The Final Omnibus HIPAA/HITECH Rule: Significant Changes to Breach Notification Requirements
On January 17, 2013, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued its long-awaited omnibus final rule implementing changes to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (Final Rule). The Final Rule was published in the Federal Register on January 25, 2013, and incorporates all of the changes to the HIPAA Privacy and Security Rules mandated by the HITECH Act. Among the Final Rule’s more significant changes are the definition of what constitutes a “breach” and various breach notification requirements.
BREACH – THE PRIOR DEFINITION AND EXCEPTIONS
The Interim Final Rule (IFR) defined a “breach” as the impermissible acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of the PHI. The phrase “compromises the security or privacy of the PHI” meant that the impermissible acquisition, access, use or disclosure “posed a significant risk of financial, reputational or other harm to the individual.” A breach, however, excludes the following:
- Any unintentional acquisition, access, use or disclosure by a workforce member or person acting under the authority of a covered entity or business associate, if made in good faith and if no further impermissible uses or disclosures resulted.
- Any inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access that same PHI at the same covered entity or business associate, and the PHI received is not impermissibly used or disclosed.
- A disclosure of PHI where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably be able to retain that information.
- The acquisition, access, use or disclosure of PHI that has been secured through a technology or methodology specified by the Secretary so as to be rendered unusable, unreadable or indecipherable to unauthorized persons. (The Secretary has specified that only encryption and destruction consistent with National Institute of Standards and Technology (NIST) guidelines meet these criteria.)
BREACH – A NEW DEFINITION AND A NEW PRESUMPTION
Under the Final Rule, the exceptions described above remain unchanged, but OCR did away with the “harm to the individual” standard for determining when an impermissible use or disclosure compromises the security or privacy of the PHI. It did so after determining that the standard was too subjective and gave covered entities and business associates too much latitude in deciding when notification is required.
As a result, the Final Rule revises the definition so that any impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach, unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised based on a risk assessment involving at least the following four factors:
- The nature and extent of the PHI involved and the likelihood of re-identification;
- The unauthorized person to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
OCR intends to issue additional guidance to aid covered entities and business associates in performing risk assessments in frequently occurring situations.
BURDEN OF PROOF
The covered entity or business associate bears the burden of proof. To avoid or satisfy the notification obligation, it must be able to demonstrate one of the following:
- Based on the risk assessment conducted, there is a low probability that the PHI has been compromised;
- An exception applies and the incident should not be deemed a breach; or
- The incident did constitute a breach, but all required notices were properly provided.
Whether an impermissible use or disclosure constitutes a breach remains a fact-specific determination based on the circumstances, but the presumption of breach means that many more incidents will likely have to be treated as potential breaches, requiring a documented risk assessment. For example, the Final Rule expressly states that a use or disclosure of PHI in excess of the “minimum necessary” requirement is an impermissible use or disclosure subject to the breach presumption and risk assessment, as is any improper use or disclosure involving a limited data set, including one that excludes dates of birth and zip codes (the IFR’s exception for such limited data sets was eliminated). Thus, covered entities and business associates will have to conduct risk assessments more diligently in a host of seemingly mundane use and disclosure situations.
On the other hand, the Final Rule also indicates that a covered entity or business associate may forgo the risk assessment and simply notify affected individuals of the impermissible use or disclosure of their PHI. Whether covered entities and business associates will embrace this option as an alternative to the administrative burden of increased risk assessments remains to be seen.
OCR encourages covered entities and business associates to avoid the risk of a breach by using encryption technology consistent with NIST guidelines whenever possible. Like the IFR, the Final Rule does not require notice for breaches of secured PHI.
Under the Final Rule:
- A breach is treated as having occurred at the time of the impermissible acquisition, access, use or disclosure.
- A breach is treated as having been discovered as of the first day on which the breach is known or should have been known by the covered entity or business associate, exercising reasonable diligence.
- Reasonable diligence means “business care and prudence expected from a person seeking to satisfy the legal requirement under similar circumstances.”
- A covered entity or business associate is treated as having discovered a breach at the time a workforce member or other agent (other than the person who committed the breach) has knowledge of the breach under these criteria.
REPORTING BREACHES AND PROVIDING NOTICE
Individuals must be notified of any breach involving their PHI without unreasonable delay, and in no case later than 60 calendar days from the date the breach was discovered (not the date the breach occurred).
- The clock begins to run when the incident is first known (or should have been known), not when the investigation of the incident is complete and it has been determined that a breach occurred.
- The default presumption is that an incident is a breach unless a risk assessment determines otherwise. Practically speaking, then, risk assessments must be completed well within 60 days of discovery.
- The 60 days is an outer limit, and it may be unreasonable to take that long. Notice should be provided as soon as it is feasible to do so.
- Whether any delay is reasonable involves a fact-specific assessment of all the circumstances; but if a computer or hard drive is lost or stolen, it is not reasonable to delay notice in the expectation that it will be returned or recovered.
- Business associates have a duty to notify covered entities of any breaches discovered, but covered entities will be presumed to have knowledge of the breach at the time a business associate acting as their agent has such knowledge. Whether a business associate is acting as an agent of the covered entity is determined by the Federal common law of agency. Obligations of the covered entity and business associate relating to how, when and who a business associate should notify of a breach should be addressed in detail in the parties’ business associate agreement.
- Business associates and covered entities can allocate between them responsibility and costs for notifying affected individuals of breaches of their PHI in the business associate agreement; but, covered entities are ultimately liable, regardless of the contractual allocation, even where the breach was the responsibility of the business associate.
NOTICE TO INDIVIDUALS
HIPAA requires written notice to be provided by first class mail to the last known address of the individual (or next of kin or personal representative if the individual is deceased), or by e-mail if the individual has agreed to electronic notice. Multiple mailings may be required if additional information comes to light.
- If there is insufficient or out-of-date contact information for 10 or more affected individuals, substitute notice must be provided either by a conspicuous posting on the home page of the covered entity’s or business associate’s website for 90 days or through a major print or broadcast outlet in the geographic area where the individuals likely reside.
- Substitute notice in that case must include a toll-free phone number, active for at least 90 days, where an individual can learn whether his or her PHI was involved.
- If insufficient or out-of-date contact information is available for fewer than 10 individuals, covered entities or business associates can provide substitute notice by telephone, in writing by an alternative means, or by other means.
- The HITECH Act refers to “written” notice, so if a person has agreed to telephonic notice, the covered entity or business associate can call and say the notice is available to be picked up in person. If the individual will not travel to pick it up, the information can be provided over the phone, but the covered entity or business associate should document what was done, and OCR will exercise discretion in determining whether written notice was provided.
- For health plans, a single notice can be sent to participants, spouses and dependents so long as they all live at the same address and the notice makes it clear as to which persons at that address the notice applies.
- Direct notice to the individual is not waived when a breach affects a threshold number of individuals.
- Where notices are returned as undeliverable, contact information can be corrected and notice re-sent, so long as this is done promptly and no later than 60 days from the discovery of the breach.
NOTICE TO MEDIA AND SECRETARY
When a breach involves more than 500 residents of a state or jurisdiction, notice must also be provided to prominent media outlets serving that state or jurisdiction. If 500 or fewer affected individuals reside in any one state or jurisdiction, media notice is not required, but notice to the individuals and, as described below, to the Secretary still is.
Posting a press release on the covered entity’s or business associate’s website does not fulfill the media notification obligation, but providing the press release directly to prominent media outlets does. The media outlets, however, are under no obligation to print the notice.
The Secretary must be notified “immediately” regarding breaches involving 500 or more individuals, regardless of whether they all reside in the same state or jurisdiction. “Immediately” means notice must be provided to the Secretary at the same time notice is provided to the affected individuals.
The notice to the Secretary must include: (i) the name of the covered entity or business associate, (ii) the state where it is located, (iii) the number of individuals affected, (iv) the date of the breach, (v) the type of breach (e.g., theft, loss, unauthorized access) and (vi) the location of the breached information (e.g., laptop, paper record, desktop computer). OCR publishes instructions for completing and submitting the breach report form on its website.
For breaches involving fewer than 500 individuals, the covered entity or business associate must keep a log of such breaches and submit them to the Secretary annually, no later than 60 days after the end of the calendar year in which the breaches were discovered (not the year in which they occurred).
Covered entities (including employer-sponsored group health plans) and their business associates should:
- Develop and document policies and procedures for reporting incidents, undertaking risk assessments and for notifying affected individuals where a breach has been deemed to have occurred. Existing risk assessment policies also should be updated to reflect the new factors for analysis;
- Train their workforce members in these policies and procedures;
- Permit individuals to file complaints regarding failures to follow these policies and procedures;
- Consider the extent to which PHI could be encrypted to avoid future breaches;
- Implement sanctions for workforce members who cause breaches; and
- Prohibit retaliation or intimidation of those reporting or uncovering breaches or potential breaches.
If you have any questions about these breach notification requirements, or any other aspect of the Omnibus HIPAA Regulations, please contact any of our Employee Benefits or Health Care Professionals.