individuals can get a copy of electronic health information in electronic form or have it sent directly to a designated third party, lays the groundwork for individuals to be more involved in managing their health information electronically. Regarding genetic information, the rule requires that genetic information be treated as protected health information. It prohibits health plans from using or disclosing genetic information for underwriting purposes and prohibits discrimination in provision of health insurance based on genetic information.
Changes in Breach Notification
Regarding the changes in breach notification, Kirk J. Nahra, a partner at Washington, D.C., law firm Wiley Rein LLP, said that basically the change in regulation reflects what providers have been doing in practice. That is, the presumption has been that notification is required unless they demonstrate low probability that protected health information has been compromised. This clarifies that you have that obligation unless you can document low probability after conducting a risk assessment.
That risk assessment might look at:
• The nature and extent of the protected health information involved, including types of identifiers and likelihood of re-identification.
• The unauthorized person who used the protected health information or to whom the disclosure was made. (Sending information to the wrong doctor is different from sending it to a stranger or a newspaper.)
• Whether the protected health information was actually acquired or viewed.
• The extent to which the risk to the protected health information has been mitigated.
Nahra noted that the current rule is in effect until Sept. 23, 2013. He encouraged listeners to evaluate any potential breach under both standards, and spend some time figuring out if any results are different, but to think twice before deciding not to notify patients.
New for Business Associates
With the new rule, the definition of who is a business associate of a provider has expanded to include health information organizations, e-prescribing gateways, and PHR vendors that provide services to covered entities. These business associates of providers must comply with the technical, administrative, and physical safeguard requirements under the Security Rule and are liable for Security Rule violations.
The rule reflects a new, post-HITECH Act reality that business associates are directly regulated by the Office for Civil Rights, said W. Andrew Gant III, a partner in the Washington, D.C., law firm Cooley LLP. “As a practical matter, the new reality is that government can come after business associates as well as covered entities.”
Also, subcontractors of a business associate are now defined as business associates themselves, clarifying that liability flows to all subcontractors. “This is a big issue,” Gant added. Many business associates use subcontractors that are small entities that are not primarily in the healthcare industry and that don’t want the obligation that compliance entails, he said.
Also important to understand is the exception for “conduits” of protected health information. The exception is limited to transmission services, including any temporary storage of transmitted data. However, as Gant explained, an entity that maintains PHI on behalf of a covered entity (e.g., a document storage company) is a business associate and not a conduit, even if the entity does not actually view the PHI. The transient versus persistent nature of opportunity to view data is relevant.