Take Steps Now to Avoid Potential Liability Under the Amended Breach Notification Rule if You Are a HIPAA-Covered Entity, Business Associate, or Business Associate’s Subcontractor
On January 17, 2013, the U.S. Department of Health and Human Services (HHS) announced a final omnibus rule amending the Health Insurance Portability and Accountability Act (HIPAA) of 1996 in accordance with the HITECH Act of 2009. The 2013 amendments modifying the HIPAA Privacy, Security, Breach Notification/Reporting and Enforcement Rules became effective March 26, 2013.
The amended Breach Notification Rule was significantly changed to clarify the definition of “breach” and the risk-assessment approach required for breach notification. Covered entities (CEs), business associates (BAs), and BAs’ subcontractors are accountable under the Rule, which applies to breaches discovered after September 23, 2013. The amended rule requires HIPAA-CEs to develop and document policies and procedures, to train workforce members on those policies and procedures and apply sanctions for failure to comply with them, to permit individuals to file complaints regarding the policies and procedures or a failure to comply with them, and to refrain from intimidating or retaliatory acts.
Key Points of the Amended Breach Notification Rule
Under the new definition, a “breach” is an unauthorized acquisition, access, use, or disclosure of protected health information (PHI) that compromises the security or privacy of that PHI. The new definition also creates a presumption that any unauthorized acquisition, access, use, or disclosure of PHI is a breach, and shifts the burden to the CE or BA to demonstrate through a risk assessment that there is a low probability that the PHI has been compromised. The risk assessment considers the following factors:
- What is the nature and extent of the PHI involved, and if disclosed, was it of a sensitive nature? Financial information is highly sensitive and might increase the risk of identity theft. Clinical information is highly sensitive and includes the nature of the services provided and the level of detail (diagnosis, medication, test results).
- Who was the unauthorized person? If PHI is impermissibly disclosed to another CE obligated to abide by the HIPAA Privacy and Security Rules, there may be a low probability that the PHI has been compromised. If PHI is not immediately identifiable, CEs may determine that the unauthorized person who received the PHI does not have the ability to re-identify the information.
- Was the PHI actually viewed or acquired? If only the opportunity existed for the PHI to be viewed or acquired (for example, mail sent to the wrong individual, who then informs the sender that the information was received in error), there may be a low probability that the PHI has been compromised.
- Has the risk to the PHI been mitigated? CEs and BAs should consider the extent to which the risk to the PHI has been mitigated, such as by obtaining the recipient’s satisfactory assurance that the information will not be further used or disclosed.
- When breach notification is required, it must be completed without unreasonable delay and in no case later than 60 days, to affected individuals, the Secretary, and in some circumstances the media. Notice to the Secretary of HHS of a breach of unsecured PHI can be found here.
- CEs must provide breach notification in writing by first-class mail, or alternatively by e-mail if the affected individual has agreed to receive such notices electronically.
- The notification must include a toll-free number for individuals to contact the CE to determine whether their PHI was involved in the breach.
All HIPAA-CEs must revise their Notice of Privacy Practices to Comply with the Omnibus Final Rule Amendments
The Omnibus Final Rule made changes in how practices can use or disclose a patient’s PHI. You must revise your Notice of Privacy Practices (NPP) to include the following:
- A description of the types of uses and disclosures of PHI that require a separate authorization (psychotherapy notes, marketing purposes, and disclosures that constitute a sale of PHI), together with a statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual.
- If your practice engages in fundraising activities, an explanation that the patient may be contacted to raise funds but has the right to opt out of such communications.
- A statement regarding the patient’s right to request a restriction on certain disclosures to their health plan if the disclosure is purely for carrying out payment or health care operations and the requested restriction is for services paid out-of-pocket.
- A statement that the practice is required to notify affected individuals of breaches of their unsecured PHI.
Note: Samples of NPPs can be viewed here.
The NPP must be made available to any person who asks for it, and must be prominently posted and made available on any website maintained by the CE that promotes its customer services or benefits. The NPP may be e-mailed if the individual agrees to receive an electronic notice.
We will review Security and HIPAA Compliance in the January 2014 newsletter.