Anatomy of a HIPAA breach

More and more companies are focusing on HIPAA compliance, with good reason. The law was strengthened in recent years to create tougher penalties when information is shared or disclosed illegally, and the analysis required to determine when a disclosure constitutes a breach has also changed. Given these recent changes to the law, and the high-stakes nature of HIPAA compliance in general, it’s a good time to review procedures for recognizing, analyzing, and responding to a breach.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) and subsequent regulations have changed several aspects of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the way covered entities should think about misuses of Protected Health Information (PHI).

HIPAA requires covered entities to conduct a thorough, good-faith analysis to determine whether misuse rises to the level of a breach. A “breach” is the unauthorized acquisition, access, use or disclosure of unsecured PHI which compromises the security or privacy of such information.

A breach contains the following elements: (1) an unauthorized acquisition, access, use, or disclosure; (2) of unsecured PHI; (3) resulting in an impermissible disclosure under the privacy rule; (4) that compromises the security or privacy of such PHI; and (5) to which an exception does not apply.

Under the final regulations issued by HHS, the concept of what “compromises” the security or privacy of PHI has changed. Under 2009 interim regulations for the HITECH Act, a breach occurred only if there was a significant risk of financial, reputational or other harm to the individual. The 2013 final regulations remove this “harm standard” and instead require a four-part risk assessment intended to focus on the risk that PHI has been compromised in a more objective way.

The 2013 regulations provide that a covered entity must presume that an acquisition, access, use or disclosure of PHI in violation of the privacy rule is a breach. This presumption holds unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised based on a risk assessment which considers at least the following factors: 1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification, 2) the unauthorized person who used the PHI or to whom the disclosure was made, 3) whether the PHI was actually acquired or viewed, and 4) the extent to which the risk to the PHI has been mitigated.

The nature and extent of the PHI involved

Covered entities should consider whether the disclosure involved PHI that is of a sensitive nature, including the types of identifiers and the likelihood of re-identification. Social Security numbers would be considered sensitive. Entities should consider the likelihood that someone could suffer financial or reputational harm based on the information.

The unauthorized person who used, accessed or received the PHI

The second factor requires covered entities to consider the unauthorized person who impermissibly used the PHI. Entities should consider whether the unauthorized person is trained in HIPAA compliance, has obligations to protect the privacy and security of the information, has a track record of protecting similar information, and can be obligated to return it. This factor should be considered in combination with the first factor regarding the risk of re-identification.

Whether the PHI was actually acquired or viewed

The third factor requires covered entities to analyze whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed. Entities may have the technology to confirm that information was unviewed, or they may be able to lock a lost cell phone or destroy files remotely in order to protect themselves under this factor.

The extent to which the risk to the PHI has been mitigated

Finally, covered entities must consider the extent to which the risk to the PHI has been mitigated. If the PHI is no longer in the entity’s possession, factors such as how easily it can be duplicated should be considered.

With high-profile data breaches on the rise and increased scrutiny by HHS, employers and other entities subject to HIPAA should review these new guidelines and revise their HIPAA policies and practices accordingly.

Tabatha George is an employment and labor attorney with Fisher & Phillips.