HITECH Update: New HHS Rule Expands Notification Requirements for Breach of Privacy
by Wayne Kinkade and David Briggs
Saalfeld Griggs PC
Let’s face it: your employees can do things that make you shake your head. Like leaving a practice laptop in a car overnight, where it gets stolen. Or snooping into patient records to get a friend’s treatment information. Or, as in the case of an east coast clinic, an employee recognizes a patient as the boyfriend of a sister-in-law and texts the sister-in-law that the patient is being treated for an STD.
As we approach the ten-year anniversary of the HIPAA Privacy Rule, we’re all aware that protected health information (PHI) needs to be treated with the utmost care. When practices fall short of that standard, that is to say there is a breach of privacy, patients need to be notified.
In January, the U.S. Department of Health and Human Services (HHS) issued a final rule altering the definition of “breach” under the HITECH Act. The new definition expands the circumstances that constitute a breach of the privacy of a person’s protected health information.
Once a breach of a person’s protected health information occurs, a practice is obligated to inform patients of that breach. So, HHS’s expansion of that definition will lead to more notifications to patients.
The HITECH Act defines a “breach” as the “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
The Old Rule
In an interim rule issued by HHS in 2009, the agency took that statute to mean that a breach occurred when the unauthorized access or use posed a significant risk of financial, reputational or other harm to the patient. This standard focused on whether the patient was likely to be injured by the disclosure of the information.
The New Rule
The new rule instead focuses on whether the information has been compromised. Practices need to conduct a case-by-case risk assessment to determine whether the information has been compromised, and notification is required unless that assessment shows a low probability of compromise. The assessment needs to include at least the following four factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
HHS provided some examples to flesh out this standard. In doing so, HHS recognized that while notification is required in many cases, there are certain instances where it wouldn’t be appropriate. Too much notification would cause unnecessary anxiety, and if such notifications became routine they would likely create apathy.
One example where notification probably wouldn’t be required is in the situation where a practice misdirects a fax containing protected health information to the wrong physician, and upon receipt, the receiving doctor calls the covered entity to say he or she received it in error and has destroyed it. In that case, the practice can likely demonstrate a low risk that the information has been compromised, although HHS admonished that the practice would have to perform its own risk assessment.
HHS also discussed the “lost/stolen laptop” scenario. Leading up to the rulemaking, many practices had argued that notification should not be required if the laptop was recovered and a forensic analysis showed that no one had accessed any PHI. HHS disagreed: the loss of the laptop is itself sufficient to pose a risk to the PHI, so practices should be alerting patients upon discovering that the laptop is missing and cannot delay notification “based on the hope that the computer will be recovered.” Keep in mind that the notification obligation attaches to unsecured PHI; the practical lesson is that encrypting the device consistent with HHS guidance before it goes missing, not recovering it afterward, is what keeps a lost laptop from becoming a reportable breach.
HHS did give practices flexibility in describing what is being done in response to a breach. If employees were disciplined because of the breach, an employer may choose to describe the sanctions generally, such as saying they have been appropriately disciplined. The new rule doesn’t require practices to include the names of the employees involved.
Three Exceptions to Notification
The final rule contains three statutory exceptions to the definition of “breach”:
- A breach excludes any unintentional access or use of protected health information by an employee, if the access or use was made in good faith and within the scope of authority and does not result in further use or disclosure. HHS expressly stated that snooping employees do not fit in this exception because the access was neither unintentional nor done in good faith.
- A breach excludes inadvertent disclosures of protected health information from a person who is authorized to access PHI at a covered entity to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement in which the covered entity participates.
- Also exempted are disclosures of protected health information where a covered entity or a business associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Audit Risks and Notable Breaches
ARRA (the American Recovery and Reinvestment Act, of which HITECH is a part) authorizes HHS to audit practices on their compliance with privacy, security and breach notification policies and procedures. HHS’s Office for Civil Rights just completed its first round of audits in December.
Among the practices that came under scrutiny was a Phoenix cardiology group that inadvertently posted patients’ PHI on a publicly available internet-based calendar. The group paid a penalty of $100,000 and instituted a corrective action plan. Separately, a Massachusetts hospital was fined $750,000 after it hired a third party to dispose of unencrypted data that was never destroyed.
HHS has not announced any additional audits, but it seems likely that HHS will ramp up enforcement again before long.
In addition to civil liability, more individuals are being criminally prosecuted for accessing PHI. For example, an employee of UCLA Health Systems was prosecuted for accessing celebrity PHI. The court allowed the case to proceed even though the employee claimed that he didn’t know the law prohibited him from snooping.
HHS emphasized the importance of ensuring that staff are properly trained and knowledgeable about what constitutes a breach and how to handle PHI the practice inadvertently receives from another provider. Practices should also train their employees on the policies and procedures for reporting, analyzing and documenting a possible breach of unsecured PHI.
The final rule also requires modifications to and redistribution of a covered entity’s notice of privacy practices. The final rule is effective March 26, 2013, but practices have until Sept. 23, 2013, to comply with its requirements.
Contact Wayne Kinkade or David Briggs at Saalfeld Griggs for more information about the new HHS requirements or how to update your privacy practices.