Panel:
Nancy Davis, Ministry Health Care
Peg Schmidt, Aurora Health Care
Teresa Smithrud, Mercy Health System
Thomas N. Shorter, Godfrey & Kahn, S.C. (Moderator)

Today's panel discussion addresses the HIPAA/HITECH Omnibus Rule change to Breach Notification, which removed the harm threshold and replaced it with the presumption that each impermissible use or disclosure of PHI is a breach unless an exception applies or a risk assessment demonstrates a low probability that the PHI has been compromised.

Breach statistics

HIPAA security breach incidents affecting over 22 million individuals have been reported. Theft remains the leading reason for breaches, followed closely by unauthorized access/disclosure and then loss.

Top locations for large breaches:
- Laptops
- Paper records
- Desktop computers
- Portable electronic devices

Sec. 13402. Notification In The Case of Breach. (HITECH Act)

(a) In General. A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

Sec. 13400. Definitions. (Breach)

"... The unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information."

The new rule broadens the definition of breach of unsecured PHI: there are now more circumstances in which covered entities and business associates must give notice of a breach.

The Final Rule removed the exception for a limited data set that excludes dates of birth and zip codes. A risk assessment must now be conducted even when the PHI impermissibly used or disclosed involved only a limited data set.

Exceptions to the definition of breach:
1. Good faith, unintentional access, use or disclosure by a workforce member, within the scope of authority;
2. Inadvertent disclosure by a person authorized to access PHI within a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate; and
3. Good faith belief that the unauthorized person would not have been able to retain the PHI.

Subjective standard (prior rule): notification was required if there was a significant risk of financial, reputational, or other harm to the individual.

Objective standard (Omnibus Rule): eliminates the harm standard, which looked to whether the impermissible use, acquisition or disclosure of PHI constituted a significant risk of financial, reputational or other harm to the individual. The focus is now on the risk that the PHI was compromised, instead of the risk of harm to the individual.

Risk assessment factors:
1. Nature and extent of the PHI, including the types of identifiers and the likelihood of re-identification.
2. The unauthorized person who used the PHI and/or to whom the PHI was disclosed.
3. Whether the PHI was actually acquired or viewed.
4. The extent to which the risk to the PHI has been mitigated.

Breach determination process:
1. Determine whether there has been an impermissible acquisition, access, use or disclosure of PHI in violation of the Privacy Rule.
2. Determine whether the PHI is unsecured.
3. Evaluate whether the incident falls under one of the exceptions to the notification obligations.
4. Presume the impermissible use or disclosure is a breach unless a risk assessment demonstrates a low probability of compromise to the PHI.
5. Resist the urge to automatically assume notification is required.

After completing the four risk assessment factors and any other necessary factors, and after determining whether there is a probability that the PHI has been compromised, remember to document in writing any risk assessment and analysis you complete.

Notice of Privacy Practices: certain statements (e.g., maintenance of privacy by the covered entity) must now be listed in the notice. Note that the statement in the Notice does not need to include definitions of "breach" and "unsecured" or describe the types of information that will be provided in a breach notification.
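The five-step determination process and the four risk-assessment factors above, encoded as an incident triage helper that also produces the written rationale the deck says to keep on file. This is an added example, not the panel's or any organization's tool; the Incident fields, the exception labels, and the policy that the presumption of breach is rebutted only when all four factors favor a low probability of compromise are assumptions made here.

```python
# Breach determination triage following the steps in the deck. Added example,
# not the panel's or any organization's tool. The Incident fields, exception
# labels, and the policy that the presumption of breach is rebutted only when
# all four factors favor a low probability of compromise are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXCEPTIONS = {"good_faith_workforce", "inadvertent_authorized", "cannot_retain"}  # step 3


@dataclass
class Incident:
    impermissible_use: bool           # step 1: Privacy Rule violation?
    phi_secured: bool                 # step 2: encrypted/destroyed, i.e. not "unsecured"
    exception: Optional[str] = None   # step 3: exception claimed, if any
    # Step 4 factors; True means the factor weighs toward a low probability of compromise.
    identifiers_low_risk: bool = False   # nature/extent of PHI, re-identification unlikely
    recipient_trusted: bool = False      # recipient bound by HIPAA or a similar duty
    not_acquired_or_viewed: bool = False
    mitigated: bool = False


def assess(inc: Incident) -> Tuple[bool, List[str]]:
    """Return (notification_required, written rationale to keep on file)."""
    record: List[str] = []
    if not inc.impermissible_use:
        record.append("Step 1: no impermissible use or disclosure; not a breach.")
        return False, record
    if inc.phi_secured:
        record.append("Step 2: PHI was secured; breach notification rule not triggered.")
        return False, record
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception: {inc.exception}")
        record.append(f"Step 3: exception applies ({inc.exception}); no notification.")
        return False, record
    factors = {
        "nature and extent of PHI": inc.identifiers_low_risk,
        "unauthorized recipient": inc.recipient_trusted,
        "PHI actually acquired or viewed": inc.not_acquired_or_viewed,
        "extent of mitigation": inc.mitigated,
    }
    for name, favors_low in factors.items():
        record.append(f"Step 4, {name}: {'low' if favors_low else 'elevated'} risk")
    low_probability = all(factors.values())  # assumed conservative policy
    if low_probability:
        record.append("Low probability of compromise demonstrated; presumption rebutted.")
    else:
        record.append("Presumption of breach stands; notify individuals and HHS/OCR as required.")
    return not low_probability, record
```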
Panel discussion questions

What have you done to make the transition to the new breach standard?

Policy

Processes: format; staff involved; processes needed to document against the new breach notification criteria.

Staff education and training: effective ways to teach workforce members the reality of the criteria. Which training formats have been especially effective?

Do you still see a place for the old harm standard?

What problems with the transition do you foresee?

Do you anticipate an increase in breach notifications to patients and to OCR?

What do you foresee as problematic breach scenarios?

Problematic scenarios