Loss of HIPAA Breach Notice Threshold, New Business Associate Rules Pose Challenges



The elimination of a risk of harm threshold for when breach notice is required under the Health Insurance Portability and Accountability Act, announced with the Jan. 25 publication of the long-anticipated final omnibus HIPAA rule (78 Fed. Reg. 5565, 1/25/13), is perhaps the most significant change from interim final rules implementing the 2009 Health Information Technology for Economic and Clinical Health Act, attorneys recently told BNA.

The breach notice change “likely will not have a significant impact on the situations in which notice is provided,” Kirk Nahra, partner at Wiley Rein LLP, Washington, told BNA Jan. 23.

In addition, the omnibus rule's broad requirements for business associates and their contractors that do business with health care companies to comply with many of the HIPAA Privacy Rule, Security Rule, and Data Breach Rule obligations will be an ongoing challenge, attorneys and others said.

The omnibus rule also made modifications to the Privacy Rule as required in the Genetic Information Nondiscrimination Act.

The experts said the breadth of the Department of Health and Human Services omnibus rule alone was a significant development, even though covered entities and business associates have already been required to comply with most of the provisions because they were set forth in previously published interim final rules.

Covered entities and business associates have until Sept. 23 to comply with most provisions. In the case of existing business associate agreements, covered entities have until September 2014 to make changes.

“The big news is that the starting gun is sounded now, and business associates will be scrambling to get into compliance by September this year,” Reece Hirsch, a partner with Morgan, Lewis & Bockius LLP, in San Francisco, told BNA Jan. 18.

“That's a big shift in the regulatory landscape. We've seen it coming, but the clock is ticking.”

Lisa J. Sotto, a partner at Hunton & Williams LLP, in New York City, called the enormity of the regulations a significant administrative burden for covered entities and business associates to absorb.

In addition to finalizing changes to the HIPAA Privacy Rule, Security Rule, and Data Breach Rule, the omnibus rule finalized changes to the HIPAA Enforcement Rule (see related report in this issue).

Risk of Harm Threshold Lowered

Hirsch and Sotto agreed that removal of the risk of significant harm standard that was present in the interim final breach notification rule is highly significant.

Under the interim final rule, which was made public in August 2009 (8 PVLR 1227, 8/24/09), covered entities were required to conduct an assessment of whether the risk of financial, reputational, or other harm to an individual or individuals was insignificant. If so, no breach notification was required.

Also in August 2009, the Federal Trade Commission issued parallel breach notification regulations for personal health record vendors and others not covered by HIPAA that did not contain a risk of harm standard.

In its comments on the final omnibus rule, HHS said that although a majority of public comments on the HHS Data Breach Rule supported the risk of harm standard, some raised concerns that the standard was too subjective and gave covered entities, in some instances, too much latitude to avoid notification.

Some members of Congress told HHS that including a risk of harm standard was contrary to congressional intent expressed in the HITECH Act (8 PVLR 1524, 10/26/09).

Just as HHS was nearing completion of the Data Breach Rule, it withdrew the rule from the pre-release Office of Management and Budget approval process (9 PVLR 1120, 8/2/10).

HHS eventually added the Data Breach Rule to the omnibus package and replaced the risk of significant harm standard with a provision in the final omnibus rule that requires covered entities and business associates to notify individuals of a breach unless a risk assessment determines a “low probability” that the breached data were compromised.

The HHS Office for Civil Rights (OCR) also described four factors that risk assessments must consider:

• the nature and extent of the protected health information (PHI) involved, including the likelihood data could be reidentified;

• the unauthorized person who used the PHI or to whom an improper disclosure was made;

• whether the PHI was actually acquired or viewed; and

• the extent to which the risk to the PHI was mitigated.


Hirsch said the new standard is more concrete and leaves less wiggle room for when a notification must be made.

“HHS was concerned there were some who were abusing the latitude [in the interim rule],” he explained.

Hirsch described the shift as a “big change, but not a radical departure,” from the interim rule, adding that the ultimate determination for notifications under the interim and now final rules was always meant to be based on a risk assessment.

However, Sotto said the shift to the presumption that a breach has occurred unless there is a demonstration of low probability of compromised PHI poses a “significant administrative burden” for covered entities and business associates.

“It's a dramatic shift away from [the focus on] injury to the individual,” she said.

The significance, she explained, is that HHS is now requiring a formal risk assessment for breach notifications even if an entity does not believe a breach rises to a notifiable event.

“While removing the risk threshold, HHS also clearly and explicitly recognized that the HITECH law does not require notification any time a breach possibility exists, and correctly flags the negatives, both in costs to covered entities and unfounded concerns for individuals, from notification without a purpose,” Nahra said.

Under the lower risk of harm standard “it is likely that most breaches will end up with the same result--notification to individuals where there is a good reason to think that some kind of reasonable harm can come to the individual from the particular situation,” he said.

Breach Notification Timing Unchanged

Sotto also said the 60-day limit for notifying individuals of a breach was burdensome, noting that 60 days is the “outer limit” and that HHS may, in some cases, determine a breach should have been reported to individuals sooner.

“This is strong language,” she said.

The timing for reporting breaches did not change from the interim rule, but some had hoped HHS would reconsider the 60-day requirement, Sotto said.

Sotto advised that covered entities and business associates that experience a breach work as quickly as possible to understand whether it is a notifiable event. That means, she said, risk assessments must be done quickly, and if the determination is made that there was a notifiable breach, covered entities must act fast to figure out which individuals must be notified.

She said third-party consultants often are useful in those situations, not just for conducting forensic investigations, but also for “extracting and putting in logical format” information about affected individuals and tracking down their contact information.

Business Associate Obligations Affirmed

In October 2009, HHS issued an interim final rule, which included, among many other provisions, changes to expand the HIPAA Privacy Rule and Security Rule to cover business associates of covered entities (8 PVLR 1555, 11/2/09).

In July 2010, HHS issued a proposed rule to make changes to that interim rule, which sought to expand the reach of the Privacy Rule, Security Rule, and Enforcement Rule to cover subcontractors of business associates (9 PVLR 1007, 7/12/10).

The omnibus rule finalized those provisions.

Hirsch said that while the final rule did not make major changes to the business associate provisions, it presents a significant compliance obligation for a host of organizations not covered by HIPAA rules before the HITECH Act was signed into law in 2009 (8 PVLR 344, 3/2/09).

Hirsch said he had hoped OCR would include new, additional guidance language for business associate agreements in the final rule, but there was little more in the way of such guidance than was in the proposed rule.

Chief among the obligations for business associates and subcontractors will be complying with much of the HIPAA Security Rule, including requirements that organizations have security policies and procedures in place.

The final rule will also mean covered entities must rewrite all their business associate agreements to reflect obligations of those organizations, Sotto said.

In some cases, large health systems or organizations that are HIPAA-covered entities have as many as 20,000 business associates, Sotto said. Covered entities will have until September 2014--a full year after the compliance date for most of the other provisions--to bring existing business associate arrangements into compliance with the final rule, but Sotto said redrafting the deals will be a “massive” undertaking.

One of the biggest concerns, she said, will be for companies that subcontract with business associates and deal with PHI but have no idea they now are obligated to comply with strict HIPAA rules.

Hirsch said covered entities are not legally obligated to look down the chain of contractors to affirmatively determine which ones are required to comply with HIPAA rules, but business associate agreements must define the duties of business associate organizations in ensuring their relevant contractors are in compliance. Nevertheless, the new requirements will raise the bar for contractor scrutiny from covered entities down the line.

Patient E-File Concerns

Angela Dinh Rose, director of HIM solutions at the American Health Information Management Association in Chicago, told BNA Jan. 18 that one of the challenges facing covered entities will be implementing new Privacy Rule requirements, mandated in the HITECH Act, that give patients the right to request electronic copies of their health records and to prohibit covered entities from sharing treatment information with health plans when the patients pay out-of-pocket.

Rose said many health care organizations are moving toward electronic health records, which often include a patient portal component, so complying with the access requirement will be less cumbersome than the requirement to let patients restrict how their data are shared.

Operationally, she explained, covered entities will have to determine whether their systems are capable of flagging services for nonreporting and maintaining those flags beyond a single incident.

Likewise, Rose advised, covered entities will need to train staff on recognizing those flagged data and what to do with them.

Covered entities also will be required to issue new privacy rights statements, which provider groups are calling a major implementation challenge.

In a statement, Medical Group Management Association President and Chief Executive Officer Susan L. Turney said physician practices are worried about rewriting and reissuing notices of privacy practices by September.

By Kendra Casey Plank  

The final 138-page HIPAA omnibus final rule, including the Data Breach Rule, is available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
