Benefits Law Update
        Practical advice from Verrill attorneys

        HHS Makes Significant Changes to HIPAA Breach Notification Rules

        by Eric D. Altholz on February 12, 2013

Three years ago, almost to the day, we posted the first of a two-part analysis of the Interim Final Rules published by the U.S. Department of Health and Human Services (“HHS”) governing the HIPAA privacy breach notification requirements. We now return to that subject in light of the recent publication (January 25, 2013 in the Federal Register) by HHS of a set of Final Omnibus Rules under HIPAA. The Final Rules cover four distinct areas: (1) privacy and security standards regarding protected health information (“PHI”); (2) enforcement and penalties; (3) breach notification requirements; and (4) final implementation of the Genetic Information Nondiscrimination Act of 2008 (“GINA”). The Final Rules take effect March 26, 2013, and covered entities and business associates have 180 days (until September 23, 2013) to comply. While the Final Rules make some substantial revisions to the prior rules in all four areas, the changes to the breach notification rules are perhaps the most significant.

        Presumption of Breach

        In the preamble to the Final Rule, HHS’s Office of Civil Rights explains that the Final Rule “modifies and clarifies the definition of breach and the risk assessment approach” contained in the 2010 Interim Final Rule. Most commentators agree that is a bit of an understatement.

The 2010 Interim Final Rules provided a process for privacy officials to follow in order to determine whether an impermissible use or disclosure of PHI resulted in a “breach” that would have to be reported to the affected person(s) and HHS. That process involved a review of the facts and circumstances surrounding the impermissible use or disclosure, a determination of whether an exception to the notification requirement could apply, and (assuming no exception applied) a somewhat subjective assessment of whether the impermissible use or disclosure posed a “significant risk of harm” to the affected person(s). The “harm” could be financial, reputational, or in some other form. But ultimately a privacy official could reasonably determine that a given breach might not be so damaging to the affected person(s) that a notification was required.

        It appears that the “significant risk of harm” standard set the bar for notification higher (or created more wiggle room) than the regulators intended, so the Final Rules do two things to lower the notification bar to the intended level. First, the Final Rules modify the definition of “breach” by providing that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate that there is a “low probability” that the PHI has been compromised. This means that a breach notice would have to be given in all cases unless the low probability standard can be met (or unless one of the available exceptions applies). Second, the Final Rule requires the probability of compromise to be determined through a prescribed risk assessment.

        Risk Assessment

        In order to determine the probability that PHI has been compromised, a covered entity or business associate must undertake a risk assessment that takes into account the following factors:

        • The nature and extent of PHI involved
        • The unauthorized person by whom (or to whom) the PHI was used (or disclosed)
        • Whether the PHI was actually viewed or obtained
        • Efforts made to mitigate the use or disclosure of the PHI

        Some residue of the “significant risk of harm” standard perhaps survives in the first of the factors. That is, if the PHI involved is not of a highly sensitive nature (e.g., a prescription for a high dose of Vitamin D) or minimal in extent (such that it would be difficult to identify an affected person), there is at least the possibility that the risk of compromise could be low. Still, the other three factors appear to focus directly on whether the PHI (regardless of the nature and extent) may actually have been accessed in an impermissible way. And to emphasize that point, the Final Rules specify that this risk assessment must be conducted even in cases where the impermissible use or disclosure occurs entirely within a covered entity or business associate, despite the fact that one would expect the probability that the PHI was compromised to be low.

        The abandonment of the “significant risk of harm” standard in favor of a presumption of breach effectively turns the prior rule on its head and is likely to require substantial changes in HIPAA privacy policies and the procedures followed by covered entities and business associates in dealing with potential breach situations.

        * * * * * * * *

        Future posts on the new Final Rules under HIPAA will examine changes affecting business associates and Business Associate Agreements and suggest steps that should be taken by sponsors of self-funded group health plans in order to comply with the new rules by the September 23, 2013 deadline.
