Exclusive: Privacy rule refocuses on breaches, business associates

The wait for the omnibus privacy rule “was extraordinary,” considering there was no good reason for the delay, Lisa J. Sotto, managing partner of the New York City office of Hunton & Williams law firm, told Clinical Innovation + Technology in an interview. But, “it is definitely time to move to the next generation with respect to HIPAA.” When HIPAA was enacted in 1996, “we were in the dark ages of data privacy and security so a refocus is a good thing.”

“This is the first thing that changes the current practices of privacy and security since HIPAA,” said Angela Dinh Rose, director of health information management solutions for the American Health Information Management Association. “When HIPAA first came out, we were in a frenzy. Here we go again. We still have to be compliant with HIPAA, but HITECH is adding to the requirements of HIPAA. We survived HIPAA; we’re going to survive this.”

The most important new standard, said Adam H. Greene, partner of Davis Wright Tremaine law firm in Washington, D.C., is the standard for breach notification which was modified from risk of harm to probability of compromise. “What this really means is that the Department of Health and Human Services (HHS) is attempting to go from what many argued was subjective determination as to whether an individual was harmed to something a bit more objective.” If the information was compromised, “the rule suggests that HHS would consider it a breach regardless of whether there is potential reputational or financial harm.” The rule expands the scope of what is going to be reported.

In the past, Greene explained, “if you had patient information that fell into the wrong hands and knew the information was compromised but there didn’t seem to be much harm to the individual, you could demonstrate that there was no significant risk of potential harm. That standard has been removed.” Now, if you know the information has been compromised, you are no longer in a position of determining whether you believe that compromise will result in harm. You are required to report the breach.

This shift from a solid and respectable harm threshold to the presumption that there’s been a breach means covered entities and business associates must prepare by performing a formal risk assessment, said Sotto. That risk assessment will need to be documented so “they can later demonstrate to HHS why they didn’t believe they needed to notify in a particular instance. The shift moves away from considering injury to the individual toward violation of regulations and the probability that protected health information (PHI) has been compromised, she said. “I don’t think that’s terribly objective” because the rule states covered entities need to base their risk assessment on “at least the following factors." Sotto said, "That right there is subjective in and of itself and there are plenty of subjective issues here like the nature of the information involved. Who is to say what’s sensitive or not?”

“It is clear what they’ve tried to do is create a more objective standard,” said Lisa A. Gallagher, senior director of privacy and security for the Healthcare Information Management and Systems Society. “This is a positive step and I’m a big proponent of ongoing security risk management anyway.”

The rule introduces another challenge for covered entities. In the preamble, HHS stated that 60 days to conduct notification of a breach is the outer limit. “In some cases, even waiting that long will be considered an unreasonable delay,” said Sotto. “That’s strong language and suggests that the agency is going to place emphasis on the timing of notification. Those of us who have handled breaches know that a number of breaches are not susceptible to notification within 60 days.” It can take months to determine the scope of a breach, organize a list of individuals to be notified and get the right contact information together. “Sixty days is a short period of time and there is no flexibility in this standard.”

The 60-day notification requirement is going to be challenging to manage, agrees Gallagher. But the requirement is in the final rule, so covered entities are “going to have to find ways to be actively monitoring for breaches, have a process in place to make sure they are capable of analyzing and notifying in that time frame.”

The privacy rule also changes responsibilities for business associates (BAs). “We knew previously that BAs would be directly responsible for compliance with pieces of the privacy rule and most of the security rule. What I think is really difficult to manage, even though it’s not new, is the concept of subcontractors being included in the definition of business associates. The fact that subcontractors are just as responsible for compliance as BAs and that follows subcontractors down the line all the way to the end of the data stream, will be extremely difficult to manage.”

A healthcare organization easily could have 20,000 BA agreements and “every single one of them is going to have to be amended,” she said. “Then there’s the issue that many subcontractors will have no earthly idea that they interact with HIPAA. Unless they are told via business associate agreement, if there is a failure of communication, they will be directly liable under the rule but they won’t even know it.”

If a subcontractor is not presented with a BA agreement, then it has no responsibility, she said. “Here you can have entities that think they have no interaction at all with the healthcare world but in fact do because of sub- sub- subcontractors.” For example, a cloud provider is a few levels removed. That provider won’t look at the content sitting in their cloud and won’t know if there is PHI being stored in the cloud if they are not specifically told.

This step of being held accountable for their subcontractors “officially put business associates out of their comfort zone,” said Rose.

“Some work has to be done to see where each of your business associate agreements fall,” said Gallagher. “That will require some focus for organizations.”

Another change is a HITECH provision related to electronic access. Covered entities are expected to cover the default right of electronic access when information isn’t maintained electronically. This is not a big difference from the prior law, said Greene. “Essentially, an individual was entitled to access to their information in the form and format requested if that form and format is readily producible. If the requested form and format was not readily producible the default form and format was a hard copy. Now, the default form and format is an electronic version."

Lastly, the HHS has indicated that they plan to continue the privacy and security audit program that began last year, according to Greene. "We can expect a significant delay while the agency is assessing the rules and looking at ways to improve it," he said. “We may not see audits pick up until late 2013 or even 2014. Then it’s an open question. They could continue the program much the way we’ve already seen. That’s a strong possibility. HHS has suggested that the next round will include BAs. That’s even more likely now that the rule is out.” There is a possibility of more focused audits on a specific area such as risk assessments or mobile devices, he added.

One thing is sure, according to Rose, “we’re going to continue to see reporting of breaches. There is always going to be human error. You can know all the rules, and have all the training but someone still might grab your laptop and run. There are always going to be things out of your control.”