Legal Health Information Exchange

Lessons from the Idaho State University CAP

kmonticello@oscislaw.com (Krystyna Monticello) — Thu, 13 Jun 2013 10:20:53 -0500

Back in 2011, Idaho State University (Idaho State) experienced a breach of PHI affecting approximately 17,500 individuals after firewalls on its servers were disabled at one of its outpatient clinics. It appropriately notified HHS in August of that year whereafter (surprise, surprise) HHS informed Idaho State that it would be investigating Idaho State's compliance with HIPAA.

HHS released news of its settlement with Idaho State on May 21, 2013, with Idaho State agreeing to pay $400,000 as part of the Corrective Action Plan (CAP) to resolve allegations that:

It did not conduct a risk analysis for over 5 (five) years;
It did not implement security measures sufficient to reduce risks and vulnerabilities to ePHI for that same period;
It did not implement procedures to regularly review information systems activity for that same period.

As part of the CAP, Idaho State, which operates as a hybrid entity with several covered entity components, must beef up its documentation and specifically designate its covered entity components (i.e., its outpatient clinics). Unsurprisingly, Idaho State is also required to provide HHS with its most recent risk management plan and information systems activity policies for "review and approval" by HHS. Idaho State must also complete and submit a compliance gap analysis indicating all changes to compliance status with the required provisions of the Security Rule.

Although Idaho State experienced a breach of PHI AND was informed in November of 2011 that HHS was investigating its compliance with HIPAA, according to HHS, Idaho State did not get around to performing a risk assessment, reviewing information systems activity or identifying gaps in security measures until the summer of 2012 and post-Thanksgiving, November 26, 2012. It is baffling that, after experiencing a breach which was caused by firewall protections being physically disabled for over 10 months, Idaho State appears to have not done much to assess and safeguard against future problems.

Or did it? Maybe it was just too little, too late. But part of Idaho State's problem could simply have been that it couldn't prove what steps it had taken towards HIPAA security compliance. Although Idaho State clearly dropped the ball in failing to realize firewalls protections were disabled for almost a year at its Pocatello Family Medicine Clinic, it may have been more compliant than the CAP suggests and simply had nothing to show.

Increasingly, covered entities are realizing that saying and believing they are HIPAA compliant is about as effective with OCR as your teenager telling you he cleaned his room as he runs out the door to the movies. It's like high school all over again - if you can't "show your work" and prove your HIPAA compliance through documentation, regular reports and reviews, and clearly defined privacy and security policies procedures, OCR simply isn't going to buy it when they show up at your door.

To be sure, many covered entities have been completely lax about security until now. Conducting a comprehensive risk assessment (documenting that it was done and periodically reviewed) and having processes in place for ongoing risk management are some of the biggest things OCR has repeatedly been driving home. Too often, as Idaho State's CAP illustrates, security risk assessments are inadequate and fail to properly identify security risks and vulnerabilities to ePHI.

On the other hand, many covered entities think that they are compliant with the Security Rule, but really aren't. A covered entity may conduct a risk assessment of its EHR or EMR, for example, but fail to assess the security risks and vulnerabilities associated with other systems that feed into it or maintain PHI, or with workflow processes, resulting in PHI accidentally being made available online (think Phoenix Cardiac Surgery or Stanford Hospital). Furthermore, where risks and vulnerabilities are identified, appropriate security measures are not always evaluated and action taken as needed to correct them.

As we can see from Idaho State, performing a comprehensive risk assessment now isn't necessarily going to cure your failure to do so before and an overwhelming number of covered entities could still be in the hotseat even if they are actively beefing up their HIPAA privacy and security. And there's still the risk that what has and is being done is simply too little to satisfy OCR.

However, good faith efforts and diligence to bring your organization into compliance with the Security Rule implementation standards and specifications will go a long way toward lessening the likelihood and impact of an unwanted OCR investigation, not to mention minimizing the risk of breach and harm to your patients and organization. It is far easier to seek forgiveness for past transgressions from OCR with a robust updated HIPAA security management program in hand.

ONC Releases Governance Framework for Trusted HIE

kmonticello@oscislaw.com (Krystyna Monticello) — Mon, 06 May 2013 17:35:03 -0500

After backtracking on developing "Rules of the Road" for trusted electronic health information exchange (HIE) last year, ONC has released its promised Governance Framework for HIE after months of collaboration with stakeholders. Crafted through public listening sessions, hearings, partnerships and the NHIE Governance Forum, the Governance Framework,

Reflects what matters most to ONC when it comes to national health information exchange governance and the principles in which ONC believes,

stated Dr. Mostashari last Friday in his Health IT Buzz Blog. Short and sweet, the Governance Framework provides guidelines for the governance of HIE.

The Governance Framework sets forth four sets of principles for HIE which are specifically geared towards HIOs and other entities that set HIE policy such as state agencies and partnerships:

Organizational principles, focusing on transparency and openness, inclusiveness, oversight and enforcement;
Trust principles, focusing on meaningful choice to participate in HIE and to limit types of data exchange, transparency in privacy and security practices, and the accuracy of information;
Business principles, providing open access and standards to promote collaboration; and
Technical principles, ensuring technology can accomodate exchange through the use of standards and implementation specifications, testing and collaboration with voluntary consensus standards organizations.

Of particular interest is the recommendation that HIOs provide a "Notice of Data Practices" entirely separate from the Notice of Privacy Practices each participating organization in an HIO would provide to its patients describing HIE activities. The Notice would describe not only uses and disclosures of identifiable information, but de-identified information as well.

Furthermore, organizational principles would include,

[P]romot[ing] inclusive participation and adequate stakeholder representation (especially among patients and patient advocates) in the development of policies and practices.

Another recommendation would prompt HIOs to maintain and publish statistics on their exchange capacity, including number of users and patients, type of standards implemented and transaction volume, as well as to disseminate "up-to-date" information on compliance with statutes and regulations, best practices and even potential security vulnerabilities.

Is the Governance Framework helpful to HIOs? Maybe. It does NOT

Prescribe specific solutions but lays out milestones and outcomes that ONC expects for and from HIE governance entities as they enable electronic HIE.

It is a far cry from guidance for the every day problems HIOs are faced with as expressed by numerous stakeholders to ONC, such as sharing data across state lines, sustainability, variations in standards between providers and HIOs, and differences in policies governing who may access patient data (i.e., clinicians only vs. administrative and other personnel).

It does, however, provide at least a "common founation" for HIOs to build their organizational structure and policies upon. And it's better than a set of regulations and rules for HIE and HIOs that no one is ready for.

To read the full Governance Framework and for additional information on ONC's HIE activities, visit ONC's HIE Governance website.

EHR Vendor Loses Meaningful Use Certification

kmonticello@oscislaw.com (Krystyna Monticello) — Sat, 27 Apr 2013 12:58:07 -0500

HHS announced on Thursday that two EHRs have had their Meaningful Use certification revoked. EHRMagic-Ambulatory and EHRMagic-Inpatient, which are developed by EHRMagic, Inc., were previously certified for the Medicare and Medicaid EHR Incentive Programs. It is the first time that a certified EHR has had its certification status revoked.

ONC and InfoGard Laboratories, an ONC authorized certification body for Meaningful Use, both were notified that the EHRs did not provide required functions and shouldn't have passed certification. After retesting, the EHRs failed.

ONC has made it clear that certification is an ongoing process. Dr. Mostashari stated,

We and our certification bodies take complaints and our follow-up seriously. By revoking the certification of these EHR products, we are making sure that certified EHR products meet the requirements to protect patients and providers."

Eligible professionals and hospitals who purchased the decertified EHRs will have no choice but to implement an alternative EHR in order to continue participating in Meaningful Use. EHRMagic customers now are in a difficult situation, with significant costs, downtime and retraining to transition to a new EHR as well as loss in incentive payments they would have otherwise been potentially eligible for.

iHealthBeat.org reports that no one has attested to Meaningful Use using the EHRMagic products yet, according to Peter Ashkenaz, an ONC spokesperson. These means that EHRMagic customers will at least not be faced with potential recoupment of payments. It remains unclear what liability EHRMagic may have to its customers for failing to retain certification for its EHR products.

Proposed Rules Extend EHR Donation Sunsets for Stark and Anti-Kickback

kmonticello@oscislaw.com (Krystyna Monticello) — Mon, 22 Apr 2013 13:46:35 -0500

Earlier this month, CMS and OIG proposed amendments to and extension of the temporary Stark exception and Anti-kickback safe harbor for electronic health record (EHR) donations to physicians. The Proposed EHR Rules would extend the deadlines for EHR donations which are set to expire December 31, 2013.

The Proposed EHR Rules come at a perfect time, when many organizations are adopting EHRs for purposes of participating in the Medicare and Medicaid EHR Incentive Programs ("Meaningful Use"). Although the OIG Proposed Rule would extend EHR donations until at least December of 2016, the CMS Proposed Rule contemplates extending EHR donations through December of 2021 to align with the end of Medicaid Meaningful Use.

The Anti-kickback Statute prohibits referrals for federal health care business. Certain "safe harbors" provide assurances that certain conduct will not violate the Anti-kickback Statute. One of these safe harbors, the EHR safe harbor, permitted certain EHR donations of interoperable EHRs and other technology and services.

The OIG Proposed Rule would:

Amend how interoperable EHRs are treated, permitting also certified EHR technology adopted for purposes of Meaningful Use;
Remove the e-prescribing capability requirement; and
Extend the sunset date of the safe harbor to coincide with the end of Medicare Meaningful Use payments and the last year in which one can begin participating in Medicaid Meaningful Use.

OIG also requests public comment on additional amendments, such as limiting the scope of protected donors to only hospitals group practices, PDP sponsors and MA organizations. It also requests comment on modifying or adding conditions to prevent risk of misuse of the EHR safe harbor and limit the risks of data and referral lock-in.

The Stark Law prohibits physician self-referrals for designated health services payable by Medicare. The Stark Law allows for certain exceptions which an arrangement must fit into. Almost identical to the EHR safe harbor under the Anti-kickback Statute, the EHR exception also allowed for donations of interoperable EHRs.

Like the OIG Proposed Rule, the CMS Proposed Rule would likewise amend what interoperable EHRs are permitted to include those adopted for Meaningful Use, remove the e-prescribing capability requirement, and extend the sunset date of the safe harbor. Both CMS and OIG acknowledged that e-prescribing is adequately provided for by Meaningful Use and the Medicare E-Prescribing Incentive Program. However, while CMS proposes to extend the sunset date to December 2016, it acknowledges that it is contemplating extending EHR donations through December 2021.

Comments to the EHR Proposed Rules are due no later than 5pm EST on June 10, 2013.

Joy Pritts, Special Guest Speaker at Seton Hall Law - HIPAA, HITECH and Our Cyber World

helen@oscislaw.com (Helen Oscislawski) — Mon, 15 Apr 2013 21:28:20 -0500

This coming Friday, April 19th, Seton Hall Law in collaboration with the Bergen County Prosecutor’s Office is offering a fantastic event called: “HIPAA, HITECH & Beyond: Protecting Healthcare Data in Our Cyber World”, which promises to examine current issues, enforcement trends, and regulations relevant to healthcare with data privacy experts who counsel hospitals, providers, and other healthcare facilities. Joy Pritts, Chief Privacy Officer for ONC will be a Special Guest Speaker, and I am honored to also be among the distinguished list of Faculty for this event. If you can, I hope that you might consider joining me this Friday at Seton Hall. To register, visit: htttp//www.law.shu.edu/healthcaredata.com. (Up to 6.0 hours NY/NJ CLE available)

Meaningful Use Sees Impressive Payouts since Beginning

kmonticello@oscislaw.com (Krystyna Monticello) — Wed, 27 Mar 2013 08:32:47 -0500

CMS recently released the numbers for the Medicare and Medicaid EHR Incentive Programs through February 2013. About $12.6 billion has been paid out to participants by the program so far.

Although only 4,299 hospitals are actively registered for Meaningful Use, over 380,000 EPs are registered, with about 234,000 providers combined receiving payments through February 2013. CMS greatly exceeded the goal it had set for the program for 2012 of 100,000 participants, which had been reached by last summer.

On the state side, California, Florida, New York, Texas and Pennsylvania lead the way in the amount of payments made to EPs and hospitals, as well as total number of participating providers. New Jersey has 6,891 participating providers as of February 2013 with $318,261,098 paid out.

Visit the CMS Data and Program Reports page for up-to-date Meaningful Use payment and registration information.

HHS Releases RFI on Interoperability and HIE

kmonticello@oscislaw.com (Krystyna Monticello) — Thu, 07 Mar 2013 08:05:30 -0500

HHS, CMS and ONC have released a Request for Information (RFI) seeking input on policies and programs to encourage health information exchange (HIE) through interoperable systems. Although the Medicare and Medicaid EHR Incentive Programs and other federal efforts are rapidly increasing the adoption of standards based HIE and EHR technology,

This alone will not be enough to achieve the widespread interoperability and electronic exchange of information necessary for delivery reform where information will routinely follow the patient regardless of wheter they receive care....

The overarching goal is to develop and implement a set of policies that would encourage providers to routinely exchange health information through interoperable systems in support of care coordination across health care settings.

HHS therefore seeks comment on several options for encouraging HIE among providers and settings of care through a hodge-podge of existing statutory vehicles (primarily CMS and ONC programs and projects). In addition to requesting comment on these existing vehicles, CMS and ONC seek to identify what is currently working to encourage HIE, and which changes would have the biggest impact on HIE adoption, including regulatory requirements.

Furthermore, although long neglected under the EHR Incentive Programs, CMS and ONC specifically seek comment on what policies and programs would have the most impact on post-acute and LTC care providers as well as behavioral health. They ask for insight into how these programs and policies should be implemented and developed to maximize care coordination and quality improvement for these populations. In addition, CMS and ONC specifically seek comment on policies and programs which would most impact patient access and use of their electronic health information for management of their care.

Post-Acute and Long-Term Care Providers. HHS acknowledges the low rates of EHRs and HIE among LTC and post-acute care providers and identifies existing authority which could be leveraged to expand HIE. These include incorporating HIE as key components of:

Medicaid health homes;
Demonstration and pilot projects under Medicaid and the Childrens Health Insurance Program (CHIP);
Home and community based services (HCBS), which would include LTC;
State expansions of HIE infrastructure as part of the Medicaid EHR Incentive Program, and
CMS Conditions of Participation or Coverage

Settings of Care. HHS additionally acknowledges the need to accelerate HIE across providers, including ambulatory care, behavioral health, laboratory, and post-acute and LTC. For example, HHS seeks comment on:

New e-specified measures for exchanging summary records following transitions of care aligned with CMS quality reporting programs, including the EHR Incentive Programs;
Medicare Shared Savings Program, requiring or encouraging Accountable Care Organization (ACO) to engage in HIE as part of coordination of care;
Payment and service delivery model testing under the Affordable Care Act, such as demonstration of use of interoperable technology for HIE to facilitate model participation decisions and requirements;
Model testing to align Medicare and Medicaid financing and care integration under the Capitated Financial Alignment model.

Consumer and Patient Engagement. HHS and CMS seek to encourage engagement of patients in their care by improving their access to health information and electronic communication between their health care providers. Options to encourage consumer and patient engagement include:

Incorporating new measures into Medicare Advantage Program consumer assessment serveys (CAHPS);
Blue Button availability to all CMS beneficiaries;
Payment and service delivery model testing under the Affordable Care Act, such as demonstration of incentives for consumers to more actively participate in their health; and
Direct access to lab results from laboratories (CLIA and HIPAA Amendments).

The RFI will be published today in the Federal Register. Comments may be submitted up to 5pm on April 22, 2013.

What Do I Need To Do to Comply with the HITECH Omnibus Rule? (the short version, please)

helen@oscislaw.com (Helen Oscislawski) — Mon, 04 Mar 2013 21:02:06 -0500

The HITECH Omnibus Rule clocked-in at 563 pages, and we have read, digested and condensed the nuts and bolts for you here in our February 2013 edition of our Health Law Diagnosis newsletter. But if 11 pages is still too long for you, then here is a checklist that bullets out the basics of what Covered Entity Health Care Providers need to know in order to update their compliance programs for HITECH & the Omnibus Rule:

Update the following HIPAA Policies & Procedures:
- Patient Rights to Access: Patients now have a right to an electronic copy of their ePHI. An updated policy should address processes for how much data the patient can get; how much you can charge for producing electronic formats; security safeguards to be applied with transfer of ePHI to the patient, and others issues.
- Patient's Right to Restrictions: When a patient pays for services "out-of-pocket" and in full, you must abide by any request the patient makes to restrict PHI generated from that visit from being disclosed to their health plan. The procedures should address how to flag such episodes in the record and abide by the restriction; informing patients that if disclosures are "required by law" then their restriction would not prevent such disclosures; how to notify individuals that the restriction only applies to the provider restricting disclosures to the health plan, and does not necessarily prevent downstream disclosures (i.e., if a prescription is sent to the pharmacy, then the pharmacy may submit a claim for payment to the patient's health plan).
- Fundraising: You must provide a "clear and conspicuous" opportunity for individuals to opt-out of future fundraising communications. You cannot condition treatment/payment on any decision. The NPP must include a sentence about this right to opt-out.
- Marketing: Communications that encourage a patient to use a product or service are considered marketing and require the patient's signed HIPAA Authorization, unless the communication falls within specific new exceptions; but, if there is any payment exchanged for making such communication, then it may still be prohibited. This HITECH change is complicated, and revisions to this policy requires careful drafting to not be overly restrictive or too permissive.
- Prohibition on Sale of PHI: Policies must be updated to reflect that in any case where there is payment exchanged for PHI, that this must be flagged and is prohibited unless it falls within one of the specifically listed exceptions. Otherwise, the patient's HIPAA Authorization is required.
- Security Breach Notification: Policies governing security incidents and mitigation when there is an unauthorized disclosure of PHI must be updated to synchronize with new Security Breach Notification obligations. A stand-alone new policy to govern Security Breaches is recommended for compliance with HITECH. Note that any draft polices that were prepared under the Interim Final Breach Rule must now be updated as a result of the Omnibus Final HITECH Rule to reflect that the "Harm" threshold no longer applies, there is a presumption of Breach.
- Definition of PHI: Policies should reflect two important changes to the definition of PHI (i) that Genetic Information is PHI, and is prohibited from being used for underwriting purposes; and (ii) that PHI of decedents is no longer protected by HIPAA 50 years after their death. This last change should also be synchronized with an organization's medical retention policies, and with how they will deal with BAs who do may retain PHI after termination of the underlying services contract (i.e., when return or destruction of PHI not possible).
- Public Health Disclosures: this policy should be updated to reflect the Omnibus Rule change that now permits proof of immunizations to be released to schools where the school is required by law to have that information. The policy should reflect that the parent or guardian's approval is still required, which can be satisfied by documenting a phone conversation, an email or by other methods.
- Minimum Necessary: this policy must reflect that Covered Entities and Business Associates must limit uses and disclosures of PHI to only the minimum amount necessary, or to the limited data set. Also, update BA Agreements accordingly.
- Research: If your organization engages in research, policies can permit compound authorizations, condition participation on authorization, and obtain authorization for future research now, post-HITECH and Omnibus.
- De-identification: this policy should be reviewed and updated to reflect OCRs new guidance on de-identification, see here.
- Accounting of Disclosures: STAY TUNED ON THIS ONE. HHS declined to finalize the proposed expansion of AOD to treatment, payment and health care operations, or the Access Report in the Omnibus Rule. This will be subject to a future Final Rule. In the meantime, Covered Entities may follow the "old" HIPAA standard for Accounting for Disclosures.
Update your Notice of Privacy Practices: Several statements must be added to the NPP to comply with HITECH. As a courtesy, here is a copy of our "Update your NPP" checklist from our HIPAA HITECH Helpbook.

Update your HIPAA Business Associate Agreements: HIPAA BA Agreements must be updated to reflect required language. Covered Entities will also want to address issues such as determining if a BA is its "agent", which carries with it significant implications post-HITECH, and including indemnity provisions as a result. It is also recommended that Covered Entities address BA's rights with regard to using de-identified data, and what to do with information 50 years after a patient's death, among other issues.

Update Your HIPAA Authorization: If you are sending marketing communications, you must update your Authorization forms to indicate this. If you are using HIPAA Authorizations for research, make sure to update them for the new changes.

Update your Fundraising forms: If your organization engages in fundraising activities, then you must update your communications for the new "opt-out" requirement.

For more help, email me at helen@oscislaw.com for more information about forms and checklists available in our HIPAA HITECH Helpbook, or our HIPAA HITECH Workshop.

Note to Mr. Donald Trump: According to HHS' New Omnibus Rule, You Can Have A Copy of That Birth Certificate in About 100 or so Years Because HIPAA Doesn't Apply

helen@oscislaw.com (Helen Oscislawski) — Mon, 28 Jan 2013 01:48:47 -0500

One change under the Omnibus Rule that is somewhat flying under the radar is that HIPAA no longer will apply to a patients’ medical information 50 years after their death. One of the main reasons HHS cites as the impetus for this change is that researchers, historians, biographers and archivists have had difficulty gaining access to such information since HIPAA was enacted. While I find this to be an issue that may have justified a small tweak to the Privacy Rule to allow proper access to such information by authorized individuals, I find it is curious that HHS chose to simply remove all protections 50 years after death.

The Omnibus Rule has revised the definition of “deceased individuals” at Section 164.502(f) so that a covered entity is no longer required to abide by HIPAA’s restrictions on using and disclosing a patient’s PHI 50 years after their date of death.

More curious rationale abounds in the Preamble to the Omnibus Rule. At one point, all decedents’ information is referred to as “ancient or old records of historical value held by covered entities” and with “likely few surviving individuals concerned with the privacy of such information”. HHS also believes that 50 years is an appropriate period of protection for decedents’ information, taking into account the remaining privacy interests of living individuals “after the span of approximately two generations have passed”. Finally, HHS dismisses that the 50 year limitation will incentivize record retention policies to be changed in order to profit from decedents’ data after 50 years has elapsed. In my opinion, these don’t really hold up as great reasons for entirely removing HIPAA’s protection of decedents’ health information.

First, not all records are “ancient” and there certainly can be surviving individuals concerned with keeping such information private. Obviously, people don’t all live to average life expectancies and some decedents will have even died at birth. Such “young” decedents in particular can have many surviving family members, including siblings (maybe even a twin), parents or their own offspring. These family members absolutely have a continuing interest to not have their deceased family member’s health information become “public” during their lifetime.

Thus, this Omnibus Rule change to the Privacy Rule appears to essentially have shifted the burden to the surviving family member to take affirmative action and expend potential resources to ensure such information is not made public.

I am also not convinced that this change does not create an incentive to monetize access to decedents' data. Although HHS emphasized that the change is NOT a record retention requirement (i.e., they are not saying that hospitals or health care providers have to keep records for 50 years), the change certainly could cause covered entities and business associates to hang on to such records longer, especially in cases where the data originates from decedents between the ages of birth-20 years and is still relatively “current”.

When the original HIPAA Privacy Rule was enacted, HHS considered many comments that pointed out the negative consequences of not extending HIPAA’s protections to decedents’ data. Commentators originally specifically argued that surviving family members would be negatively affected, and a number of medical associations even asserted that individuals may avoid genetic testing, diagnoses, and treatment and suppress information important to their health care if they fear family members will suffer discrimination from the release of their medical information after their death. Further, it was argued that the privacy of the deceased individual and his or her family is far more important than allowing genetic information to be abstracted by an institutional or commercial collector of information. HHS’ original response to such comments was:

Response: We find the arguments raised by these commenters persuasive. We have reconsidered our position and believe these arguments for maintaining privacy on protected health information without temporal limitations outweigh any administrative burdens associated with maintaining such protections. As such, in the final rule we revise our policy to extend protections on the protected health information about a deceased individual to remain in effect for as long as the covered entity maintains the information.

In the end, while HHS may give “researchers” the big “GO AHEAD” to access information like birth certificates of past presidents and other health information 50 years after the person's date of death, there are state laws, like Hawaii's health care information privacy law (Haw. Rev. Stat. section 323C-43 (*), that will continue to apply to the protected health information of a deceased individual following the death of that individual. Therefore, covered entities and business associates should be remember that before you begin to amend your policies to reflect that HIPAA will no longer protect the privacy of medical records and health information 50 years after a decedent’s death, state laws must still be followed – and, should be reflected in such policies as well.

(*) Note that while this statute is mentioned by HHS in its original Preamble, Hawaii appears to have repealed this law on on June 30 2001.

"Significant Risk of Harm" No Longer Required to Trigger Breach Notification

helen@oscislaw.com (Helen Oscislawski) — Fri, 25 Jan 2013 12:29:26 -0500

When it comes to responding to a Breach, what every Covered Entity (CE) and Business Associate (BA) wants to know is “Do we have to notify, or not?” Completing a documented “Risk Assessment” has always been required under the Interim Final Breach Notification Rule, but now HHS has made it expressly clear that the “risk of harm” is not something that can be used to avoid required notifications.

The Interim Breach Rule defined a Breach to mean generally “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the protected health information.” See 45 CFR 164.402. It further elaborated that “compromises the security or privacy of the PHI” meant poses a significant risk of financial, reputational, or other harm to the individual. HHS explained that it originally included this “harm” standard in order to align the rule with many State breach notification laws as well as existing obligations on Federal agencies that have a similar “risk of harm” standard for triggering breach notification.

But, HHS has now backpedaled on the 'significant risk of harm' test, and replaced it with a presumption that any impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA, as the case may be, demonstrates that there is a low probability that the PHI has been compromised.

HHS goes on to state in its Preamble to the Omnibus Rule that CEs and BAs essentially have the burden of proof to demonstrate that there is a low probability that the PHI is compromised. The CE and BA must also maintain written documentation (for 7 years) sufficient to demonstrate why it concluded that there is a low probability that the PHI was compromised and did not issue notices.

So, developing a process for completing and documenting Breach Risk Assessments is now more important than ever with each incident of unauthorized use or disclosure of PHI. The 4 factors that HHS states should be evaluated during such assessment follow:

1) Nature & Extent of PHI

For this factor, HHS suggests that CEs and BAs consider the type of PHI involved, such as if the PHI was of a more “sensitive” nature. An example given is if credit card numbers, social security numbers, or other information that increases the risk of identity theft or financial fraud are involved, then this would cut against finding that there is “low probability” that the PHI was compromised. With respect to clinical information, HHS points out that CEs and BAs might consider things like the nature of the services, as well as the amount of information and details involved. It is worth noting that in a footnote, HHS specifically calls out that “sensitive” information is not just things like STDS, mental health or substance abuse.

2) Unauthorized Person

To evaluate the second factor, HHS suggests that CEs and BAs consider who the unauthorized recipient is or might be. For example, if the recipient person is someone at another CE or BA, then this may support a finding that there is a lower probability that the PHI has been compromised since CEs and BAs are obligated to protect the privacy and security of PHI in a similar manner as the CE or BA from where the breached PHI originated. Another example given is if PHI containing dates of health care service and diagnoses of certain employees was impermissibly disclosed to their employer, the employer may be able to determine that the information pertains to specific employees based on other information available to the employer, such as dates of absence from work. In this case, there may be more than a low probability that the PHI has been compromised.

3) Acquired or Viewed

The third factor requires CE and BAs to investigate and determine if the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed. One example given here, which is a common scenario that arises for many CEs and BAs, is where a CE mails information to the wrong individual who opens the envelope and calls the CE or BA to say that he/she received the information in error. HHS points out that in such a case, the unauthorized recipient viewed and acquired the information because he/she opened and read the information and so this cuts against a finding that there is low probability that the PHI was compromised. To contrast, HHS offers an example of how to analyze this factor in the context of lost laptops. Specifically, HHS explains that if a laptop computer is stolen and later recovered and a forensic analysis shows that the otherwise unencrypted PHI on the laptop was never accessed, viewed, acquired, transferred, or otherwise compromised, the CE or BA could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed.

However, here HHS is also quick to point out that if a laptop is lost or stolen, HHS would not consider it reasonable to delay breach notification based on the hope that the computer will be recovered and that forensics might show that the PHI was never accessed.

4) Mitigation

The final factor to analyze is mitigation. HHS reminds CEs and BAs that each must attempt to mitigate the risks to PHI following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the PHI will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. When determining the probability that the PHI has been compromised, CEs and BAs should consider the extent of what steps needed to be taken to mitigate, and how effective the mitigation was. HHS offered an example that CEs and BAs may be able to obtain and rely on the assurances of an employee, affiliated entity, BA, or another CE that the entity or person destroyed PHI it received in error, while such assurances from certain third parties may not be sufficient.

HHS discusses other aspects of Breach Notification in the Preamble, which I will cover in future posts. As a primer, HHS goes into a discussion on how uses and disclosures of PHI beyond HIPAA’s Minimum Necessary rule could constitute a Breach! (but remember that Minimum Necessary does not apply to disclosures: for treatment; to the patient himself/herself; pursuant to a valid Authorization; that are required by law, including HIPAA; and (of course) to HHS, when disclosure of PHI is required under the Privacy Rule for enforcement purposes (See here).

In the end, covered entities and business associates (and now, sub-vendors of BAs too!) just want to know what they should do in response to breaches. The general answer is that the scales have tipped towards notifying affected individuals in most cases where PHI gets into the hands of someone who was not intended to have it. That said, CEs and BAs should strongly consider assembling an educated core "team" of individuals who will become adept at completing Breach Risk Assessments, contacting outside assistance and counsel as needed, and proceeding with an appropriate response.

As a final interesting observation, it's worth noting that HHS specifically states that the penalty distribution methodology requirement of the HITECH Act (§13410(c) was not addressed in the Omnibus Rule, and will be the subject of a future rulemaking. The HITECH Act provides:

(c) DISTRIBUTION OF CERTAIN CIVIL MONETARY PENALTIES COLLECTED.—

(3) ESTABLISHMENT OF METHODOLOGY TO DISTRIBUTE PERCENTAGE OF CMPS COLLECTED TO HARMED INDIVIDUALS.—

Not later than 3 years after the date of the enactment of this title, the Secretary shall establish by regulation and based on the recommendations submitted under paragraph (2), a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense. (emphasis added).

It will be very interesting to see if HHS will apply the same standard it decided on for Breach determinations to also determine if a person has been “harmed” for purposes of paying individuals a percentage of CMPs collected against a Covered Entity, BA or BA sub-vendor for such HIPAA violations. That is, will HHS part with a % of CMPs collected and disburse such payments to patients based on a “presumption of harm” unless HHS can demonstrate and document otherwise?

I guess we will have to wait for the next Rule to be released to see if the threshold HHS selected for purpose of determining "harm” for Breach Notification will be carried over to its own determinations of when to pay individuals under this HITECH Act mandate. Stay tuned for that.....