The US Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released final rules on January 17, 2013 governing the privacy and security of protected health information under HIPAA and the HITECH Act. The new rules take effect March 26, 2013; compliance is expected by September 23, 2013. This post will focus on the changes to the requirements for notifications following a data breach. Future posts will address changes to Business Associate Agreements, Notices of Privacy Practices, and other key provisions of the new rules.
Reporting to HHS and Affected Individuals
Under the HITECH Act, providers are required to notify HHS and affected individuals of breaches of protected health information. Since 2009, the OCR has received only 537 reports of breaches affecting 500 or more individuals. This is a noticeably low number. Reasons for this include (1) lack of knowledge of the reporting requirements, (2) failure to adequately investigate breaches, and (3) an aggressive approach to the risk assessment of breaches. The first two are clearly compliance issues that providers should address immediately – there is no excuse for not having a current policy, or for failing to investigate an issue, especially as OCR steps up HIPAA enforcement.
For the third, under the old HITECH breach notification rule the majority of breaches were determined by providers to be non-reportable. The risk assessment was based upon whether the breach posed a significant risk of harm (financial, reputational, or other) to the affected individuals. Most providers who conducted these assessments concluded that there was no significant risk and therefore no requirement to report the specific breach.
New Rules, New Considerations
Under the new rules, “an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” Risk assessments will now use the following factors: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.
While this still leaves room for the judgment of the provider, it will not be as easy to document that a particular breach is not reportable. OCR has stated that the old criteria were misinterpreted by providers as setting a higher threshold for reporting than was intended.
In the coming months, providers will need to revisit and update their privacy policies to reflect the new rules. Privacy officers and their organizations will need to rethink their risk assessments of data breaches, and get used to the fact that they may need to report breaches to HHS and affected individuals more frequently.