Final HIPAA Rules Issued: “Sweeping” Changes for Healthcare Providers and Business Associates - Part II

Mar 06, 2013 at 02:18 pm by steve


This is part two of the article addressing the recently released Final HIPAA Rule ("Final Rule"). Part two addresses breach notification, notices of privacy practices and clarifies the enforcement provisions. Part one ran in last month's issue of the Birmingham Medical News, which addressed business associates, new use and disclosure requirements, and expanded patient rights.


Breach Notifications

The term “breach” still means the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information. Prior to the Final Rule, HIPAA allowed covered entities to determine whether the security or privacy of PHI was compromised based on a “harm standard.” Under that standard, a breach of PHI would not have occurred unless the disclosure presented a significant risk of financial, reputational or other harm to the individual.

The Final Rule eliminates the “harm standard” and instead provides that an impermissible use or disclosure of PHI is presumed to be a breach, and therefore notification is required, unless a covered entity can demonstrate and document that there is a “low probability that the PHI has been compromised.” A covered entity is required to consider and document four factors to determine whether the new “low probability” standard has been met: the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom the disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.

When a breach of PHI occurs, a covered entity has an obligation to report the breach to the affected individual, the Secretary of HHS and possibly the media. The Final Rule maintains the current breach notification requirements without modification, but provides clarification on when a breach is discovered, the time frame for reporting a breach, methods of notification, and the content of the notice. A covered entity must exercise reasonable diligence to discover a breach. Whether a covered entity used reasonable diligence will generally be a factual determination depending on the facts and circumstances. The Final Rule also makes it clear that the time period to report a breach begins to run when the incident becomes known, not when it is determined that a breach as defined by HIPAA has occurred.


Updates to Notice of Privacy Practices

HIPAA requires that covered entities distribute a Notice of Privacy Practices to patients describing the uses and disclosures of PHI a covered entity is permitted to make, the individual’s rights concerning PHI and the covered entity’s legal duties and privacy practices with respect to PHI. Covered entities must update their Notice of Privacy Practices to address the changes caused by the Final Rule. The updated Notice of Privacy Practices should address, among other things, the prohibition on the sale of PHI, the new opt-out requirements for fundraising, an individual’s right to restrict access to PHI to a health plan, and the new HIPAA breach notification requirements.


The Enforcement Rule

Significantly, the enforcement provisions of the Final Rule impose civil money penalties directly on business associates and their subcontractors. Now, many of the provisions of HIPAA and the HITECH Act apply directly to business associates and their subcontractors in substantially the same manner as they apply to covered entities. Consequently, business associates and their subcontractors are subject to civil money penalties for HIPAA violations similar to covered entities.

The enforcement provisions also impose liability on covered entities and business associates for violations caused by their agents, and require (instead of permit) HHS to conduct compliance reviews and investigations for certain HIPAA violations. Finally, the enforcement provisions no longer require HHS to first attempt informal resolution of a violation prior to imposing civil money penalties.

Although the enforcement provisions retain the tiered civil money penalty structure that was implemented in the Interim Final Rule, they clarify the “state of mind” requirement applicable to the "reasonable cause" standard. Under this standard, a violation falls in the reasonable cause tier when it is established that the violation of HIPAA was due to reasonable cause and not to willful neglect. “Reasonable cause” is now defined as an act or omission in which the covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.

The enforcement provisions also list numerous factors that HHS will consider in determining the amount of a civil money penalty. These factors include the nature and extent of the violation (including the number of individuals affected and the time period), the nature and extent of the harm resulting from the violation (including whether the violation caused physical harm, financial harm or harm to the individual’s reputation), the covered entity or business associate’s history of prior compliance with HIPAA, and the financial condition of the covered entity or business associate.

The enforcement provisions also extend liability to covered entities and business associates when a HIPAA violation is caused by one of their agents. Previously, a covered entity would not be liable for a HIPAA violation caused by an agent as long as the covered entity had met its business associate agreement requirements, did not know the business associate was in violation of the agreement, and did not fail to act as required by HIPAA if it was aware of a pattern or practice of violations by the agent. Now, covered entities and business associates can be held liable for the acts of their agents acting within the scope of the agency, even if the covered entity or business associate itself did no wrong. Whether or not a business associate is an agent of a covered entity will be fact-specific, taking into account the terms of the business associate agreement and the totality of the circumstances involved in the relationship.

Previously, HHS had the discretion to investigate complaints and to conduct compliance reviews. Now under the enforcement provisions, HHS is required to conduct a complaint investigation or compliance review where facts indicate a possible violation due to willful neglect. Where willful neglect is not indicated, HHS still retains discretion to decide whether to conduct a compliance review or complaint investigation.

The previous HIPAA rules required HHS to first attempt to resolve noncompliance by informal means such as settlement agreements with covered entities. The enforcement provisions now provide that HHS has discretion to attempt settlement prior to seeking civil money penalties. Consequently, HHS may pursue civil money penalties directly without attempting informal resolution efforts.

Jim Hoover is a partner in the Health Care Practice Group at Burr & Forman LLP and exclusively represents healthcare providers in regulatory and litigation matters.