Omnibus HIPAA Package ProgressesHIPAA Modifications, Final Breach Rule Move Forward
Susan McAndrew of the HHS Office for Civil Rights has provided insights about an omnibus package of regulations - including a revised version of the HIPAA breach notification rule - that's now in the final stages of review.
The final version of the breach notification rule will include clarification of how to determine whether a breach must be reported to federal authorities, says McAndrew, OCR's deputy director of health information privacy. The interim final version of the breach rule, now in effect, contains a controversial harm standard that requires healthcare organizations to conduct a risk assessment to determine if a breach represents a significant risk of harm and thus must be reported.
"We are hopeful that the standards [in the final rule] will be sufficiently clear for how to determine if a breach is reportable, McAndrew says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below). "We're working on some additional guidance which will help entities, particularly smaller entities that may encounter breaches, to help them identify what the proper steps are to a risk assessment."
After a lengthy delay, HHS submitted the package of regulations, including a final version of extensive HIPAA modifications, which have been pending since 2010, to the Office of Management and Budget on March 24. OMB reviews regulations as the last step before they're published.
OMB is likely to complete its review within 90 days, paving the way for publishing the regulations in the Federal Register, McAndrew says.
In the interview, McAndrew also points out:
- In addition to the final version of the breach notification rule, the omnibus package includes modifications to the Health Insurance Portability and Accountability Act's privacy, security and enforcement rules, as required under the HITECH Act. Those include, for example, applying many security and privacy provisions to business associates as well as their subcontractors.
- The omnibus package also will include a measure spelling out that using genetic information for insurance underwriting purposes is a privacy violation as well as discriminatory under the Genetic Information Non-Discrimination Act.
- OCR soon will issue guidance on how to de-identify protected health information for use in research;
- The office also will offer model contract language for business associates at the same time the omnibus package is released. It will also provide guidance on what constitutes "minimum necessary" patient data. The HITECH Act specifies that healthcare organizations should limit uses and disclosures of protected health information to the "minimum necessary" to conduct a particular function.
- In the months ahead, OCR likely will announce other post-breach settlements, with financial penalties, along the lines of its recent settlement with BlueCross BlueShield of Tennessee regarding a breach that affected more than 1 million individuals.
As the HHS Office for Civil Rights' deputy director, McAndrew has responsibility for implementing and enforcing the HIPAA privacy rule. She has more than 20 years of federal government experience. Before joining HHS, she practiced law in the District of Columbia.
HOWARD ANDERSON: In your presentation here at the National HIPAA Summit, you talked about the omnibus package of regulations going to the Office of Management and Budget. ...
SUSAN MCANDREW: That's right. The regulations were posted and accepted by the Office for Management and Budget [March 24], which means they begin their review of the regulatory package both for its economic impact as well as sharing the regulations with other federal partners. They centralize all the federal feedback, so we're looking forward to getting comments back from OMB as well as our other federal partners on this, and this is really the final clearance lap for these regulations. And we're very happy that has happened and anxious to get these done and out so that people can begin to have their new rights and business associates can begin to be covered by the HIPAA security and privacy rules directly.
ANDERSON: You mentioned that typically the Office of Management and Budget review takes about 90 days. Could it take longer than that, or is that your expectation?
MCANDREW: Typically, they have 90 days. I know that they have a significant work load right now with regard to regulations, and I believe in a couple of cases they can ask for extensions of time to complete their review, but we're hopeful that these regulations will go no longer than the 90 days.
ANDERSON: What are the major components of the omnibus package?
MCANDREW: Basically there are four regulations that we're doing as part of this package. One is to finalize the HITECH notice of proposed rulemaking that was put out in July of 2010. I think the major piece of that is the business associate liability.
ANDERSON: That's the HIPAA modifications?
MCANDREW: All of these modify either the HIPAA privacy or security rules, the HIPAA enforcement rules and also one piece of the package is to finalize the breach notification rules. Two other components are a final version of the enforcement rule that was [issued as an] interim final rule back in 2009 and finalizing the Genetic Information Nondiscrimination Act privacy protections, and those were based on a notice of proposed rulemaking from 2009.
Risk of Harm Provision
ANDERSON: In your presentation you discussed a bit the risk of harm provision that's in the interim final breach notification rule. Can you describe how the final version of the breach notification rule will have more details about that?
MCANDREW: We did have in the interim final breach notification rules that the compromise of the privacy or security of information was to be assessed [to determine whether] there was a significant risk of harm to an individual from the impermissible disclosure of that information. We did get a number of comments on the harm standard, including comments that trying to determine harm to the individual was too subjective a standard, and we have been working with entities under the interim final rule in terms of how they've been dealing with the harm standard. We're taking all of that into consideration and we will be addressing, as part of the final rule, how to go forward with assessing what the risk is to the compromise of the privacy or security of the information from one of these breaches.
ANDERSON: Some folks were arguing to get rid of the harm standard all together and report all breaches. That's not the step you're taking?
MCANDREW: Because the statutory language does confine the breach to where there has been a compromise of the information as a result of the breach, it's really a matter of how best to define when a breach does result in the compromise of the data.
ANDERSON: So there will be much more clarity in the final version than in the interim final version?
MCANDREW: We're hopeful that the standards will be sufficiently clear. ... We're working on some additional guidance which will help entities, particularly smaller entities that may encounter breaches, to help them identify what the proper steps are to a risk assessment.
ANDERSON: In your presentation you mentioned a couple other pieces of guidance will be coming out in conjunction with these final rules. Is that right?
MCANDREW: We're working on a variety of guidance pieces. For instance, we're working to finalize the guidance on how to best de-identify health information, and we're hopeful that will be out [soon]. But most of the guidance pieces, for instance on minimum necessary, business-associate contract-model language and other information that will help with implementation, we're targeting to be issued at the same time that we issue the final regulation.
ANDERSON: And that appears to be on track for later this year.
MCANDREW: Yes, hopefully it will be whenever we get through the OMB clearance process.
ANDERSON: Can you shed any light on what the delay has been in getting this done?
MCANDREW: Oh, I don't think you want to know.
Recent Settlement Action
ANDERSON: Your office recently announced a resolution agreement with BlueCross BlueShield of Tennessee tied to a breach that affected about 1 million people. The settlement called for a $1.5 million payment plus a corrective action plan. Does this mean we can expect to see a number of similar settlements tied to other major breaches reported under the breach notification rule's requirements in the months ahead?
MCANDREW: Yes. We're using the breach reports as a way of identifying cases. It's not just that because you've had a breach that you'll automatically get a fine. It really is looking at the underlying or root cause of the breach and what actions the entity took either to prevent it from happening in the first place or remedying it after the vulnerability came to their attention through the occurrence of the breach. All of those activities will be assessed, and where there has been some problem or some non-compliance with the regulation, as in the BlueCross BlueShield case, I think we will be providing some enforcement activity as well as making sure there's adequate corrective action.
ANDERSON: Finally, are there particular lessons we can learn from the details of the BlueCross BlueShield breach uncovered by your investigation on how similar events can be prevented?
MCANDREW: I think one of the main takeaways is to make sure your security risk analysis is a living document. When you're facing a major change in conditions, you need to go back to your original risk assessment and see if those original protections that were put into place remain relevant given the change in circumstances. I think that's what BlueCross BlueShield failed to do; when they were changing locations and vacating the premises, they didn't deal adequately with the protected health information that was left in the vacated space and that left it vulnerable to the theft and the breach that occurred there. So it's making sure that you do take these changes of circumstances into account and then you update your risk assessment or risk analysis as necessary to ensure that all information is protected.