Talk of a final rule pertaining to the privacy breach notification portion of the Health Information Technology for Economic and Clinical Health Act (HITECH) in combination with the buzz surrounding broader changes to HIPAA privacy and security regulations has caused a fair amount of confusion among healthcare providers and administrators.
The bottom line for privacy breaches is that nothing has changed … yet. “The breach notification in the interim final rule is the law of the land,” stated Alisa L. Chestler, of counsel for Baker Donelson. The Washington, D.C.-based attorney, who is part of the firm’s Health Law group and counts privacy and security among her specialties, said it is understandable that providers and administrators might be confused given the intertwined nature of HIPAA and HITECH, which was part of the American Recovery and Reinvestment Act (ARRA).
Adding to the general muddle is the fact that a final rule has been ‘coming soon’ for the past year. In fact, a final rule regarding privacy breach notifications was floated out to the Office of Management and Budget (OMB) in May 2010 but was withdrawn two months later. “They (covered entities) heard that the rule got pulled back and thought it was the interim final rule, when in fact it wasn’t,” Chestler said. “That’s where a lot of the confusion began.”
A Little History
Privacy and security regulations have been around for over a decade, and thought was given to the subject when HIPAA legislation was passed in 1996. Over the years — as providers called for administrative simplification and standardized transactions … and as healthcare began to segue to electronic data exchange — Congress realized the need to be much more careful about the privacy and security of personal information. Tougher standards were implemented in 2003.
Then, in 2005, there was the ChoicePoint data security breach. Chestler explained that the Georgia-based company inadvertently sold information to thieves. “At that time, California was the only state that had a breach notification law,” she said, adding that therefore ChoicePoint wasn’t legally obligated to notify any customers of the breach with the exception of those living in California. “Since 2005, over 45 states have implemented state data breach laws.” Although ChoicePoint wasn’t dealing in healthcare information, the incident brought the issue to light.
Indeed, the attention prompted Congress to include a federal mandate for notifying individuals when personal data was breached in the HITECH legislation. “Congress instructed HHS to put together a breach notification regulation,” noted Chestler. “That was done and issued in August 2009 as an interim final rule and went live in September 2009.”
Where The Rule Now Stands
Although only a handful of people know for sure what caused the outcry over the pending final rule for privacy breach notification, it has been broadly speculated that there is debate and disagreement over the harm standard, which gives latitude to healthcare facilities to assess the real risk of harm to an individual as the result of a breach.
“I think that may be one of the sticking points as to why they haven’t released the final rule,” Robert M. Tennant, senior policy advisor for the Medical Group Management Association, said of the delay from HHS. “I think there was some concern as to whether or not the practice is in a position to determine harm. Our position is that they are in the best position to determine that.”
Chestler agreed the determination of harm seems to be at the center of the current controversy. “In its simplest form, the point of a breach notification is to say, ‘You, Jim Jones, have had your personal information compromised.’” However, she added, there is an analysis to be performed to determine if there is a real risk of harm from that breach. If a record was sent to Dr. Johnson instead of Dr. Johnston, is there any real danger that the patient’s information will be used in a nefarious manner? Similarly, if a nurse grabs the wrong patient folder, glances at it and realizes the mistake, has the patient been harmed?
The answer … to some extent … is that it depends on the circumstances. Generally in these situations, the patient is at no real risk of harm. The exception to the rule might be if the patient was a celebrity and unauthorized staff members were looking without permission out of curiosity or with an eye toward financial gain.
Another often-cited example is a stolen or lost laptop, hard drive or USB drive. If that hardware was encrypted, then arguably there is no risk of harm to the individuals whose information resided on the hardware, Chestler explained. “Regardless of the event, the issue will be whether there is a threat to the financial, reputational or other harm, which would impact the well-being of that individual. The analysis of the threat is a key component to the rule,” she continued.
“There’s got to be some flexibility built into the rule so practices don’t incur needless costs — time and expense — to notify patients,” Tennant added. “The practice should have the discretion to make that call I think, and that’s been our position all along.”
In addition to the burden on providers and administrators to notify individuals of every incident in which no real risk of harm exists, there is the worry that patients would be inundated with notifications since such occurrences happen relatively frequently. “There is a concern that if individuals really start getting notifications as often as it happens that people will become desensitized to them,” said Chestler, adding, “Will your average person receiving these notifications really be able to discern when there is a real risk of harm?”
When a true breach does occur, the law is quite specific about the steps that must be followed. Detailed information is available through HHS at: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html. When more than 500 records have been breached … or potentially breached, such as might happen with a stolen laptop … then the covered entity must notify the media and the information is posted on OCR’s ‘Wall of Shame.’
Knowing the federal law, however, is not enough. As Chestler pointed out, most states now also have their own privacy breach notification laws. Therefore, if a breach occurs, not only must the HITECH rules be followed, but steps must also be taken as outlined in the statutes of any state in which a patient resides. This is particularly important in large urban settings where patients might travel regionally or nationally for treatment. “HIPAA is a starting point and provides a good baseline, but that’s not the only law (covered entities) need to know about,” said Chestler.
For example, HITECH/HIPAA requires notification “without unreasonable delay and in no case more than 60 calendar days from discovery,” Chestler explained. However, California’s law is much tighter on timelines. “In 2010, the state of California fined a hospital $250,000 — the highest possible penalty — for failing to notify patients within the mandatory five days for facilities. They notified them within two weeks, but they still got the maximum penalty,” she said.
An Ounce of Prevention
“This is one of those issues where we’re trying to encourage our members to be proactive because you want to avoid a breach rather than have to send out notifications,” said Tennant. He added that even if the harm standard should be eliminated from the final rule, it’s likely that certain safe harbor standards would still apply such as media destruction and encryption. “We’re certainly encouraging our members to explore encryption, especially since more and more physicians are using mobile technology.”
Like Tennant, Chestler said her message is always about preventive measures. However, she added, the reality is often a matter of when, not if, there is a breach. When a breach does occur, it’s vital to be ready. “If they don’t have the basics down, then their breach has turned into a much bigger issue than it had to.”
She continued, “Hackers and viruses exist, and they’ll always exist. The question is, ‘What are you doing to prevent hackers or viruses from successfully infiltrating your systems?’ If the answer is ‘nothing,’ then you have a problem.”
Even without the final rule, there has been a lot of tweaking since major privacy regulations were rolled out in 2003. Tennant said it’s vital for covered entities to reevaluate their privacy and security plans, update virus software, ensure the current team understands the law, and reassess how daily operations have changed over time and what that means in light of increased data exchange. “From time to time, you should have a long, hard look at your policies and procedures to make sure they are really doing what you want them to do.”
Both Chestler and Tennant said HHS is developing an omnibus HIPAA rule that is anticipated by year’s end. The expectation is that the final privacy breach notification rule will come out at or about the same time.
“What we’re trying to do with HITECH is craft regulations that don’t impede the ability of physicians to provide care for their patients but do provide an adequate level of privacy protection,” concluded Tennant. “We’re cautiously optimistic that we’ll see a privacy breach notification rule that is workable for the physician practice community.”