On January 17, 2013, the U.S. Department of Health and Human Services (HHS) announced a final omnibus rule amending the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with the HITECH Act of 2009. The 2013 amendments, which are effective on March 26, 2013, supplement and modify the HIPAA Privacy, Security, Breach Reporting and Enforcement Rules. The regulations modify the interim final rule (the "Breach Notification Rule") published in August 2009 that required notice to patients and others of a “breach,” or disclosure of unsecured protected health information (PHI), by covered entities and business associates (collectively referred to as "HIPAA-covered entities"). One of the most significant changes to the Breach Notification Rule modifies and clarifies the definition of "breach" and the risk-assessment approach required for breach notification. In light of this heightened standard, covered entities, business associates and downstream contractors should consider carefully reviewing their breach notification policies and procedures, training materials and contractual arrangements in an effort to avoid potential liability under the Breach Notification Rule.
Things Every Covered Entity and Business Associate Should Be Aware of About the Breach Notification Rule
Unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a "breach," unless the HIPAA-covered entity can demonstrate that there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment.
The new risk assessment factors are significant in that they provide a specified structure for the risk assessment that if not adequately performed and documented could provide a basis for imposition of costly penalties.
The Breach Notification Rule extends to business associates and their downstream subcontractors.
In general, the Breach Notification Rule requires a covered entity to notify an individual when unsecured PHI has been improperly disclosed. The entity must also notify HHS regarding confirmed breaches, either through an annual report or sooner, depending on the number of individuals affected. In some instances, media must also be notified. Integral components of the Breach Notification Rule are definitions of "unsecured PHI" and "breach." In particular, HHS clarified that the impermissible use of disclosure of PHI is presumed to be a "breach," unless the HIPAA-covered entity demonstrates there is a low probability that the PHI has been compromised.
Significant Definitions and Analysis
"Unsecured PHI" is "protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance." HIPAA-covered entities that implement the specified technologies and methodologies with respect to PHI are not required to provide notifications in the event of a breach of such information—that is, the information is not considered "unsecured" in such cases.1
It is important to note that the data-protection standards recognized under the HIPAA Breach Notification Rule (encryption and destruction) are different from the data-protection standards articulated under the HIPAA Security Rule and the HIPAA Privacy Rule. The Security Rule requires covered entities to protect electronic PHI by satisfying a number of general standards. The Privacy Rule requires that covered entities apply reasonable safeguards to all PHI. Thus, even PHI that was protected in accordance with the Privacy and Security Rules, such as by use of firewalls, but was breached under the terms of the new Breach Notification Rule, would have to be reported. In addition, the HIPAA Security Rule requires "security incident reporting." A "security incident" means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Therefore, even though a "breach" as defined by the Breach Notification Rule has not occurred, security incident reporting may still be required under the HIPAA Security Rule or by contract.
The most significant change to the Breach Notification Rule is the definition of the term "breach." HHS defines "breach" as the "acquisition, access, use, or disclosure" of PHI in violation of the Privacy Rule that "compromises the security or privacy" of the PHI. Under the interim rule, HHS defined the phrase "compromises the security or privacy of the PHI" to mean the inappropriate use or disclosure of PHI involving significant risk of financial, reputational or other harm. The final rule changes this definition by stating that, unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a "breach," unless the HIPAA-covered entity can demonstrate there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment. HHS also clarified that uses or disclosures that impermissibly involved more than the minimum necessary information may qualify as breaches. Therefore, such incidents should be evaluated as any other impermissible uses or disclosures to determine whether breach notification is not required.
"Risk of Harm" Analysis Replaced with "Low Probability"
HHS has shifted away from the subjective, non-uniform "risk of harm" analysis toward a system that focuses more objectively on the risk that the PHI has been compromised. The "low probability" risk assessment will provide HIPAA-covered entities with less latitude in making internal determinations that exclude certain incidents from the definition of "breach" and from the associated notification requirements.
HIPAA-covered entities now have the burden of showing that a breach has not occurred. The risk assessment must be performed following all impermissible uses and disclosures that do not otherwise fall within the other enumerated exceptions to the definition of "breach." If a risk assessment is not performed and none of the other exceptions apply, the incident is automatically presumed to be a breach.
The final rule requires the risk assessment to consider at least the following four factors:
The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification.
To assess this factor, entities should consider the type of PHI involved, such as whether the disclosure involved information of a sensitive nature (e.g., credit cards; Social Security numbers; information that increases the risk of identity fraud; and clinical information, such as diagnosis, treatment plans, medication, medical history and test results). Considering the type of information disclosed will allow the HIPAA-covered entity to assess the probability that the PHI could be used by an unauthorized user in a manner adverse to the individual. Additionally, if there are few, if any, direct identifiers in the PHI impermissibly disclosed or used, the HIPAA-covered entity may want to determine whether there is a likelihood that the PHI released could be re-identified based on the context and the ability to link the information with other available information.
The unauthorized person who used the PHI or to whom the disclosure of PHI was made.
Entities should consider whether the unauthorized person who received the information has obligations to protect the privacy and security of the information. For example, if PHI is impermissibly disclosed to another entity obligated to abide by the HIPAA Privacy and Security Rules or to a federal agency obligated to comply comparable regulations, then there may be a lower probability that the PHI has been compromised since the recipient of the information is obligated to protect the privacy and security of the information in a similar manner as the disclosing entity. Furthermore, if the information impermissibly used or disclosed is not immediately identifiable, entities may want to determine whether the unauthorized person who received the PHI has the ability to re-identify the information.
Whether the PHI was actually viewed or acquired or, alternatively, if only the opportunity existed for the information to be viewed or acquired.
For example, if a laptop computer was stolen and later recovered and a forensic analysis shows that the PHI on the computer was never accessed, viewed, acquired, transferred or otherwise compromised, the HIPAA-covered entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed. In contrast, if a HIPAA-covered entity mailed information to the wrong individual who opened the envelope and called the entity to say that she received the information in error, in this case, the unauthorized recipient viewed and acquired the information because she opened and read the information to the extent that she recognized it was mailed to her in error.
The extent to which the risk to the PHI has been mitigated.
HIPAA-covered entities may want to attempt to mitigate the risks to the PHI following any impermissible use or disclosure, such as by obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a written confidentiality agreement or similar means) or will be destroyed. They should consider the extent and efficacy of the mitigation when determining the probability that the PHI has been compromised.
The federal government clarifies that each factor above must be considered in a HIPAA-covered entity's risk analysis, and other factors may also be considered where necessary. HIPAA-covered entities should then evaluate the overall probability that the PHI has been compromised by considering all the factors in combination. These risk assessments should be thorough and completed in good faith, and the conclusions reached have to be reasonable. If an evaluation of the factors discussed above fails to demonstrate there is a low probability that the PHI has been compromised, breach notification is required. With regards to breach notification, the HIPAA-covered entity bears the burden of proof to demonstrate that all notifications were given or that the impermissible use or disclosure did not constitute a breach and to maintain documentation (e.g., the risk assessment) to meet the burden of proof.
Exceptions to the Definition of "Breach"
The final rule also eliminated the exception where the PHI used or disclosed constitutes limited data sets that do not contain any dates of birth and ZIP codes. The other exceptions remain.
Specifically, a "breach" does not include:
any "unintentional" acquisition, access or use of PHI by a workforce member or individual acting under the authority of the covered entity or business associate that is made in good faith, within the course or scope of employment or other professional relationship, and is not further used or disclosed in an unlawful manner under the HIPAA Privacy Rule.
An "inadvertent" disclosure to another authorized person at the same covered entity, business associate or organized healthcare arrangement, and the PHI is not further used or disclosed in an unlawful manner under the HIPAA Privacy Rule.
A disclosure where the covered entity or business associate had a good-faith belief that the unauthorized person to whom the information was disclosed would not reasonably be able to "retain" such information.
New Policies and Procedures Required
The Breach Notification Rule requires HIPAA-covered entities to develop and document policies and procedures, train workforce members on and have sanctions for failure to comply with these policies and procedures, permit individuals to file complaints regarding these policies and procedures or a failure to comply with them, and require HIPAA-covered entities to refrain from intimidating or retaliatory acts. Thus, a HIPAA-covered entity is required to consider and incorporate the new breach notification requirements with respect to its administrative compliance and other obligations.
Every data breach is unique, and any assessment determining the probability that PHI was compromised will be highly fact-dependent and will incorporate a significant degree of subjectivity. However, the new low-probability standard is likely to be hard to meet and strongly indicates that HHS intends for the vast majority of breaches to be disclosed. Thus, with this heightened burden on risk-assessment analysis and notification, it is vital that all covered entities and business associates examine and update their current policies and procedures to ensure that they can detect and respond to potential data breaches in an appropriate and compliant manner.
About Duane Morris
Duane Morris attorneys provide the full range of services to entities that handle healthcare and other personal data, including healthcare providers, data analytic and management companies, software development and storage vendors, health information exchanges, and many others. Attorneys in the Duane Morris Health Law Practice Group have extensive experience with counseling clients on potential data breaches under HIPAA and other privacy and security laws, and in developing and executing a data breach response plan, including reporting to federal, state, local and foreign governmental agencies and responding to formal agency investigations.
For Further Information
If you have any questions about this Alert or would like more information, please contact Erin M. Duffy, Lisa W. Clark, any of the attorneys in our Health Law Practice Group or the attorney in the firm with whom you are regularly in contact.
As required by the Act, the Secretary initially issued this guidance on April 17, 2009 (it was subsequently published at 74 FR 19006 on April 27, 2009). This guidance, which was published in updated form within the preamble to the interim final rule and made available on the HHS website, specifies that only encryption and destruction consistent with National Institute of Standards and Technology (NIST) guidelines, renders PHI unusable, unreadable or indecipherable to unauthorized individuals.