If you sponsor a group health plan that is subject to the HIPAA Privacy and Security Rules, it is time to review and revise your policies and procedures and re-train your employees regarding the proper procedures when Protected Health Information is impermissibly used or disclosed.

On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued significant new guidance on the rules that govern protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Omnibus Rule implements most of the privacy and security provisions of the Health Information Technology for Economic and Clinical health (HITECH) Act and extends the reach of HIPAA. Specifically, the Rule requires covered entities, including group health plans and their business associates, to make changes to their policies and procedures, Notices of Privacy Practices and business associate agreements. The purpose of this Advisory is to discuss the impact of the Omnibus Rule on employers sponsoring group health plans that are covered entities under HIPAA.

For these employers, the Omnibus Rule requires you to revise your breach notification policies and procedures. The new Rule applies to breaches discovered after Sept. 23, 2013.

Under the HITECH Act, group health plans and business associates are required to provide notification following the discovery of a breach of unsecured PHI. The Omnibus Rule revises the definition of “breach” in a manner that increases the likelihood that health plans will have to provide notification when PHI is impermissibly used or disclosed. The new definition of “breach” is that there is an unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of that PHI. Notification of the breach is required unless the covered entity plan or business associate demonstrates there is a low probability that the PHI has been compromised or that an exception to the notification rules applies. The new definition also creates a presumption that any unauthorized acquisition, access, use or disclosure of PHI is a breach and shifts the burden to the group health plan or business associate to demonstrate through a risk assessment that there is a low probability that the PHI has been compromised. Risk assessments must be thorough, completed in good faith, and the conclusions must be reasonable.

There are four factors that must be considered when assessing the probability that PHI has been compromised: 1) the nature and extent of the PHI involved; 2) the unauthorized person who used the PHI or to whom the disclosure was made; 3) whether the PHI actually was acquired or viewed; and, 4) the extent to which the risk to the PHI has been mitigated.

  1. What is the nature and extent of the PHI involved? When evaluating the nature and extent of the PHI involved, the guidance advises that entities should consider the type of PHI involved and whether the information that is was disclosed was of a more sensitive nature. For example, with respect to financial information, the disclosure of information that might increase the risk of identity theft is highly sensitive. For clinical information, the guidance suggests not just considering the nature of the services described in the information, but the amount of detailed clinical information involved (e.g. diagnosis, mediation, test results). The type of information involved will help entities determine the probability that the information may be used in a manner adverse to the individual.
  2. Who was the unauthorized person? When evaluating who impermissibly used the PHI or to whom the impermissible disclosure was made, entities should consider whether the unauthorized person has independent obligations to protect the privacy and security of the information. If the receiving entity has independent obligations to comply with HIPAA, the risk should be low that the PHI will be compromised by that entity.

    In addition, entities should determine whether the unauthorized person who received the PHI has the ability to re-identify the information. If they do not, the probability that the information will be compromised would also be considered low.
  3. Was the PHI was acquired and viewed? Covered entities and business associates should determine if the PHI was actually acquired or viewed or , if only the opportunity existed for the information to be acquired or viewed. For example, if information is mailed to the wrong individual, and that individual opens the envelope and informs the sender they have received the information in error, clearly as a result of the unauthorized disclosure, the information was actually viewed and acquired.
  4. Has the risk to the PHI been mitigated? Covered entities and business associates should consider the extent to which the risk to PHI has been mitigated. Examples of ways that a covered entity or business associate can mitigate the risk would be obtaining the recipient’s satisfactory assurance that the information will not be further used or disclosed, such as through a confidentiality agreement. The guidance provides that this factor, when considered in combination with the factor regarding the unauthorized recipient of the information, may lead to different results in terms of the risk to the protected health information. For example, a covered entity may be able to rely on assurances from some parties, but not others.

If an evaluation of these factors fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required.

The rules governing the timing, the content and the methods for providing the notice, as previously set forth in interim breach notification regulations, have not been changed.

The changes under the Omnibus Rule will likely also impact the policies and procedures of group health plans mandated by the Privacy and Security Rules. This is a good time for employers to ensure ongoing Privacy and Security Rule compliance, update their policies and procedures for changes in their group health plan operations, and update training, as appropriate.

For a further discussion of the changes made by the Omnibus Rule, please see our related advisory.