Final rule makes changes to HIPAA regs and HITECH Act and could lead to more breach notifications
On January 25, the Department of Health and Human Services (HHS) released its “Final Rule”, an update to several privacy and security protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Along with protecting a patient’s privacy and providing individuals with rights to access their health information, the rule modifies the definition of breach for protected health information (PHI).
The Breach Notification Rule, mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), was originally issued in 2009 as an “interim final rule” and defined a breach as a use or disclosure of PHI that caused “a significant risk of financial, reputational or other harm to the individual.” This meant that any covered entity (CE) under HIPAA could determine whether or not a breach had occurred by conducting a risk-of-harm assessment, analyzing the individuals affected by the incident that involved the PHI. Covered entities could also use this analysis to determine whether or not the incident required notification to HHS and what the content of that notification should be.
Under the new rule, HHS has declared that any impermissible use or disclosure of PHI is presumed to be a breach, unless the CE can demonstrate that the PHI has not been compromised. Rather than focusing strictly on the individuals harmed by the breach, CEs must assess the risks related to a variety of factors, including:
- The nature and extent of the PHI involved
- Any unauthorized person who used the PHI or to whom the PHI was disclosed
- Whether or not the PHI was actually viewed or acquired
- The extent to which the risk to the PHI has been mitigated
The Final Rule also affects the liability of vendors, or business associates (BAs – lawyers, consultants, medical transcriptionists, etc.), who have access to PHI. BAs are now directly liable for compliance breaches for:
- Impermissible uses and disclosures
- Failure to provide breach notification to the covered entity
- Failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee.
- Failure to disclose PHI where required by the Secretary of HHS to investigate or determine the BA’s compliance with the HIPAA Rules.
Breaches must be reported to HHS within a certain time period as well, depending on the number of people involved. Large breaches (500 people or more) must be reported as soon as the affected patients have been notified. For breaches involving fewer than 500 people, a CE or BA must notify HHS within 60 days of the last day of the calendar year in which the breach was discovered. In addition, CEs and BAs should expect frequent requests for information about the breach from the Office for Civil Rights, which holds enforcement authority over the Privacy and Security Rules of HIPAA. While the Final Rule becomes effective March 26, CEs and BAs will have up to 180 days (until September 22, 2013) to comply with the new regulations.
According to HHS, HITECH does not pre-empt state law, and HHS treats state regulation as the primary basis for PHI protection. Some states may have stricter rules than others regarding the timeliness of breach notification, notification to state agencies, and the content of the notification. Therefore, organizations should seek counsel on these issues to ensure they are in compliance with state laws.
So what can CEs and BAs do to prepare for the Final Rule? The following should be considered:
- Update any existing incident response plan
- Update existing policies & procedures regarding confidential information
- Complete breach analysis forms
- Education and awareness for employees
- Review vendor list and all vendor contracts
- Update risk management plans
- Consider purchasing Cyber Insurance
Cyber Insurance should be considered by any CEs or BAs that are affected by the Final Rule. In addition to providing coverage for third-party privacy lawsuits, it can also include coverage for costs incurred by the CE or BA for notification, credit monitoring services, forensics, public relations, or defense costs in relation to a regulatory action.
About the Author
Michael Sullivan is a Client Executive in the Property & Casualty group at William Gallagher Associates. His responsibilities include negotiating and placing specialized insurance programs with a variety of clients in the Technology Life Science, Energy and Clean Technology industries.