On January 18th, 2013, the Department of Health and Human Services released their final ruling on modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. These rulings will affect the way in which an individual’s health information is shared and will identify the consequences when there has been a breach of privacy. While the law has been less defined in the past, it will now be much more highly regulated through these provisions. The effective date of the final ruling is March 26th, 2013 with compliance required on or before September 23rd, 2013. The ruling most relevant to physicians and health care practices is the modification to breach notification regulations, which will further define a “breach” and will present specific questions to be raised when determining if a breach has occurred.
The department’s new breach notification requirements will increase the accountability of health care providers, health plans, and business associates, along with their covered entities, in situations where protected health information (PHI) has been breached. Previously, a breach was defined by whether or not the disclosure of the PHI posed a significant risk of causing financial, reputational, or other harm to an individual. The final ruling modifies the previous standard by presuming that a breach has occurred unless the covered entity is able to prove there is little chance that the patient’s health information has been compromised. The “burden of proof” lies with the violating entity or business associate. There are guidelines in the ruling which outline what constitutes “unsecured” versus “protected” health information.
In order to determine the probability that a breach has occurred, the final ruling outlines questions which must be addressed, as noted by Katherine Keefe, head of Beazley Breach Response Services. “In particular,” Ms. Keefe noted, “the final rule requires that four factors be considered when determining if PHI has been compromised. First, the nature and extent of the PHI involved. Second, the unauthorized person who used the PHI or to whom the disclosure of PHI was made. Third, whether the PHI was actually viewed or acquired. And fourth, the extent to which the risk to the PHI has been mitigated. The government makes very clear that each of these factors must be considered when evaluating impermissible uses or disclosures of PHI, and that compliance policies need to include these factors.” The department has encouraged internal compliance officers to incorporate these considerations into their current compliance program.
In the event a breach has occurred, there are regulations, established in the HITECH Act of 2009, which define the actions to be taken by an individual or organization that has violated the Act. Generally speaking, it is the responsibility of the HIPAA covered entity to notify the affected individuals in a prompt manner and to report the breach to the Health and Human Services (HHS) Secretary annually. In the event the breach affects 500 or more individuals, the violator is additionally obligated to report the breach to the HHS Secretary immediately, as well as to the media. Also, any business associate of a HIPAA covered entity is required to notify that covered entity if a breach occurs.
As it relates to breach notification, the purpose of the final ruling by the US Department of Health and Human Services is to redefine what constitutes a breach and what factors to consider if a breach is suspected. This ruling will provide added protection to consumers and will increase awareness within the healthcare community. If you have additional questions regarding breach notification or the final ruling, or to inquire as to whether you or your organization has the appropriate privacy breach coverage, please contact a Diederich Healthcare representative at 800.457.7790.