HIPAA Omnibus: Impact on Breach NoticesExperts Assess What the Final Rule Means
Revised breach notification guidance and new requirements for business associates are among the key provisions in the HIPAA omnibus final rule released Jan. 17, experts say (see: HIPAA Omnibus Rule Released).
The rule from the Department of Health and Human Services also officially increases penalties for failing to comply with HIPAA, as called for under the HITECH Act. Penalties, which are based on the level of negligence, now can go as high as $1.5 million per violation.
The final omnibus rule will be effective on March 26, but covered entities and business associates have until Sept. 23 to comply.
Breach Notification: Big Changes
The omnibus package removes the so-called "harm standard" in the interim final version of the breach notification rule and replaces it with clearer guidance about when a breach must be reported to authorities.
Under the harm standard, a decision on whether to notify federal authorities of a breach was tied to assessing the risk of financial, reputational or other harm to the individuals whose information was breached. But the new rule calls for covered entities, as well as business associates and their subcontractors, to use more objective standards in assessing the probability that the protected health information has been compromised, says Bob Chaput, CEO and founder of Clearwater Compliance, a consulting firm focused on HIPAA compliance.
The final rule says a risk assessment for determining the probability that PHI was compromised should consider at least four factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
In the final breach rule, HHS notes: "We have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised."
In explaining why the harm standard was replaced, HHS explains: "We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised."
Will Breach Reports Rise or Fall?
Deven McGraw, chair of the Privacy and Security Tiger Team of the HIT Policy Committee that advises federal regulators, says its too soon to tell for certain whether the new breach notification rule will result in an increase or decrease in breach notifications.
"The significant harm standard was too subjective," McGraw says. "Now it's much more logical. It gets rid of over-notification," says McGraw, who is also director of the health privacy project at the Center for Democracy and Technology, a consumer advocacy group.
"A lot of institutions were erring on the side of notification, assuming that if we had a theft of loss, it would cause harm," she says. "Instead of asking covered entities to make a judgment call on whether a breach would cause harm, the issue is whether PHI is likely to be compromised," she says. The revised breach notification rule offers "a set of factors to take into consideration" when determining whether breach notification is required, she adds.
Chaput says he's glad the harm standard was replaced because it required "too much of a judgment call." But while the new rule is less subjective - with the four factors to consider in the assessment - it also leaves wiggle room for covered entities and others determining whether a breach notification is required, he says. "Unfortunately I'm not sure if there will be a new set of hoops for people to play games," he adds.
Harry Rhodes, director of HIM solutions at the American Health Information Management Association, predicts that the new breach notification rule provisions will change the way covered entities and their business associates go about assessing breaches. "Instead of looking at whether there is old information on a lost tape that could cause individuals financial or reputational harm, the assessment would look at the likelihood that the information could even be accessed or whether it was found in a timely manner," he says.
The new standard will help clear up uncertainty regarding breach notifications for some organizations, says Kate Borten, president of the IT security consulting firm The Marblehead Group. "This is expected to aid compliance since many organizations were very unclear about the [interim] breach rule," she says. "For organizations that already 'get it,' the bottom line probably won't change in terms of what qualifies as a breach requiring notification.
Borten notes that the change in the breach notification guidance in the rule represents somewhat of a compromise because certain members of Congress wanted stricter language requiring virtually all breaches to be reported. "But it attempts to balance appropriate notice with overkill," she says.
As expected, the HIPAA omnibus rule finally makes it official: Many HIPAA security and privacy requirements apply to business associates and their subcontractors.
"When looking at the scope of organizations now covered by HIPAA, the big expansion is more likely to be in the new definition of business associate and the number of downstream subcontractors who will become subject to HIPAA regulations," Borten says.
The rule expands the definition of business associate to include, for example, organizations that provide data transmission services and have routine access to PHI.
Consultant Rebecca Herold, CEO of The Privacy Professor and partner at Compliance Helper, notes: "Now close to 1 million covered entities, and millions of their business associates, can stop hoping that they will not have any new actions to take with regard to safeguarding PHI and implementing all the accompanying controls and administrative actions necessary for compliance, and they can get down to actually doing them."
Herold adds: "It is very important that covered entities identify their business associates and then notify them that the new rules are here, and that they need to get into compliance. Most business associates will not take any actions unless their covered entities tell them they need to."
Clarifying business associate's responsibilities under HIPAA was an important move, Chaput says. "If covered entities thought they could outsource responsibility to their business associates, and the business associates thought they could outsource that to subcontractors, they're wrong," he says. "Business associates and subcontractors are now obligated to comply."
Another significant change in the final rule is related to the use or disclosure of PHI for future research, says Adam Greene, a partner at the law firm Davis Wright Tremaine LLP and former official at HHS' Office for Civil Rights.
Modifications in the final rule allow individuals to provide authorization for their PHI to be used or disclosed in future research. That means research authorizations don't have to be tied to a specific study. "This is a change welcomed by researchers," he says.