Changes to the Breach Notification Rule
March 2013—As previously discussed in our last Link article, the Office for Civil Rights of the US Department of Health & Human Services (OCR) recently issued its long-awaited final regulations modifying the HIPAA privacy, security, enforcement, and breach notification rules (the HIPAA Megarule).
The HIPAA Megarule becomes effective on March 26, 2013, and compliance will be required by September 23, 2013. Briefly summarized below are the changes to the Breach Notification Rule, which are of particular interest to radiologists and their practices given the volume of patient information they handle.
The HIPAA Megarule, its impact on radiology providers, and steps that they will need to take to comply with the law, will be given more detailed treatment in the upcoming March/April issue of Radiology Management.
Changes to Breach Notification Rule
For nearly three years, providers have had to implement the breach notification regulations mandated by the HITECH Act (the Breach Notification Rule) in the manner set forth in the August 24, 2009 interim final rule on breach notification (the IFR). By way of brief background, the Breach Notification Rule requires covered entities to notify both affected patients and the government when specific kinds of security breaches occur involving an unauthorized use or disclosure of unsecured protected health information (PHI). The HIPAA Megarule made two primary changes to the Breach Notification Rule.
First, and possibly most importantly, the HIPAA Megarule establishes a presumption that any unauthorized use or disclosure of unsecured PHI is a “breach.”
Second, since the publication of the IFR in 2009, stakeholders have speculated as to what, if any, changes would be made to its “risk of harm” standard, under which providers could avoid notification if they determined that the unauthorized use or disclosure did not pose “a significant risk of financial, reputational, or other harm to the individual.” The HIPAA Megarule purports to remove the IFR’s “harm standard” and replace its subjectivity with a more objective and detailed standard: whether the PHI has been compromised.
Thus, combining the two changes, under the HIPAA Megarule, any situation involving an impermissible access, acquisition, use or disclosure of PHI is presumed to be a breach unless the covered entity is able to demonstrate that there:
“is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.”
It remains to be seen whether the revisions to the Breach Notification Rule represent a material shift in policy or will change the outcome of the breach/notification determination of providers. Interested parties should continue to monitor developments.
It is our opinion, however, that the changes to the Breach Notification Rule are ultimately minor, at least with respect to the outcome of the “breach or no-breach” analysis that most providers will reach when they conduct their risk assessment. Just last week, Leon Rodriguez, Director of OCR, indicated his agreement with this analysis in a speech to the American Bar Association’s Health Law Section at its Emerging Medical Issues Conference. In that speech, Mr. Rodriguez indicated that he believes breaches are significantly underreported, but that for the 98% of providers who are doing things correctly, the breach/no-breach outcome, and the decision trees they use to reach it, will not be significantly affected by the final HIPAA Megarule, since in most cases the decisional factors will work the same way.
Nevertheless, OCR has promised to issue additional guidance to aid covered entities and business associates in performing risk assessments for frequently occurring scenarios. It is possible that OCR will use such guidance to shape the risk assessment process, whether by tightening or loosening the breach/notification determination or by maintaining the status quo.
In any event, radiology providers should update their federal breach notification policies to reflect the HIPAA Megarule changes, and should scrupulously document any risk assessment they undertake, using guidance from both the IFR and the HIPAA Megarule.
Adrienne Dresevic, Esq. graduated magna cum laude from Wayne State University Law School. Practicing healthcare law, she concentrates in Stark and fraud/abuse, representing various diagnostic imaging providers, e.g., IDTFs, mobile leasing entities, and radiology and multi-specialty group practices.
Clinton Mikel, Esq. graduated from the University of Michigan Law School. Practicing healthcare law, he concentrates in Stark, fraud/abuse, telehealth/telemedicine, compliance, and the corporate and financial aspects of healthcare practice.
The authors are members of The Health Law Partners, P.C. and may be reached at (248) 996-8510 or (212) 734-0128, or at www.thehlp.com.