The omnibus HIPAA Privacy and Security final rule HHS released on Jan. 17 answered some questions and provided necessary guidance in certain areas — but some of the thorniest issues, data breach notification among them, remain cryptic enough that lawyers and privacy officers will face difficult judgment calls every time a laptop is lost or stolen.
Bob Belfort is one such lawyer. As a partner in the healthcare practice at Manatt, Phelps & Phillips, Belfort works with states and providers on health IT and related public policy issues, and frequently helps clients craft breach notifications. Belfort weighs in on changes to data breach notification, fundraising practices, the lack of a bright line test, business associates and why the problems associated with a lost laptop are not going away.
Q: What are the main points you were looking for in the final rule?
A: The one that will probably get the most attention is the definition of a breach. There’s been a lot of controversy over the risk of harm standard. In the proposed rule there would be no breach unless there was a significant risk of harm to the individual. [HHS] announced a while ago that they were rethinking that standard, and in this rule they back off the risk of harm standard and replace it with an assessment of whether the improper disclosure compromised the privacy and security of protected health information. So basically the burden is on the covered entity to show that there’s a low probability that the information has been compromised.
There are two changes there. First, the focus of the assessment is no longer on the harm to the patient but on whether the information has been compromised, and, second, the burden of proof is clearly on the covered entity. So if it can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.
HHS tried to navigate a middle ground between privacy advocates, who were arguing that any improper disclosure should be treated as a breach, and opponents in the industry, who were basically okay with the risk of harm standard and wanted to retain it. HHS staked out that middle ground between those two. So I think that’s going to have a big impact on how incidents are assessed for breach notification purposes.
Q: What other privacy changes are important to your clients?
A: An area that hasn’t gotten as much attention in the past but I know is a big one for my hospital clients is the change to the fundraising rule. Under the previous HIPAA privacy rule, a hospital could only use limited demographic information about its patients for fundraising purposes. Many of my hospital clients have had an interest in targeting fundraising based on the nature of the services a patient received or who their doctor was, and having doctors make personal appeals to the patients, or targeting, say, cancer fundraising at people who had been treated for cancer. They really were not permitted to do that under the prior rule.
Now that’s been loosened so that information about the type of department a patient was in within the hospital and who their physician was can be used to target fundraising. So I think that’s going to make a lot of the hospitals happy as it gives them more opportunity to target their fundraising.