Few will mourn the loss of the ambiguous “harm threshold” requirement. Patient privacy advocates perceived the harm threshold to be subjective, which led “to inconsistent interpretations and results,” according to the HIPAA Final Omnibus Rule published by the U.S. Department of Health and Human Services (HHS).
Under the Breach Notification Interim Final Rule, a breach crossed the harm threshold if it “posed a significant risk of financial, reputational, or other harm to the individual.” The rule required healthcare organizations to perform an incident risk assessment to determine if a breach crossed the harm threshold standard and thus required notification.
Opponents claimed that placing the burden of proof for determining this “risk of harm” on covered entities caused huge (subjective) variances in the definition of a notifiable breach, leaving affected individuals at risk for harm, while burdening HHS to judge if the assessments met the intent of the rule. It didn’t help that healthcare organizations lacked clear guidance on how to conduct such an assessment, even though the rule had the right intent by recognizing that there are real patients behind protected health information (PHI) and when PHI is compromised these patients can suffer real harm — medical, reputational and/or financial.
The HIPAA Final Omnibus Rule seeks to better protect patients by removing the harm threshold. Covered entities and their business associates must still conduct an incident risk assessment for every data security incident that involves PHI. Rather than determine the risk of harm, the risk assessment determines the probability that PHI has been compromised, based on four factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
These factors should be considered in combination and not in isolation when conducting a risk assessment. If an entity has an incident and its risk assessment concludes that there was a very low probability that the PHI was compromised, it may choose to not notify the affected individuals or the Department of Health and Human Services Office for Civil Rights (OCR). However, the Final Omnibus Rule requires that the entity maintain a “burden of proof” if its conclusions are called into question. If the OCR investigated the covered entity, the entity would be required to provide conclusive documentation of its incident risk assessment and analysis as to why the incident did not result in a “compromise” of PHI. If the entity doesn’t meet that burden of proof, it could be found to have been negligent in not notifying the affected individuals and subject to substantial fines, penalties, and corrective action.
Organizations still required to “mitigate” harm
Even though the HIPAA Final Omnibus Rule eliminates the “significant risk of harm” phrase and its application during breach risk assessment, it still requires covered entities and business associates to “mitigate harm to individuals” through individual notification. This makes it clear that notification should describe the steps the covered entity or business associate “is taking to mitigate potential harm to individuals resulting from the breach and that such harm is not limited to economic loss.” In fact, some of the comments that HHS received suggested that the notification letter identify the level of potential harm to individuals so they could better protect themselves. So even though the harm threshold is no longer part of the risk assessment, it should play an important role in how a breached entity responds to the breach.
Now harmonious: State and federal breach notification laws
Another key outcome of the revised breach definition and the risk assessment requirement in the HIPAA Final Omnibus Rule is that federal and state breach notification laws are more in sync.
Most states already require a risk assessment to determine the probability that PHI was compromised. The Final Omnibus Rule clarifies that only contrary state laws are to be preempted by the federal breach law. This should help covered entities and business associates create a consistent risk assessment approach to ensure compliance with HIPAA-HITECH and state breach laws.
Enforcement by the Office for Civil Rights
OCR will enforce the final breach notification rule in accordance with the HIPAA Enforcement Rule. OCR may work with covered entities to achieve voluntary compliance through informal resolution or may impose a civil money penalty for a failure to comply with the breach notification rule. The rule provides an exception to voluntary resolution in the case of violation due to willful neglect. The OCR also has the authority to impose a civil money penalty for violation of the HIPAA Privacy Rule, even in cases where the entity made all required breach notifications.
What you should do
The Final Omnibus Rule is effective on March 26, 2013; covered entities and business associates must comply with the applicable rules of the final rule by September 23, 2013.
Despite the removal of the harm threshold as one of the factors in the risk assessment process, there’s good news for covered entities and business associates that already comply with the Breach Notification Interim Final Rule, which became effective on September 23, 2009. They are well positioned to comply with the final rule given the limited scope of changes in the final rule. For example, the final rule retained all the exceptions allowed by the interim final rule except the limited data set exception. In addition, the rules around incident discovery and notification timelines remained virtually unchanged.
For those organizations that have yet to comply, however, the six-month window for compliance will be a challenge. They must put in place the appropriate operational mechanisms — policies, procedures, methodologies — for carrying out the incident risk assessments that are required in the Breach Notification Rule, and document their results in such a way as to maintain a burden of proof that will stand up to an audit or investigation by OCR.
There will be little tolerance for lack of compliance going forward if OCR makes good on the comments that the agency received for auditing and evaluating entities’ risk assessment and documentation process when carrying out compliance audits required by the ARRA.
Doug Pollack, CIPP, chief strategy officer at ID Experts, has over 25 years of experience in computer systems, software, and security concerns focusing on creating successful new products in new emerging markets.
Mahmood Sher-Jan, CHPC, vice president of product management at ID Experts, brings over 25 years of analytical solutions development and deployment across healthcare, financial, and retail industries. Sher-Jan holds patents in fraud prevention and secure ID solutions.