Son of HIPAA Breach Notification Rules

Health care providers: If your patient records aren't already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government — as well as by some private payors and self-insured employers — to get all health care providers wired in the near future, in order to better coordinate patient care, improve outcomes, and "bend the cost curve" all at the same time. There are some financial incentives in play to achieving "meaningful use" of "certified" EHR systems; those terms are to be defined in federal regulations later this year, but the outlines of those definitions are already pretty clear.

Once all that patient data — or as it is known in HIPAA-speak, protected health information (PHI) — is stored electronically, it becomes exposed to potential data breaches. In late September, two sets of federal regulations took effect that address the way in which PHI should be maintained, and the steps that should be taken to prevent a data breach and to notify the government and affected individuals in the event there is a data breach. Compliance with these rules — issued under authority of the HITECH Act by the US Department of Health and Human Services (HHS) with respect to health care providers, and by the Federal Trade Commission (FTC) with respect to EHR vendors and other similar third parties — requires affected practices and businesses to assess and update their data privacy and security policies and procedures, as well as train all affected staff accordingly.

The exposure in case of violation is significant, both in terms of fines and penalties and in terms of bad publicity-certain data breaches require notice to potentially affected individuals via the general media in addition to notices required to be fled with the regulators. The new rules — I call them Son of HIPAA — are layered on top of existing HIPAA privacy and security rules, the FTC's Red Flags Rule regarding identity theft protections to be put in place by any "creditor" (which includes health care providers not paid in full at the time of service — though the effective date of Red Flags Rule is now delayed yet again), and state privacy rules. While HHS and FTC took some pains to harmonize the new rules so that patients will not be bombarded with multiple data breach notifications about the same incident, for example, the other applicable rules out there have not been harmonized.

The key concept in the new breach notification rules is that encryption of patient data will eliminate the need to notify patients and the federal regulators in case of an inappropriate release of data. Such a release, if the data is encrypted (i.e., unusable, unreadable, or indecipherable), is not considered a breach. Encryption is not required, though, and each affected entity must engage in a cost-benefit analysis before deciding whether to encrypt all affected data.

Another important aspect of the rule is the concept of harm-the regulators decided that not every data breach should trigger all of the notice requirements, just breaches that "pose a significant risk of financial, reputational, or other harm to the individual." For example, if an employee of a health care provider accesses a patient record inappropriately, but immediately realizes his or her mistake, and exits the record quickly and does not retain any PHI, that is not a reportable data breach.

Finally, "business associates" under HIPAA are now required to implement policies and procedures to maintain privacy and security of PHI, parallel to those that have been required of "covered entities" under HIPAA since the beginning. All business associate agreements and notice of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Health care providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients' rights to their records are easily exercised could be a way to build goodwill among patients and potential patients.

This is an extremely brief introduction to a very involved set of regulations. My hope is that you now have a sense of how important it is to be sure that your operations are fully compliant with the regulatory requirements before full enforcement and random field audits begin in February 2010.

A version of this post was published on HCPlive.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting