February 25, 2013
Practice Group: Health Care

HIPAA’s New Rules: Expanding Scope, Clarifying Uncertainties, and Reinforcing Fundamentals
Breaches of Unsecured Protected Health Information

By Patricia C. Shea

On January 25, 2013, the Secretary for the United States Department of Health and Human Services, Office for Civil Rights (the “Department”) officially published the long-awaited final regulations (the “Final Rule”) implementing extensive and sweeping changes to the regulations for the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Final Rule increases compliance obligations for covered entities and business associates regarding when, how, why, and in some cases “if” they may receive, maintain, transmit, create, use or disclose the health information HIPAA protects. Quite simply, the Final Rule significantly affects all covered entities and business associates.

This is the second alert in a series that discusses significant changes to HIPAA compliance obligations. It discusses how the Final Rule has changed the analysis for determining whether a breach of unsecured protected health information has occurred. Future alerts will address changes to requirements for notices of privacy practices, marketing and sales of protected health information, and access rights for individuals, as well as enforcement and the impact of the Final Rule on research. Covered entities and business associates should consult with their legal counsel to determine the extent of the impact the Final Rule has with respect to them.

Important Dates

The Final Rule is effective on March 26, 2013, but compliance with the new provisions will not be enforced until September 23, 2013.[1]

Breaches of Unsecured Protected Health Information: No More Harm Threshold

In February 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), included as a part of the Affordable Care Act. The HITECH Act made material modifications to HIPAA, including requiring covered entities (i.e., health care providers, health care clearinghouses, and health plans) to notify individuals of breaches of their protected health information in certain situations. Later that year, the Department issued interim regulations to implement the breach notification requirements (called the “Breach Notification Rule”). From the start, the Breach Notification Rule was controversial because it modified the definition of “breach” in the HITECH Act to include a harm threshold.

BEFORE THE FINAL RULE: The concept of “unsecured” protected health information was introduced in 2009 with the HITECH Act, as was the requirement for notification of breaches of unsecured protected health information. The HITECH Act defines “unsecured” protected health information as protected health information that is not secured in a manner specified by the Department.[2] The HITECH Act requires covered entities to notify each individual in cases where his unsecured protected health information has, or is believed to have, been accessed, acquired, or disclosed as a result of a breach.[3] “Breach” was defined generally as an “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information …”[4] The interim final rule implementing the notification requirements further defined “compromises the security or privacy of protected health information” to mean “pose a significant risk of financial, reputational, or other harm.”[5] By defining the phrase in this manner, it was unclear whether an entity could presume no breach occurred unless facts otherwise suggested that individuals who were the subject of the protected health information would be harmed.[6] The Department received significant opposition to the introduction of a harm threshold from, among others, members of Congress and consumer advocacy groups, who viewed it as far too subjective.[7]

Under the Breach Notification Rule, a breach was not presumed. To the contrary, if unsecured protected health information was acquired or accessed inappropriately, there was no breach unless the covered entity or business associate made a finding that there was a threat of financial, reputational, or other harm to the individual whose information was obtained or disclosed. Depending on the circumstances, it was very plausible that a covered entity or business associate could find that no harm existed and therefore no breach. If there was a finding of no breach, then the notification requirements in the Breach Notification Rule did not apply.

The Final Rule eliminates the harm threshold and replaces it with a focus on whether the protected health information itself has been compromised.[8] The Final Rule explains that a breach is presumed unless there is a low probability that the protected health information has been compromised.[9] The Final Rule does not define “compromise” per se but identifies the following factors as those that, at a minimum, must be evaluated when making a determination of whether there is a “low probability” that the information has been compromised:[10]

• The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the protected health information or to whom the disclosure was made;
• Whether the protected health information was actually acquired or viewed; and
• The extent to which the risk to the protected health information has been mitigated.

All assessments of whether there is a low probability that the protected health information has been compromised must be documented and retained in order to meet the burden of proof requirements in the Breach Notification Rule.[11] Additionally, the Department “expect[s] these risk assessments [will] be thorough, completed in good faith, and for the conclusions reached to be reasonable.”[12] The Department plans to “issue additional guidance to aid covered entities and business associates in performing risk assessments with respect to frequently occurring scenarios.”[13]

Now, a breach of unsecured protected health information automatically triggers the notification obligations in the Breach Notification Rule unless you can objectively determine and document a low probability of compromise to the protected health information that was breached. These notification obligations can be costly. First, because the Breach Notification Rule requires individual notice to all affected individuals, the costs of preparing and mailing such notifications can be expensive. If 500 or more individuals are affected by the breach, notice must also be provided to prominent local media outlets. The repercussions of the notification itself can also be significant in both time and money, since the notification frequently causes concerned individuals to contact the entity reporting the breach to learn more. Responding to these inquiries requires establishing a toll-free number and staffing it with individuals who are trained to respond. Often, the entity responsible for the breach incurs additional expense related to credit monitoring services for affected individuals. All of these costs take a toll on the reputation and resources of the entity, and in addition there are the costs associated with notifying the Secretary of Health and Human Services. Any breach of unsecured protected health information must be reported to the Department. If the breach involves more than 500 individuals, it must be reported immediately rather than annually. The Department will investigate the breach and, depending on the circumstances, the entity that experienced the breach may incur fines for violations of HIPAA requirements.

The modification to the analysis of a breach of unsecured protected health information is designed to eliminate subjectivity and may make it easier to conclude that a breach occurred than under the previous analysis. The Final Rule shifts the focus from harm to the individual to the likelihood that the information has been compromised. It may mean that covered entities are more likely to conclude that a breach has occurred than under the previous harm threshold analysis. Covered entities and business associates should update their policies and procedures accordingly.

Putting it All Together

The Final Rule has materially changed the way covered entities and business associates will operate going forward with respect to HIPAA compliance generally and the evaluation of breaches of unsecured protected health information specifically. Privacy and Security Officers should work with legal counsel to review policies and procedures related to breaches of unsecured protected health information and update them to reflect the new standard for determining whether a breach of unsecured protected health information has occurred under HIPAA. Members of the workforce should also receive training on the new standard.

Author:
Patricia C. Shea
patricia.shea@klgates.com
+1.717.231.5870

Notes

1 See 78 Fed. Reg. 5566, 5669 (Jan. 25, 2013) (hereinafter the “Final Rule”). The Final Rule also “make[s] clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules.” Id.; see also id. at 5689 (to be codified at 45 CFR § 160.105).
2 42 U.S.C. § 17932(h).
3 Id. at § 17932(a).
4 Id. at § 17921(1) (emphasis added). The definition includes three exceptions not applicable to this discussion.
5 45 CFR 164.402.
6 Final Rule at 5641.
7 Id. at 5641, 5642.
8 Id. at 5641.
9 Id. at 5695 (to be codified at 45 CFR 164.402(2)).
10 Id. at 5641-5643. “We emphasize … that a covered entity must evaluate all factors … before making a determination about the probability of risk that the protected health information has been compromised.” Id. at 5643.
11 45 CFR 164.414(b).
12 Final Rule at 5643. “We do note, however, that a covered entity or business associate has the discretion to provide the required notifications following an impermissible use or disclosure of protected health information without performing a risk assessment.” Id.
13 Id.

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

©2013 K&L Gates LLP. All Rights Reserved.