“The Omnibus Rule will come out this year,” Michael “Mac” McMillan, CEO of security and regulatory specialist CynergisTek explained earlier this week, “and when it does OCR will have what it needs to investigate their issues.”
And so the HIPAA Privacy and Security final rule arrived late Thursday, to a large extent tracking what was in the proposed rule, but also bringing some significant changes that will impact the industry, according to Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips, which works with states and providers on health IT and related public policy issues, and frequently helps clients craft breach notifications.
“The one that will probably get the most attention is the definition of a breach,” Belfort added. “There’s been a lot of controversy over the ‘risk of harm’ standard.”
Indeed, the proposed rule held that there would be no breach unless there was significant risk of harm to the individual, but HHS indicated it might rethink that, Belfort explained, and in the omnibus rule replaced it with an assessment of whether the improper disclosure compromises PHI (protected health information).
“The burden is on the covered entity to show that there’s a low probability that the information has been compromised. There are two changes there,” Belfort said. “Number one, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, secondly, the burden of proof is clearly on the covered entity so if it can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”
Belfort views the final rule as HHS navigating the middle ground between privacy advocates arguing that any improper disclosure should be treated as a breach and those who wanted to retain the risk of harm standard.
Deven McGraw, director of the health privacy project at Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee said this is a very positive development.
“It continues to give organizations the right to do an investigation about what happened in the breach, and to make the judgment call in circumstances where the likelihood that anyone else saw the data is very low that they can make a decision not to notify for breach purposes,” McGraw continued. “This addresses the notion of over-notification that many stakeholders commented on and does it in a way that doesn’t give the breaching entity the subjective judgment call about whether that information would harm you or not. It refines some of the gray area and is a response to some of the criticism after the interim final rule. That’s appropriate.”
The rule also, as McMillan pointed out, arms OCR to continue audits and fines. “Third parties account for 40 percent of the breaches reported and 75 percent of the records exposed,” McMillan said.
Belfort expects the uptick in audits and fines currently under way to continue.
“We’re already seeing the beginning of more aggressive enforcement and stiffer penalties, more frequent penalties,” Belfort said. “And I think that trend will definitely accelerate.”