[ Monday, January 21, 2013 ]
Nugget 10: Breach Notification: This is the big one. The "harm" standard is out. Under the interim rule, a breach was not reportable if there was no substantial risk of financial, reputational, or other harm to the individual whose information was improperly used or disclosed. The vast majority of commentators supported the "harm" standard, but there were concerns that it was too subjective, and the rule should be more objective.
Jeff [2:45 AM]
So, the "harm" standard is no longer the rule. Now, an improper use or disclosure is a breach (unless it meets one of 3 stated exceptions) "unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." That's less subjective, I guess (not dependent on the risk of harm, which would be different for different people and different situations). But it's still subject to individual interpretation. Mainly, what the hell does "compromised" mean? HHS doesn't say.
The burden of proof is on the covered entity or business associate to show a low probability of compromise.
Upon a breach occurring, a covered entity or business associate must conduct a risk assessment using 4 factors: (i) the nature of the PHI involved (apparently not the sensitivity of the data -- like STD or mental health data being of a nature that would make a breach more troubling -- but rather how much identifying data is there); (ii) who used or received the PHI; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk has been mitigated.
The interim rule also had an exception that you did not have to report the improper use or disclosure of a limited data set that also excluded dates of birth and zip codes. HHS acknowledges that such a breach would probably pass a risk analysis, but they won't give it a bright-line free pass.
In my opinion, this is a bad change. It doesn't make it any less subjective, it just changes the specific types of issues you'll argue about. And why are we concerned about a potential "compromise" of the data (i.e., you report if the data is compromised), rather than being concerned about the well-being of the breach victim (i.e., you report if the victim is at risk of harm)? Even within the commentary, HHS notes that reviewing the type of information in the breach might reveal whether it's the type of information that "could be used by an unauthorized recipient in a manner adverse to the individual." Isn't that another way of saying "cause harm to the individual"?
Ultimately (and as mentioned by HHS), this is another nail in the coffin of those who want to avoid using encryption. The encryption golden ticket just got more gilt.
One last thing: HHS makes clear that any violation of the "minimum necessary" rule could be a breach (it's an improper use or disclosure), and therefore you must do a risk analysis any time someone violates the minimum necessary rule and, unless you determine a low probability of compromise, you'll have to report it.