On January 17, 2013, the Department of Health and Human Services (“DHHS”) released its draft long-anticipated Omnibus Rule amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules as required to implement the HITECH Act and the Genetic Information Nondiscrimination Act of 2008. The Omnibus Rule is effective March 26, 2013, and compliance is required with respect to most provisions no later than September 23, 2013. One of the major changes was to the breach notification rule.
Some commentators stated that DHHS did away with the risk analysis requirement of the breach notification rule. Such is not the case. Rather, DHHS refined it by specifying factors to consider (which sounds like a risk analysis to me!).
Previously, covered entities only had to notify DHHS and the individuals at risk of the breach if a risk of harm existed. The HITECH Act replaced the harm threshold that had imposed a notification requirement only where there was a “significant risk” of harm to an individual by a presumption that any acquisition, access, use, or disclosure of PHI not permitted under the HIPAA Privacy Rule was a breach unless a covered entity or business associate could demonstrate that “there is a low probability that the [PHI] has been compromised based on a risk assessment.” The risk assessment must include consideration of the following four factors:
• Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
• Unauthorized person who used the PHI or to whom the disclosure was made.
• Whether the PHI was actually acquired or viewed.
• Extent to which the risk to the PHI has been mitigated.
As to the first factor, covered entities need to focus on whether sensitive data, such as Social Security numbers and detailed clinical information, are involved in a breach. DHHS has noted that such sensitive data “could be used by an unauthorized recipient in a manner adverse to the individual or otherwise used to further the unauthorized recipient’s own interests.”
With respect to the second factor, disclosures to another HIPAA-regulated entity or to a federal agency, for example, may result in a “lower probability that the [PHI] has been compromised since the recipient of the information is obligated to protect the privacy and security of the information in a similar manner as the disclosing entity.”
The third factor will often involve an analysis of whether PHI contained on a lost or stolen laptop or other portable electronic device actually was viewed or accessed, for example, whether the device was protected by a sophisticated password system.
The fourth factor might involve contacting an unauthorized recipient of the PHI to obtain “satisfactory assurances” that any PHI sent to the recipient was not further used or disclosed but instead destroyed. This fourth factor, whether the risk has been mitigated, adds even more emphasis to the Security and Privacy Rule’s mitigation requirement. Now, not only must you mitigate (lessen) the harm of a breach, but doing so early on may also keep you from having to report the breach.
DHHS noted in the Omnibus Rule that it will issue future guidance on risk assessments associated with breaches, hopefully before September 23, 2013, when the new risk assessment requirement for breaches becomes effective. Until that further guidance occurs, however, it is critical that organizations focus on identifying any gaps in compliance that led to an incident and closing those gaps to ensure that another similar incident will not occur.