Guilty until proven innocent regarding HIPAA breaches

The HIPAA Omnibus Final Rule brings a significant change to the HIPAA/HITECH Breach Notification Rule. Prior to the HIPAA Omnibus Rule, organizations were required to perform a risk assessment to determine if there was likely harm to a patient resulting from a privacy breach. Determining if the breach resulted in harm was referred to as the “harm threshold”.

Changes under the HIPAA Omnibus Rule

As mentioned, the HIPAA Omnibus Rule has significantly changed what is and what isn’t a reportable breach. The “harm threshold” has been replaced with a more objective risk based approach. The Omnibus Rule now defaults to a reportable breach unless the organization can prove otherwise. In other words, you are guilty unless you can prove you are innocent. You have to report a breach unless you can prove that you do not have to report the breach.

The “hard threshold” allowed for a subjective analysis of whether a breach would pose harm to a patient. This allowed organizations to determine if they should or should not report a breach of patient information. Let’s look at the factors that organizations need to look at under the Omnibus Rule.

4 Factors

1. The nature and extent of the protected health information (PHI) involved, including the types of identifiers and the likelihood of re-identification

 

2. The unauthorized person who used the protected health information or to whom the disclosure was made

 

3. Whether the protected health information was actually acquired or viewed

 

4. The extent to which the risk to the protected health information has been mitigated

Taking a look at each of the 4 factors

1. The first factor to consider is the nature and extent of PHI involved. What information was involved in the breach? What names, social security numbers, credit card information, etc were included? If it was internal patient codes that didn’t disclose names of patients, what is the likelihood that the other information can be used to identify a patient?

 

2. The second factor to consider is who was the information disclosed to?  Was it another physician that was accidentally sent the wrong patient’s records? Was it hackers looking to sell patient information on the black market?  

 

3. The third factor and probably the most significant is whether the information was actually acquired or viewed. This is where an organization is guilty until proven innocent. Let’s take the scenario of a laptop that is lost or stolen. The laptop contained patient information and was NOT encrypted. It is the organization’s responsibility to prove that the patient data on the lost laptop was not accessed or viewed. Unless the organization can retrieve the lost or stolen laptop AND prove forensically that the information on the computer was not accessed, they have to assume it was a breach. The chance of retrieving a lost laptop and proving that the data was not accessed is very remote. This will cause a lot more breach notifications as the result of lost or stolen laptops, smartphones, USB  drives, etc.  It should be noted that if the device is encrypted then the breach does NOT need to be reported regardless of whether the device is retrieved or not. Encryption continues to be a “safe harbor” that does not require notification. 

 

4. The fourth factor looks at how a breach was been handled and mitigated. An example is that an incorrect patient record was sent via email to another physician. The employee realized their mistake and called the physician’s office and spoke with person that the email was sent to. The person assured the employee that the email would be deleted. In that case there is a low probability that the information would actually be used or shared.

More Breach Notifications 

The changes to breach notifications as a result of the HIPAA Omnibus Rule is significant. Organizations have to take a much more objective approach to breaches and notifications. As demonstrated, organizations are now guilty until they can prove themselves innocent. This will result in a lot more breach notifications being sent to patients and reported to HHS/OCR.

Find out more about the HIPAA changes under the Omnibus Final Rule. Download our 7 Things You Must Know About HIPAA Security. It’s packed with very useful information!