Q&A: On remaining ambiguities in the final HIPAA rule
The so-called omnibus HIPAA Privacy and Security final rule that HHS issued on Thursday answered some questions, provided necessary guidance in certain areas — but some of the thorniest issues, data breach notification among those, are still cryptic enough that lawyers and privacy officers will still face difficult judgment calls every time a laptop is lost or stolen.
Bob Belfort is one such lawyer. As a partner in in the healthcare practice at Manatt, Phelps & Phillips, Belfort works with states and providers on health IT and related public policy issues, and frequently helps clients craft breach notifications. Government Health IT Editor Tom Sullivan spoke with Belfort after HHS posted the final rule about changes to data breach notification, alterations to patient privacy when it comes to fundraising practices, the lack of a bright line test, what the rule means for business associates of covered entities, and why the common lost laptop scenario is not going be any easier.
Q: What are the main points you were looking for in the final rule?
A: The one that will probably get the most attention is the definition of a breach. There’s been a lot of controversy over the risk of harm standard. In the proposed rule there would be no breach unless there was significant risk of harm to the individual. [HHS] announced a while ago that they were rethinking that standard and in this rule they back off the risk of harm standard and replaced with an assessment of whether the improper disclosure compromised the privacy and security of protected health information so basically the burden is on the covered entity to show that there’s a low probability that the information has been compromised.
There are two changes there. First, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, second, the burden of proof is clearly on the covered entity so if that can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.
HHS tried to navigate a middle ground between privacy advocates who were arguing that any improper disclosure should be treated as a breach and opponents in the industry who were basically okay with the risk of harm standard and wanted to retain that and HHS staked that middle ground between those two. So I think that’s going to have a big impact on how incidents are assessed for breach notification purposes.
Q: What other privacy changes are important to your clients?
A: An area that hasn’t gotten as much attention in the past but I know is a big one for my hospital clients is the change to the fundraising rule. Under the previous HIPAA privacy rule, a hospital could only use limited demographic information about its patients for fundraising purposes. Many of my hospital clients have had an interest in targeting fundraising based on the nature of the services a patient received or who their doctor was, and having doctors make personal appeals to the patients, or targeting, say, cancer fundraising at people who had been treated for cancer. They really were not permitted to do that under the prior rule.
Now that’s been loosened so that information about the type of department a patient was in within the hospital and who their physician was can be used to target fundraising. So I think that’s going to make a lot of the hospitals happy as it gives them more opportunity to target their fundraising.
Q: And what about those patients? Are they likely to appreciate that alteration to the rule?
A: It will be interesting to see what, if anything, the patient reaction is. Right now patients shouldn’t be getting fundraising solicitation that they can see they’ve been targeted based on the nature of the services they got. And I don’t know whether patients will have a negative reaction to getting solicitations that indicate fundraisers have looked at their data in more detail. They do have the right to opt-out and hospitals will have to include a notice on all fundraising communications that the patient has the right to opt-out of solicitations, so it may be that more patients exercise that right when they see that their information is being looked at more carefully for fundraising purposes.
Q: You mentioned that the burden of determining whether the information has actually been compromised is now on covered entities. How can they prove that?
A: It’s a somewhat ambiguous concept about what it means for information to be compromised. What the government has in mind, the focus is supposed to be on the risk that the information will be misused in some way or used for improper purpose, rather than focusing on what the impact of that would be on the patient. One of the challenges in the risk of harm standard and why there’s been so much concern about it is that whatever the nature is of your risk assessment, whether you’re evaluating risk of harm to the patient or risk that the data has been compromised, these are all judgment calls and there are factors the rule identifies that you’re supposed to consider in making that determination like the nature of the information that was disclosed, who received it, what your capacity to mitigate the improper disclosure. But at the end of the day there’s no bright line test so there is still going to be a need for privacy officers and lawyers and other people involved in the breach notification process to make difficult judgment calls about whether there’s enough information to conclude that the probability is low that the information will be compromised. The rule provides an example that would fall into that category where someone faxes information to the wrong doctor and they contact the covered entity and say ‘this isn’t my patient, I’m sending this back to you.’ At that point you can probably conclude that the risk that the information could be misused or has been misused is very, very low. But those are the easy cases. There are a fair number of more ambiguous situations where reaching the conclusion that there’s a low probability of risk is a difficult thing and reasonable people might differ about that.
Q: So the lost laptop or other portable media containing thousands or millions of patient records that we keep seeing — that particular scenario is not going to get easier, is it?
A: I don’t think there’s a rule that’s going to change that situation. If you can retrieve the laptop or the device and assess forensically that nobody has accessed the information, I think you can probably conclude that there’s no breach, both under the prior rule and the new rule, but if you can’t get the laptop back you’re pretty much stuck having to treat it as a breach. So I don’t think that’s going to change and the best defense against breaches involving portable devices continues to be encryption, which still is a basis for not having to do breach notification.
[3 minute podcast: Micky Tripathi, CEO of the Massachusetts eHealth Collaborative explains the compelling reasons all hospitals should encrypt their data. Play in a new window]
The percentage of organizations effectively encrypting their portable devices is growing but it’s still not at the level where it should be. I frankly continue to wonder why encryption is still addressable at least with respect to portable devices but it was not addressed in the proposed rule or in HITECH so the landscape on that issue is still basically the same.
Q: It sounds as if the omnibus rule will not make your job all that much easier…
A: No, I don’t think so. It really just changes the nature of some of the analysis that needs to be done. But there’s still the ambiguity in the rule, which I think is unavoidable when you don’t have a bright line test on notification. And I understand the government’s decision not to impose a bright line test because the only bright line test you could really impose would be to say every time there’s a disclosure not permitted by the rule you have to notify and I don’t think that’s the right standard because you’ll end up getting huge numbers of notifications about innocuous situations. That’s not good for the industry of for consumers, who I think will start to tune it out if they believe that most of these notices are not situations that really threaten them. So I understand and agree with the decision not to impose a bright line standard but as long as you don’t have one there will be judgment calls and that’s going to continue to be the case.
Q: In some ways that alert notification fatigue you referenced might already be happening as breaches are at something of a fever pitch. Now, do you anticipate an uptick in OCR audits and fines?
A: Yes. We’re already seeing the beginning of more aggressive enforcement and stiffer penalties, more frequent penalties. It’s routine for OCR to investigate when breaches are reported, particularly when there are 500 or more individuals. In all of those cases, they’re following up with questions and making a decision about whether some more intensive investigation is warranted so that’s already in progress. And I think that trend will definitely accelerate.
This was true in the proposed rule as well. One of the really significant provisions of the rule is extension of privacy and security obligations on business associates whereas before HITECH the security rule didn’t clearly apply to business associates and the government didn’t have clear authority to put penalties on business associates. And now those things have changed. Business associates should now really be looking at their own compliance programs and deciding whether they need to be enhanced because their risk is really escalating under this rule. All the vendors out there that took comfort in the fact that they weren’t covered entities are now in very much the same position as the covered entities and need to have very strong security and privacy programs.