HIPAA Breach Notification Update:  No harm, No foul, No more?

On August 24, 2009, the Department of Health and Human Services ("HHS") published its interim final rule regarding the breach notification requirements applicable to covered entities and their business associates under HIPAA (the "Rule").  HHS was required to issue the Rule pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act, part of the American Recovery and Reinvestment Act of 2009 ("ARRA").  The Rule became effective September 23, 2009, but HHS will forego imposing sanctions for breaches occurring before February 22, 2010. 

On October 1, 2009, several Congressmen sent a letter (the "Letter") to HHS Secretary Kathleen Sebelius expressing concern that the Rule is inconsistent with Congressional intent and should be revised because it sets too high a standard for notification of individuals when an unauthorized use or disclosure of protected health information ("PHI") occurs.  This creates an interesting dilemma for covered entities and business associates who are seeking to comply with the Rule.

The Harm Standard

HITECH provides that if a covered entity discovers a breach of unsecured PHI, the covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach.  Under the HITECH definition, a breach only occurs if the unauthorized access, acquisition, use, or disclosure compromises the security or privacy of the unsecured PHI.  The Rule adopted by HHS interpreted this standard to mean that the security or privacy of PHI has been compromised if there is "a significant risk of financial, reputational, or other harm to the individual." 

This harm standard adopted by HHS essentially requires covered entities and business associates to perform a risk assessment to determine the likelihood that a breach could cause harm to the individual.  In conducting this risk assessment, HHS stated that a covered entity should consider the following factors:

  • Who impermissibly used the PHI or to whom was the PHI impermissibly disclosed?
  • What immediate steps were taken to mitigate the impermissible use or disclosure?
  • Was the PHI returned prior to being accessed for an improper use?
  • What type and amount of PHI was involved in the impermissible use or disclosure?
  • Did the use or disclosure involve sensitive information such as information regarding a sexually transmitted disease, mental health or substance abuse?

If the risk assessment indicates that a violation of the Privacy Rule does not pose a significant risk of financial, reputational, or other harm to the individual, then no notification is required.  It is this harm standard that has attracted the concern of the Congressmen.

The Letter

The Letter was signed by Representatives Waxman, Rangel, Dingell, Pallone, Stark and Barton, and reaffirmed the importance of health information technology to improve quality and efficiency in the United States health care system.  The Letter also stressed that the achievement of those improvements relies heavily on having strong safeguards in place to protect PHI.  With regard to the harm standard, the Congressmen stated that ARRA's statutory language does not imply a harm standard, and in fact that Congress "specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information." 

The Congressmen stated that the purpose of the breach notification provisions was to incentivize health care entities to protect data by means such as strong encryption or destruction, and to allow individuals to assess for themselves the seriousness of an unauthorized use or disclosure of their PHI.  Such transparency, according to the Congressmen, would allow individuals to choose health care providers with better privacy practices, and would make implementation and enforcement simpler.  The Letter urged HHS to revise or repeal the harm standard in the Rule at the soonest appropriate opportunity.

Impact

It is not clear how this matter will be resolved.  The indication in the Letter that the harm standard is more lenient than Congress intended, along with widespread criticism of the harm standard from patient advocacy groups, suggests there will be some change to the Rule.  HHS adopted the harm standard in an attempt to align the federal Rule with state breach notification rules and to prevent the panic and burdens that may result from flooding patients with notifications of breaches that do not pose a threat.  Any modification to the Rule will need to balance these competing concerns and address what it means to "compromise the security or privacy" of PHI as that phrase is used in the HITECH definition of breach. 

Until a change is made, the breach notification Rule, including its harm threshold, remains in effect.  Therefore, covered entities and business associates may continue to use the harm threshold when determining if notification of a breach is required in a given circumstance.  There is, however, no prohibition against notifying individuals of a breach even if the breach does not pose a significant risk of harm.  Choosing to notify individuals of a breach, even if notification is not specifically required by the current Rule, provides both benefits and risks.  Organizations should carefully weigh all of the risks and benefits, and consider any applicable state laws, prior to making any such notification.  Organizations should also continue to monitor for changes to the breach notification Rule. 

It is also important to note that since the Rule was promulgated as an interim final rule, HHS is accepting comments on the rule through October 23, 2009.  Organizations that want to express comments or concerns about the Rule may do so in writing on or before that date.

The current Rule may be accessed at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf.

The Letter may be accessed at http://sn.im/sccds-rxv.

For our previous articles on the HIPAA breach notification requirement or on other HITECH changes to HIPAA, please see our "Impact Series" at www.hallrender.com/impact.

If you need additional information about this topic, please contact your regular Hall Render attorney or Mark J. Swearingen at (317) 977-1458 or mswearingen@hallrender.com.

HIPAA Breach Notification Rule is a follow-up article to the original seven articles in the HIPAA goes HITECH series. To register for future updates to the Hall Render Impact Series, please visit hallrender.com/impact

as distributed Aug. 25, 2009 

HIPAA goes HITECH authors:

Elizabeth Callahan-Morris

Charise R. Frazier

Monica C. Hocum

Margaret Marchak

Melissa L. Markey

Mark J. Swearingen

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.