The U.S. Department of Health and Human Services (HHS) has issued final rules to:
- Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules to implement statutory amendments under the Health Information Technology Economic and Clinical Health Act (HITECH Act) to strengthen the privacy and security protection for individuals’ health information;
- Modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comments received on the interim final rule;
- Modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title 1 of the Genetic Information Nondiscrimination Act of 2008 (GINA); and
- Make other modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to improve their workability and effectiveness, and to increase flexibility and decrease burden on regulated entities.
The final rules were published in the Federal Register on January 25, 2013, and will be effective on March 26, 2013. Covered entities and business associates must comply with the final rules by September 23, 2013. This is the fifth in a series of articles that will address key provisions of the rules, their impact on post-acute providers, and practical solutions for compliance.
The final rule also includes modifications to the interim final breach notification rule published on August 24, 2009. Although the interim final rule was finalized without change in the new HIPAA rules, there was one significant exception. The definition of “breach” was clarified by removing the “harm standard” for disclosures and substituting a more objective standard of whether protected health information has been “compromised.” The Office for Civil Rights (OCR) clarifies its “position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information is compromised.”
The following language was added to the interim final rule:
(2) Except as provided in [the existing exceptions to the definition of breach], an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.
The practical effect of this change is that providers will undoubtedly report more breaches, since they are required to do so whether or not patients have been harmed by the breach. If PHI is compromised, providers must now report a breach. It is also important to note that the new rules eliminate the regulatory exception for limited data sets that do not contain any dates of birth or zip codes.
With regard to notification to individuals of breaches, the new rules clarify that covered entities acting as business associates (for example, by providing billing services to another covered entity) should respond to breaches as business associates. In these situations, the covered entity, not the business associate, will be required to provide the notification.
The new rules also make it clear that notice has not been given if written notices are returned as undeliverable. If more than ten notices are returned as undeliverable, providers may take a reasonable period of time to search for correct addresses for affected individuals, but must provide substitute notice as soon as reasonably possible within the original sixty-day time period for notifications.
The final rules say the following with regard to notification to the media of breaches:
- Providers are not obligated to incur the cost of media broadcasts regarding breaches;
- Media outlets are not obligated to publicize every notice of breach received and the failure to do so does not make notices insufficient; and
- Providers must deliver press releases directly to the media. Posting a general press release on a website, for example, does not meet the requirements of the final rules.
As OCR becomes increasingly committed to enforcement actions, providers must continue to be serious about compliance.