Breach, Business Associate Obligations Biggest Provisions in HIPAA Rule, Experts Say

Health Care Policy Report™ offers the inside story on health care regulation and policy, with behind-the-scenes news and analysis of developments in Congress, the federal agencies, and the...

A change to how covered entities must evaluate whether they are required to notify individuals when their personal information has been breached is being described as one of the most significant new provisions in the long-anticipated final omnibus Health Insurance Portability and Accountability Act rule.

The rule's broad requirements for business associates and their subcontractors are also now final, making organizations that handle protected health information on behalf of health care companies directly liable for complying with many of the Privacy Rule, Security Rule, and breach notification obligations.

The Department of Health and Human Services Office for Civil Rights published the rule, which actually embodies four final rules covering a broad range of HIPAA issues, in the Jan. 25 Federal Register (78 Fed. Reg. 5,565; see related story). Covered entities and business associates have until Sept. 23 to comply with most provisions. In the case of existing business associate agreements, covered entities have until September 2014 to make changes.

Attorneys and others who spoke to BNA Jan. 18 said the breadth of the rule, alone, was a significant new development, even though covered entities and business associates already had been required to comply with most of the provisions that were in interim final rules.

“The big news is that the starting gun is sounded now and business associates will be scrambling to get into compliance by September this year,” attorney Reece Hirsch with Morgan, Lewis & Bockius LLP in San Francisco, told BNA. “That's a big shift in the regulatory landscape. We've seen it coming, but the clock is ticking.”

Attorney Lisa J. Sotto, with Hunton & Williams LLP in New York, called the sheer size of the regulations a significant administrative burden for covered entities and business associates to absorb.

Harm Standard Replaced

Hirsch and Sotto agreed that perhaps the single biggest change in the final omnibus rule was OCR's removal of the so-called risk of significant harm standard. Under the interim final breach notification rule, that standard required covered entities to notify individuals that their protected health information (PHI) had been breached only if the entity determined, through a risk assessment, that the individuals could suffer significant financial, reputational, or other harm.

Although a majority of public comments to OCR on the data breach rule supported the standard, concerns were raised that the standard was too subjective and gave covered entities, in some instances, too much latitude to avoid notification.

OCR replaced the risk of significant harm standard with a provision that presumes an impermissible use or disclosure is a breach, and requires covered entities and business associates to notify individuals unless a risk assessment demonstrates a “low probability” that the PHI has been compromised.

OCR also described four factors that every such risk assessment must consider:

• the nature and extent of the PHI involved, including the types of identifiers present and the likelihood the data could be re-identified;

• the unauthorized person who used the PHI or to whom an improper disclosure was made;

• whether the PHI was actually acquired or viewed; and

• the extent to which the risk to the PHI has been mitigated.

Hirsch said the new standard is more concrete and leaves less wiggle room for when a notification must be made.

“HHS was concerned there were some who were abusing the latitude [in the interim rule],” he explained.

Hirsch described the shift as a “big change, but not a radical departure,” from the interim rule, adding that the ultimate determination for notifications under the interim and now final rules was always meant to be based on a risk assessment.

However, Sotto said the shift to the presumption that a breach has occurred unless there is a demonstration of low probability of compromised PHI poses a “significant administrative burden” for covered entities and business associates.

“It's a dramatic shift away from [the focus on] injury to the individual,” she said.

The significance, she explained, is that HHS is now requiring a formal, documented risk assessment for every impermissible use or disclosure of PHI, even for incidents an entity does not believe rise to a notifiable breach.

Notification Timing

Sotto also said the 60-day limit for notifying individuals of a breach was burdensome, noting that notification is due without unreasonable delay, that 60 days from discovery is the “outer limit,” and that HHS may, in some cases, determine a breach should have been reported to individuals sooner.

“This is strong language,” she said.

The timing for reporting breaches did not change from the interim rule, but some had hoped HHS would reconsider the 60-day requirement, Sotto said.

Sotto advised that covered entities and business associates that experience a breach work as quickly as possible to understand whether it is a notifiable event. That means, she said, risk assessments must be done quickly, and if the determination is made that there was a notifiable breach, covered entities must act fast to figure out which individuals must be notified.

She said third-party consultants often are useful in those situations, not just for conducting forensic investigations, but also for “extracting and putting in logical format” information about affected individuals and tracking down their contact information.

Business Associate Obligations

One of the biggest changes in the omnibus rule is the set of provisions that extend Privacy and Security Rule compliance obligations directly to business associates, the organizations that create, receive, maintain, or transmit PHI on behalf of covered entities. The rule likewise finalized an expanded definition of business associate that includes subcontractors of business associates whose work involves PHI.

Hirsch said that while the final rule did not make major changes to the business associate provisions, it presents a significant compliance obligation for a host of organizations not covered by HIPAA rules before the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009.

Hirsch said he had hoped OCR would include new, additional guidance language for business associate agreements in the final rule, but there was little more in the way of such guidance than was in the proposed rule.

Chief among the obligations for business associates and subcontractors will be complying with much of the HIPAA Security Rule, including the requirements that organizations have written security policies and procedures in place.

The final rule also will mean covered entities must rewrite all of their business associate agreements to reflect the obligations of those organizations, Sotto said.

In some cases, large health systems or other organizations that are HIPAA-covered entities have as many as 20,000 business associates, Sotto said. Covered entities will have until September 2014, a full year after the compliance date for most of the other provisions, to bring existing business associate arrangements into compliance with the final rule, but Sotto said redrafting the deals will be a “massive” undertaking.

One of the biggest concerns will be for companies that subcontract with business associates and handle PHI but have no idea they are now obligated to comply with strict HIPAA rules, she said.

Hirsch said covered entities are not legally obligated to look down the chain of contractors to affirmatively determine which ones are required to comply with HIPAA rules, but that business associate agreements must define the business associate's duty to ensure its own relevant subcontractors are in compliance. Nevertheless, the new requirements will raise the bar for contractor scrutiny from covered entities on down the line.

Implementation Concerns

Angela Dinh Rose, director of HIM solutions at the American Health Information Management Association in Chicago, told BNA that one of the challenges facing covered entities will be implementing two new Privacy Rule requirements mandated in the HITECH Act: the right of patients to request electronic copies of their health records, and the right of patients who pay for a service out of pocket in full to require that the covered entity not disclose information about that treatment to their health plan.

Rose said many health care organizations are moving toward electronic health records, which often include a patient portal component, so complying with the access requirement will be less cumbersome than the requirement to let patients restrict how their data are shared.

Operationally, she explained, covered entities will have to determine whether their systems are capable of flagging restricted services so they are not reported to the health plan, and of maintaining those flags beyond a single incident.

Likewise, Rose advised, covered entities will need to train staff to recognize flagged data and to know what to do with it.

Covered entities also will be required to issue revised notices of privacy practices, which provider groups are calling a major implementation challenge.

In a statement, Medical Group Management Association President and Chief Executive Officer Susan L. Turney said physician practices are worried about rewriting and reissuing notices of privacy practices by September.

By Kendra Casey Plank  

The final rule is available at