“Significant Risk of Harm” No Longer Required to Trigger Breach Notification
When it comes to responding to a Breach, what every Covered Entity (CE) and Business Associate (BA) wants to know is “Do we have to notify, or not?” Completing a documented “Risk Assessment” has always been required under the Interim Final Breach Notification Rule, but now HHS has made it expressly clear that the “risk of harm” is not something that can be used to avoid required notifications.
The Interim Breach Rule defined a Breach to mean generally “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the protected health information.” See 45 CFR 164.402. It further elaborated that “compromises the security or privacy of the PHI” meant poses a significant risk of financial, reputational, or other harm to the individual. HHS explained that it originally included this “harm” standard in order to align the rule with many State breach notification laws as well as existing obligations on Federal agencies that have a similar “risk of harm” standard for triggering breach notification.
But, HHS has now backpedaled on the ‘significant risk of harm’ test, and replaced it with a presumption that any impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA, as the case may be, demonstrates that there is a low probability that the PHI has been compromised.
HHS goes on to state in its Preamble to the Omnibus Rule that CEs and BAs essentially have the burden of proof to demonstrate that there is a low probability that the PHI is compromised. The CE and BA must also maintain written documentation (for 7 years) sufficient to demonstrate why it concluded that there is a low probability that the PHI was compromised and did not issue notices.
So, developing a process for completing and documenting Breach Risk Assessments is now more important than ever with each incident of unauthorized use or disclosure of PHI. The 4 factors that HHS states should be evaluated during such assessment follow:
1) Nature & Extent of PHI
For this factor, HHS suggests that CEs and BAs consider the type of PHI involved, such as if the PHI was of a more “sensitive” nature. An example given is if credit card numbers, social security numbers, or other information that increases the risk of identity theft or financial fraud are involved, then this would cut against finding that there is “low probability” that the PHI was compromised. With respect to clinical information, HHS points out that CEs and BAs might consider things like the nature of the services, as well as the amount of information and details involved. It is worth noting that in a footnote, HHS specifically calls out that “sensitive” information is not just things like STDS, mental health or substance abuse.
2) Unauthorized Person
To evaluate the second factor, HHS suggests that CEs and BAs consider who the unauthorized recipient is or might be. For example, if the recipient person is someone at another CE or BA, then this may support a finding that there is a lower probability that the PHI has been compromised since CEs and BAs are obligated to protect the privacy and security of PHI in a similar manner as the CE or BA from where the breached PHI originated. Another example given is if PHI containing dates of health care service and diagnoses of certain employees was impermissibly disclosed to their employer, the employer may be able to determine that the information pertains to specific employees based on other information available to the employer, such as dates of absence from work. In this case, there may be more than a low probability that the PHI has been compromised.
3) Acquired or Viewed
The third factor requires CE and BAs to investigate and determine if the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed. One example given here, which is a common scenario that arises for many CEs and BAs, is where a CE mails information to the wrong individual who opens the envelope and calls the CE or BA to say that he/she received the information in error. HHS points out that in such a case, the unauthorized recipient viewed and acquired the information because he/she opened and read the information and so this cuts against a finding that there is low probability that the PHI was compromised. To contrast, HHS offers an example of how to analyze this factor in the context of lost laptops. Specifically, HHS explains that if a laptop computer is stolen and later recovered and a forensic analysis shows that the otherwise unencrypted PHI on the laptop was never accessed, viewed, acquired, transferred, or otherwise compromised, the CE or BA could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed.
However, here HHS is also quick to point out that if a laptop is lost or stolen, HHS would not consider it reasonable to delay breach notification based on the hope that the computer will be recovered and that forensics might show that the PHI was never accessed.
4) Mitigation
The final factor to analyze is mitigation. HHS reminds CEs and BAs that each must attempt to mitigate the risks to PHI following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the PHI will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. When determining the probability that the PHI has been compromised, CEs and BAs should consider the extent of what steps needed to be taken to mitigate, and how effective the mitigation was. HHS offered an example that CEs and BAs may be able to obtain and rely on the assurances of an employee, affiliated entity, BA, or another CE that the entity or person destroyed PHI it received in error, while such assurances from certain third parties may not be sufficient.
HHS discusses other aspects of Breach Notification in the Preamble, which I will cover in future posts. As a primer, HHS goes into a discussion on how uses and disclosures of PHI beyond HIPAA’s Minimum Necessary rule could constitute a Breach! (but remember that Minimum Necessary does not apply to disclosures: for treatment; to the patient himself/herself; pursuant to a valid Authorization; that are required by law, including HIPAA; and (of course) to HHS, when disclosure of PHI is required under the Privacy Rule for enforcement purposes (See here).
In the end, covered entities and business associates (and now, sub-vendors of BAs too!) just want to know what they should do in response to breaches. The general answer is that the scales have tipped towards notifying affected individuals in most cases where PHI gets into the hands of someone who was not intended to have it. That said, CEs and BAs should strongly consider assembling an educated core “team” of individuals who will become adept at completing Breach Risk Assessments, contacting outside assistance and counsel as needed, and proceeding with an appropriate response.
As a final interesting observation, it’s worth noting that HHS specifically states that the penalty distribution methodology requirement of the HITECH Act (§13410(c) was not addressed in the Omnibus Rule, and will be the subject of a future rulemaking. The HITECH Act provides:
(c) DISTRIBUTION OF CERTAIN CIVIL MONETARY PENALTIES COLLECTED.—
(3) ESTABLISHMENT OF METHODOLOGY TO DISTRIBUTE PERCENTAGE OF CMPS COLLECTED TO HARMED INDIVIDUALS.—
Not later than 3 years after the date of the enactment of this title, the Secretary shall establish by regulation and based on the recommendations submitted under paragraph (2), a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense. (emphasis added).
It will be very interesting to see if HHS will apply the same standard it decided on for Breach determinations to also determine if a person has been “harmed” for purposes of paying individuals a percentage of CMPs collected against a Covered Entity, BA or BA sub-vendor for such HIPAA violations. That is, will HHS part with a % of CMPs collected and disburse such payments to patients based on a “presumption of harm” unless HHS can demonstrate and document otherwise?
I guess we will have to wait for the next Rule to be released to see if the threshold HHS selected for purpose of determining “harm” for Breach Notification will be carried over to its own determinations of when to pay individuals under this HITECH Act mandate. Stay tuned for that…..
