Oh where, Oh where has the Security Breach Rule gone?
Today, I was going to draft a follow up article to my previous post to address whether notification was required under the Security Breach Notification Rule. However, when I sat down to begin typing, I discovered that the Breach Rule was gone! Well, maybe not exactly gone, but at least “withdrawn”.
HHS recently posted on its website the following:
At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months. Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.
So now what?
For starters, HHS made clear in its last statement that the Interim Final Rule that went into effect in September remains in effect. Therefore, whatever “difficulties” HHS/OMB/OCR may be having with regard to administering or enforcing compliance, this does not automatically give covered entities or business associates a “free pass” to not report Breaches if an incident warrants such notification –to patients, OCR or otherwise – under the Interim Final Rule. As of today, OCR’s website set up to receive breach notifications is still up and running, and so covered entities should continue make any required reports of breaches though that website. Also, entities should be mindful that if their state has implemented a breach notification statute (as many have), then such state law must still be complied with. To see if your state has such a law, visit NCSL’s website.
As for what HHS will be doing to the Breach Rule? … it’s not clear. It has been suggested that the withdrawal may have been prompted to address certain privacy groups’ concerns regarding the “Harm” threshold. Particularly, the Harm threshold has been heavily criticized by some as creating a loophole to avoid reporting by Business Associates who are required ONLY to notify the Covered Entity regarding a Breach (which then triggers the Covered Entity’s obligation to notify HHS and patients of the Breach caused by the BA). Specifically, as the Breach Rule currently reads, a Business Associate is entitled to go through the same Harm analysis in order to decide whether or not to report the Breach to the Covered Entity. Some have compared this to the “fox guarding the chicken coop”. Nevertheless, I don’t believe that this warrants complete removal of the Harm balancing from the Breach Rule, and here is why:
And here is why:
First, what the Breach Rule may not do, HIPAA still does –at least to some extent. Specifically the Security Rule requires that a HIPAA BA Agreement includes language that the Business Associate shall report to the Covered Entity any Security Incident of which it becomes aware. See §164.314(a)(2). Security Incident is a term defined as “the attempted or successful unauthorized access, use, disclose, modification, or destruction of information or interference with system operations in an information system”. See §164.304. Thus, because a Breach of e-PHI should almost always be a subset of all potential Security Incidents, Business Associates should already be reporting such Breaches to their respective Covered Entity.
But what about the paper?
Unfortunately, breaches involving paper PHI would not be subject to the same specific reporting requirement found in the Security Rule (which applies only to e-PHI). When reviewing or preparing HIPAA BA Agreements for Covered Entity clients, I have typically addressed this by including language that would obligate the Business Associate to also report any discovered “potential” Breach to the Covered Entity, and contractually curtail the right of the Business Associate to independently go through a Harm analysis. However, for those coming at the issue from the other side, I understand how mere “compliance with the letter of law” of the Breach Rule could give Business Associates some latitude with regard to when to report or not to report an incident involving paper PHI to the Covered Entity.
Nevertheless, at best the foregoing loophole deserves a “tweak” not an obliteration of the otherwise completely logical and reasonable Harm balancing test. As a safeguard, the Breach Rule already requires that a Covered Entity document its rationale behind making a decision to not report a Breach on the basis that it is unlikely that Harm would result. Moreover, if such Harm balancing is removed, there could be more damage done than good. An increase of notifications to patients of incidents that are not likely to result in any Harm could also desensitize patients and consumers to what is an important notification, versus what is not. Similarly, an inundation of reporting to OCR could overwhelm and undermine their ability to effectively review and enforce Breaches that truly warrant attention and response. Thus, hopefully when the revised Final Rule is released, we will see minor adjustments and not substantive changes — otherwise, it could turn into a case of “The Boy Who Cried Breach” and no one will pay attention when the real wolf comes…..
