The Health Insurance Portability and Accountability Act (“HIPAA”) Omnibus Rule1 made significant changes to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules. Importantly, the Omnibus Rule modified the breach notification interim final rule issued on August 24, 20092 to change the risk assessment standard used to determine whether a covered entity must provide notification of a privacy or security breach. Although The Department of Health and Human Services (“HHS”) intended the new standard to foster a more objective analysis,3 its application raises similar questions and could result in similar notification decisions as those reached under the old standard.
Harm Standard Pre-Omnibus Rule
The HIPAA Breach Notification Rule requires covered entities to notify patients, the government, and sometimes the media upon the occurrence of security breaches involving the unauthorized use or disclosure of patients’ protected health information (“PHI”).4 Prior to the Omnibus Rule’s promulgation, the HIPAA Breach Notification Rule required covered entities to conduct a risk assessment to analyze the risk of harm to an individual in determining whether an impermissible use or disclosure of that individual’s PHI constituted a breach. A violation that “pose[d] significant risk of financial, reputational, or other harm to the individual” was considered reportable.5
The risk assessment required consideration of a combination of factors, including who impermissibly used the information or to whom the information was impermissibly disclosed; whether the covered entity had taken steps to mitigate or eliminate the risk of harm; whether the PHI was actually accessed; and the type or amount of PHI that was impermissibly used or disclosed.6
Risk Assessment Post-Omnibus Rule
The Omnibus Rule moved away from the “risk of harm” standard and instead created a rebuttable presumption that all breaches must be reported. The Omnibus Rule also modified the definition of “breach” to provide that:
an acquisition, access, use, or disclosure of protected health information in a manner not permitted under…[the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment….7
As HHS explained in its comments to the Omnibus Rule:
[w]e believe that the express statement of this presumption [of reportable breach] in the final rule will help ensure that all covered entities and business associates interpret and apply the regulation in a uniform manner . . . .8
A covered entity or business associate must now undertake a four-factor risk assessment to determine whether or not PHI has been compromised and overcome the presumption that the breach must be reported. The four-factor risk assessment focuses on:
(1) the nature and extent of the PHI involved in the incident (e.g., whether the incident involved sensitive information like social security numbers or infectious disease test results);
(2) the recipient of the PHI;
(3) whether the PHI was actually acquired or viewed; and
Testing the Old vs. the New Standard
It is important to assess how the new breach notification risk assessment framework is affecting breach notification obligations. The following are two examples used to test whether the entity in each example would have to provide breach notifications under each standard and to explore how application of the two standards may or may not differ.10
Example #1: Disclosures to Law Enforcement
Under the old standard, the pharmacy would need to analyze the risk of harm caused by the unauthorized disclosure. If the information disclosed included sensitive prescription-related data elements, if the law enforcement officials actually accessed the information, did not return or destroy the information after discovering the erroneously disclosed information, or further used or disclosed the information, the risk of harm could be high enough to require breach notification. If the law enforcement officials did not further use or disclose the information and immediately returned or destroyed it, the facts might suggest a minimal risk of harm to individuals, rendering the incident unreportable.
Note how the preceding analysis highlights the old standard’s subjective nature. Some might reasonably conclude that disclosure of prescription drug information to law enforcement risks significant harm; for example, it could disclose the use of prescription painkillers by an individual and subject that individual to law enforcement scrutiny.
The new standard attempts to create a more objective analysis. Under the new standard, the pharmacy would consider who received the unauthorized disclosure of PHI, the nature and extent of the PHI involved, whether the recipient actually acquired or viewed the unauthorized PHI disclosed, and the extent to which the recipient mitigated the risk that the PHI was compromised. The pharmacy would have to overcome the rebuttable presumption of a breach with facts indicating that the privacy or the security of individuals’ PHI had not been compromised. Even assuming that the PHI included sensitive information and the law enforcement officials did not return or destroy the PHI, the security of the PHI may not have been compromised, depending on various factors, such as whether the pharmacy could rely on the law enforcement recipient’s representations that its administrative, technical, and physical security safeguards sufficiently ensured that the unauthorized PHI disclosed could not be further accessed by other unauthorized parties. However, one could argue that disclosing PHI to a non-healthcare provider, and especially to law enforcement, compromises the individuals’ privacy even without further disclosure. Thus, using the new standard would still likely require a breach disclosure.
Example #2: Appointment Reminders
In the second example, a physician sent appointment reminders for standard physical examinations to patients. Some of the appointment reminders were placed in the wrong patients’ envelopes and were misdirected to unauthorized individuals.
Under the old standard, the physician would analyze the risk of harm caused by the unauthorized disclosure. The disclosure only contained the patient’s name, contact information, and a general appointment reminder, and no medical or other PHI was included. Thus, the unauthorized disclosure would probably not present a significant risk of financial or other harm.
Under the new standard, the physician would consider who received the unauthorized disclosure of PHI, the nature and extent of the PHI involved, whether the recipient actually acquired or viewed the unauthorized PHI disclosed, and the extent to which the recipient mitigated the risk that the PHI was compromised. The first two factors - the nature and extent of PHI involved and whether or not the recipient actually acquired or viewed the PHI - result in a very similar analysis as the old standard. The acquisition of PHI and mitigation of risk are more difficult to rationalize. Since the physician failed to prevent the mailing from going out to unauthorized patients, it is unlikely that the physician could conclude, based on the new risk assessment, that there is a low probability that the PHI has been compromised. Thus, the physician would be required to provide breach notifications to the affected individuals.
Applying the old and new standards to both examples shows their striking similarities. Still, it appears that the new standard creates an increased probability that breach notification would be required for most unauthorized disclosures of PHI. This is consistent with the Omnibus Rule’s rebuttable presumption that creates an expectation that the breach will require notification to affected individuals and the government, except under narrow circumstances. With the new risk assessment standard, those circumstances will become harder to justify and will possibly require either more breaches to be reported or will prompt more searching inquiries for facts to support the contention that there is a low probability that individual’s PHI was compromised. Striking a balance between an inquiry that meets the risk assessment’s requirements but that minimizes the over-reporting of breaches will be a challenge that covered entities and business associates will need to address in the future.
78 Fed. Reg. 5565 (Jan. 25, 2013).
74 Fed. Reg. 42740 (Aug. 24, 2009).
See, e.g., 78 Fed. Reg. 5566 (Jan. 25, 2013).
45 C.F.R. §§ 164.400-414.
78 Fed. Reg. 5577 (Jan. 25, 2013).
Id. at 5641.
Id. at 5642-43. HHS indicated in its comments to the Omnibus Rule that the new standard is in line with current practices: “although we have included this risk assessment in the final rule, this type of assessment of risk should not be a new or different exercise for covered entities and business associates. Similar assessments of risk that data have been compromised must be performed routinely following security breaches and to comply with certain State breach notification laws.” Id. at 5642.
One of these case examples is based on an example described on OCR’s website; See Case Examples Organized by Issue, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/casebyissue.html#impermissible.
See 45 C.F.R. § 164.512(f). The Privacy Rule permits some disclosures for law enforcement purposes, such as to comply with a court order or to report evidence of a crime. See id.