HHS Official Explains HIPAA Omnibus

OCR's Susan McAndrew on Breach Reporting, Other Details

The HIPAA Omnibus Rule places greater responsibility on business associates to safeguard patient information, says Susan McAndrew of the HHS Office for Civil Rights.

"A major change is that we now are going to be able to extend the protection to the information not just when it's in the hands of the covered entity, but whenever that covered entity hires another company," McAndrew says in an interview with Information Security Media Group (transcript below).

And that protection continues down to subcontractors of the business associates, she explains.

"Under the omnibus, and as a result of statutory changes in the [HITECH Act], business associates for the first time will have some absolute obligations for how they can use and disclose protected health information that they have on behalf of the covered entity," McAndrew says.

Business associates can now be held accountable for any misuse or failure to safeguard patient information, she stresses.

As always under HIPAA, McAndrew explains, covered entities need to have a business associate agreement in place with their vendors that describes safeguards for patient information. "What has changed is that when these contractual arrangements are entered into, they now need to pay particular attention to the spelling out for the business associate of what exactly are the uses and disclosures of this PHI that they will have," McAndrew says.

Additionally, if information being handled by business associates is in electronic form, the adequacy of the safeguards the vendors are employing will be measured by the HIPAA Security Rule, McAndrew explains, "which is the same set of standards that we measure safeguards at the covered entity itself."

In the interview, McAndrew also discusses how the HIPAA Omnibus Rule:

  • Gives individuals the right to obtain a copy of their electronic records;
  • Enables a patient to request that information about treatment they paid for out of pocket not be sent to their insurer;
  • Prohibits covered entities from selling patient information, such as for marketing, without patient authorization;
  • Makes it easier for patients to stop fundraising communications from health entities;
  • Expands capacity for HIPAA enforcement activities.

As the HHS Office for Civil Rights' deputy director, McAndrew has responsibility for implementing and enforcing the HIPAA Privacy Rule, which she helped develop. She has more than 20 years of federal government experience. Before joining HHS, she practiced law in the District of Columbia.

HIPAA Omnibus Rule

MARIANNE KOLBASUK MCGEE: Briefly give us a framework of the major provisions in the HIPAA Omnibus Rule. What are the major components?

SUSAN MCANDREW: The omnibus rule actually combines a number of rulemakings, most of them based on statutory authority that we had gotten in the past couple of years. There's really a lot in the omnibus final rule that's going to be good for consumers of healthcare in the way that it strengthens the protections that are available for their private medical information. And it's really going to help the consumer in many ways to better control how their information is used and to become more active in controlling and being involved in their own care.

The rule does this in a variety of ways. Importantly, it now gives individuals the right to get their information from their electronic medical records in electronic form. I think this is going to pave the way for the growth of individuals having access to their information electronically so that they can go on their home computer at any time in the day and call up their medical records and get them in real time. I think it's going to be really something that the consumer is going to be thrilled about.

It also gives individuals the right to tell their healthcare providers not to send certain information to their health insurance companies when they have already paid for those services in cash with the provider. This gives them additional control to keep some of their treatment information confidential, and that gets shared with their insurance company only when the insurance company is actually going to be asked to pay for that service.

A major change is that we now are going to be able to extend the protection to the information not just when it's in the hands of the covered entity, but whenever that covered entity hires another company to do some part of the work for them. We call these entities business associates. The information will now be protected in the hands of the business associate in the same way it is with the covered entity. That would continue to flow if that business associate also contracts out part of those services. It establishes this chain of protection for the information, and those protections aren't lost simply because the covered entity has hired someone to do part of the work.

There's a new prohibition on the sale of protected health information. Now individuals have the choice. They get to authorize the covered entity to sell the information. If they don't want their information sold, they just don't authorize it and then the covered entity can't do it. Also, there are stricter limits now on when the covered entity can use the individual's information to market the goods and services of a third party. Whenever they're being paid by that third party to send those kinds of communications, the covered entity can only do so if they get the authorization from the individual to say that they want to receive those kinds of materials.

Finally, the rule makes it easier for individuals to put a stop to getting fundraising communications from a healthcare provider. When they say they don't want this information anymore, then the covered entity is obliged to cease sending these kinds of communications to the individual. We also, through this legislation and these new regulations, have expanded capacity to enforce these rules and to make these new rights for individuals very real for them. We're looking forward to the opportunities that will be presented to consumers when this new rule goes into effect.

Breach Reporting Requirements

MCGEE: The final version of the HIPAA breach notification rule removes the harm standard that was included in the interim final rule and replaces it with a more specific guidance about when to report a breach. Could you please compare and contrast what the original rule said about making a decision to report a breach versus what the final version says? Please explain why the change was needed.

MCANDREW: The original rule [was] used as a threshold for when the individual needed to be notified that a breach had occurred, and a breach is when the covered entity or its business associate has lost control of the PHI [protected health information]. There's been a disclosure of it in some manner that's not permitted by the rule. What we originally asked the covered entity to consider when the breach occurred was whether or not there was a significant risk of harm, and that could be reputational, financial or any other kind of harm to the individual. And if the breach and the loss of this information created such a risk for the individual, then the individual needed to be notified.

There was a lot of comment that we received that it was difficult for covered entities really to assess individual by individual what kind of risk was being posed, that some individuals may be more vulnerable than others; and particularly in things like reputational harm, it was very difficult for them to know, and it was considered to be too subjective.

In the final rule we have replaced ... what has become known as the harm standard with a more objective way to measure when a breach creates a situation of significant risk such that notification to the individual is warranted. What we ask the entity to consider is: Is it likely that the breach will result in the information itself, the data that was lost, being compromised in some way? Then we spelled out some particular factors which go to the nature and extent of the protected health information that was involved in the loss, in particular focusing on what types of identifiers were in that data and therefore how likely it is that someone who obtained the data in an impermissible way could re-identify that information and use it for some bad purpose.

We also asked them to consider who the unauthorized person was who obtained this data through the breach. Sometimes that's known. Sometimes, for instance in a hacking situation, you don't know exactly who the hacker was. But you can presume some malicious intent just from the hacking itself. Other times it may be more benign in that the information may just have been misdirected to a wrong individual, and that may not pose the same kind of risk that the theft or a hacking situation would.

We do ask them to consider whether or not it's likely that the information has actually been acquired or viewed again in some intrusion situations. Or even sometimes when there's been theft of a laptop and you do recover that laptop, you can do a forensic analysis to determine whether or not, as a result of that incident, any information was actually accessed.

Then finally, we ask them to consider the extent to which there's been some mitigation of the risk that the original breach caused. That can be something like recovery of the laptop, some limitation on how long a website portal may have been unsecure. If there's been some mitigation in place, that may also lower the risk.

In the end, once they consider all these factors - and this is not an exclusive list, so there may be other factors that the situation itself would make sense to consider - after all of this is looked at, the entity has to notify, unless they can say through an analysis of these factors that there's only a low probability that the protected health information that was lost will be compromised as a result of that loss.

MCGEE: What's your feeling in terms of whether there will be more or fewer breaches being reported under the new rule?

MCANDREW: I think there may be marginally more breaches reported. I do think, by and large, from the breaches that we have been seeing reported, there are occasionally incidents that we do not think, even under the old standard, would have posed a risk worthy of notifying individuals. We're hoping that through these more objective standards and assessment, that entities will be able on a more uniform basis to come to a determination about whether or not notification is necessary. It's not so much whether we're expecting more or fewer reports so much as trying to achieve more uniformity in what gets reported.

Impact on Business Associates

MCGEE: Could you please explain how the omnibus rule impacts business associates and subcontractors? How has the definition of business associates broadened? How have their responsibilities changed under HIPAA?

MCANDREW: Under the omnibus and as a result of statutory changes in the Health Information Technology for Economic and Clinical Health Act, better known as HITECH Act, business associates for the first time will have some absolute obligations for how they can use and disclose the protected health information that they have on behalf of the covered entity; and if that information is electronic, the standards by which they must secure the information.

The change that was made really is in raising the bar for business associates in complying with what are essentially contractual requirements that they have today. It's not so much that those actual obligations have changed. It's just that under the HITECH Act, business associates can now be called to account for any misuse or failure to safeguard this information. Currently, covered entities that want to engage a business associate are required to have in place a business associate agreement that covers the obligations of the business associate with respect to the protected health information that they will get in the course of this work. It also basically requires the business associate to assure the covered entity that the protected health information in its possession, in the business associate's hands, will be adequately safeguarded.

What has changed is that when these contractual arrangements are entered into, they now need to pay particular attention to the spelling out for the business associate of what exactly are the uses and disclosures of this protected health information that they will have. The covered entity should be limiting the permissions to keep the uses and disclosures of that information within scope of what the business associate is doing for the covered entity.

For instance, if they're hiring someone to manage their billing function, they can define in the contract what information the covered entity will get in order to manage the bills and what they can do with that information in order to execute the bill and the payment structure. Much of that means that the business associate has no need for much clinical data, and certainly not total access to the medical record - which is going on the clinical side of the house. They wouldn't normally get the full panoply of uses and disclosures that the covered entity gets; it would be something structured to just that piece of business that the business associate is doing.

Then, if the business associate does something outside the scope of that contract and something that would violate the privacy rule, the business associate stands liable [and] OCR can now come in and investigate a complaint. Or, if we get a breach notification of something that happened at the business associate, we can directly investigate the business associate. And if they have violated the rule - and in this case it might be a use that's outside the contract - then the business associate could face penalties the same way the covered entity does.

More importantly, with regard to their general assurance of safeguards, if the information is in electronic form - which it will increasingly be - then the adequacy of the safeguards for that information will be measured at the business associate by the HIPAA security rule, which is the same set of standards that we measure safeguards at the covered entity itself. It assures that those same standards spelled out in the security rules are in place at the business associate. This holds true if the business associate then, in turn, contracts with others for some part of the business. Not only the limitation on uses and disclosures and the need to comply with the security rules flow downstream to those subcontractors, but the liability for any failures or violations of the contracts also puts the subcontractors in that same kind of jeopardy. They have an additional incentive to abide by the requirements in the same way the covered entity has to protect and keep confidential this information.

Enforcing the Rule

MCGEE: Could you please tell us when the new rule takes effect and when those affected by the new rule must comply? Does that mean that OCR won't enforce the rule until the compliance date?

MCANDREW: The new rule actually [was] published January 25. It becomes effective 60 days later, so March 26 is the effective date for these requirements. We do allow covered entities a reasonable amount of time to ensure that their policies and procedures are changed to reflect the new rule and they have their training in place with their employees. We give them six months to work through those compliance issues, and that would mean that we would really for the first time be measuring compliance Sept. 23, 2013.

That's not to say that entities can't begin to implement these requirements any time after the effective date, and we do expect some covered entities to start doing so right away. But we do allow them a grace period in order to make sure that when we make these kinds of changes, they can be implemented in the right way.

Officially, to the extent it's a new requirement, we will not begin enforcing or issuing penalties for any failure to comply until after the compliance date has passed, but that doesn't mean that we won't be continuing to do enforcement actions as we have in the past. There are plenty of privacy requirements that are in place and that have not changed, and we will continue to enforce those - for instance, our current marketing requirements. It's just the new portion of that - the new marketing rules - that we would probably not enforce until after the compliance date has passed.

MCGEE: If a breach were to occur right now, would that breach be investigated under the interim final breach notification rule or the final rule in the omnibus package?

MCANDREW: It really would depend on what the covered entity had in place at the time of the breach. As I said, if they went ahead and implemented the change from the harm standard to the new standard, then we would investigate that breach under whatever standard they used. ... If they were still using the standard in the interim final rule, we would not say that they were out of compliance simply because they were not using the more objective standard. In general though, I think it's more important that the underlying causes of the breach, the actual loss of the information or the impermissible disclosure that caused the breach, those standards are not really affected by what we're doing in the omnibus rule. We would be fully able to look at the "whys" and "hows" at the covered entity or the business associate where the loss occurred [and] take action based on the loss itself.

Tips to Prepare for Compliance

MCGEE: What's your advice on the key steps that covered entities, business associates and subcontractors should be taking now to prepare for compliance?

MCANDREW: I think they need to be reviewing their current contracts. They will have some additional time. We're actually giving them until September of 2014 to do whatever contractual revisions are necessary, but they really should start now, and many have actually started, long before the omnibus rule was made public, to look at their contracting relationships, to make sure that the contracts are clear enough about what the business associate can and cannot do with the information. The business associate needs to be looking at how they're safeguarding, what their assurances of safeguards were based on, and measuring those against the security rule requirement. If they need to be upgraded, begin working on how to get those better protections in place.

[Make] sure that everyone understands what the new obligations are about. I think, in particular, the requirements are now going to be much more formalized between the business associate and subcontractors, and the subcontractors for the first time may be facing more accountability for how they're using and disclosing information. They really need to be aware. We had always required the limitation to be passed on down from a business associate to its subcontractors, but we recognize that this may be much more new territory for the subcontractor than it should be for the business associate itself. They now need to be totally aware of how they're getting protected health information, what it is they can do with it and cannot do with it, and if it's electronic, how they're going to implement the requirements of the security rule.

MCGEE: Lastly, can you provide any insight into why it took so long for this final rule to be released?

MCANDREW: I think the important thing is that the rule is about to be published in final form, and I think we really need to keep our eyes on the prize and keep moving forward with the implementation of this rule so that these new rights become a reality for the consumer. We're really excited that we're about to begin that part of the journey.
