By Karen Collier
In August of 2009, one day after the statutory deadline set by Congress in the American Recovery and Reinvestment Act (ARRA), HHS released its interim final regulations on patient notification of breaches of unsecured Protected Health Information (PHI). These regulations were required under a part of the ARRA known as HITECH – the Health Information Technology for Economic and Clinical Health Act. HITECH included a number of amendments and additions to the HIPAA privacy and security rules. As with all of HIPAA Administrative Simplification, these provisions apply throughout the health care system, and not just in dealings with Medicare or other government programs.
The interim final regulations that pertain to the breach notification provisions in HITECH mandate covered entities (CE) such as health care providers, insurers and clearinghouses, and their business associates (contractors and vendors that access and use PHI for a covered entity) to notify patients in writing following the discovery of a breach of unsecured PHI. As of this writing, the health care industry is still operating under the interim final regulations.
In mid-August of 2010, HIPAA watchdogs noticed a strange occurrence – the final rule on patient breach notification, which had been wending its way through the regulatory approval landscape, was mysteriously pulled from the process. HHS had removed the rule from consideration at the Office of Management and Budget, with no advance word or explanation as to why. Insiders speculated on the cause of the interruption, and the following week the New York Times published an article openly declaring that the regulations were being rewritten by the administration to tighten up perceived holes in the breach notification requirements.
At issue is the “harm threshold” analysis inserted in the rules by HHS – a welcome, realistic provision according to many health care CEs, and an improper loosening of the rules to some privacy advocates and members of Congress, who crafted the patient notification requirements in early 2009. What HHS will do with the breach regulations, and how it will affect billing companies’ implementation of them, is still up in the air.
The current regulations define a breach as “the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of such information.”
Congress included these three narrow exceptions to the basic definition of breach:
- where the recipient of the information would not reasonably have been able to retain the information;
- certain unintentional acquisition, access, or use of information by employees or persons acting under the authority of a covered entity or business associate;
- certain inadvertent disclosures among persons similarly authorized to access protected health information at a business associate or covered entity.
Most observers agree that these exceptions will assist a covered entity or business associate in reducing the number of notifications it must send to patients resulting from ordinary, inadvertent access or disclosures. [Note: There is some confusion over the interpretation of the first exception, which will hopefully be answered in an FAQ or other official communication.]
The interim final rule continues its explanation of the CE or BA’s responsibility if patient information is improperly accessed or disclosed. It provides that a harm threshold analysis must be performed by the CE or BA upon unauthorized access, use or disclosure to determine whether the action “poses a significant risk of financial, reputational, or other harm to the individual” and, therefore, compromised the security or privacy of the information. This analysis is expected to be the key issue at stake in the new final rule.
Such an analysis must encompass a risk assessment which considers the following factors:
- Who impermissibly used or to whom was the information impermissibly disclosed (was it to another CE)?
- Can and did the CE take immediate steps to mitigate the impermissible use or disclosure (e.g., receipt of satisfactory assurances that information will not be further used or disclosed)?
- Was information returned prior to being accessed (e.g., a stolen laptop recovered where forensics show nothing was accessed)?
- Was the information partially de-identified (e.g. only name and hospital or transport)? Was the information sensitive in nature (sexually transmitted diseases, behavioral health, info that could impact employment)? Did it contain anything that would increase the risk of identity theft (e.g. SSNs, date of birth, etc.)?
- Was the information de-identified (limited data sets) by removing all 16 direct identifiers, plus date of birth and ZIP code? If so, then it may be an exception to the breach definition (CE or BA will need to perform risk assessment if info contains any of the identifiers).
The burden of demonstrating that an impermissible use or disclosure was not a breach (because it did not pose a significant risk of harm to the individual) lies with the CE or BA; such analysis must be documented if notification to the patient(s) is not made.
The HITECH Act says that all covered entities and business associates must notify patients in writing without unreasonable delay after the discovery of a breach and in no case later than 60 days once the breach is known.
The notice must contain, as far as is possible, the following information:
- A description of what happened, including when the breach occurred and when it was discovered;
- A description of the type(s) of unsecured PHI that was breached;
- The steps individuals should take to protect themselves against potential harm from the breach;
- A description of what the covered entity involved is doing to investigate the breach, mitigate losses and prevent future breaches; and
- Contact procedures for any questions and to learn additional information, including a toll-free number, email address, web site or postal address.
Patient notifications should be written at an appropriate reading level, using clear language and syntax, and not include any extraneous material that may cloud the message. The notice must be in written form, using first-class mail to the last known address for the individual. Email may be used where the patient has agreed in advance to use email for communication and notifications.
If 10 or more patients are involved that cannot be contacted by mail, the covered entity must post a public notice for at least 90 days in a conspicuous place on its website or through the media. If 500 or more patients are involved, then the major print and broadcast media in the area must be informed, as well as the Secretary of Health and Human Services.
Removal of the harm threshold analysis from the regulations will certainly open up billing companies and their clients to more administrative and financial burden by requiring letters to go to patients whose information goes astray, even where there is no risk of potential harm to the patient as a result. Supporters of the current provision say that more notifications to patients will not cause better privacy and security protections, but will cost the system more and cause unneeded anxiety and concern.
The Office of Civil Rights at the Department of Health and Human Services, charged with enforcing HIPAA privacy and security regulations under the original HIPAA and the new HITECH regulations, was reportedly urged by the White House to reconsider the breach notification rules due to the controversy over the “harm threshold.”
An OCR spokesman was quoted in the Times article as saying, “We decided to pull it back. We had second thoughts. We hope to issue a final regulation this fall.”
In the meantime, it is important for all HBMA member companies to review and strengthen not only their own privacy and security policies and procedures, but also those of their vendors and business associates, and to make sure that employees are well-trained to communicate mistakes or other errors in handling PHI to the privacy officer immediately. Whether the “harm threshold” analysis will survive or not, billing companies face new challenges every day to catch mistakes, minimize their reoccurrence and respond correctly under the law.