To round out this four-part series, we’ll discuss two important and often misunderstood aspects of HIPAA compliance in 2015: the requirements of the Breach Notification Rule (BNR) and the tiered penalty structure of the Enforcement Rule.
The earlier installments of this series can be read here:
These posts demonstrate the importance of integrating HIPAA compliance into your existing IT security program, and specifically address compliance with the requirements and nuances of HIPAA’s separate-but-related Security and Privacy Rules.
Breach Notification Rule
The Breach Notification Rule (BNR) was one of the aspects of HIPAA most affected by the passage of the Final Omnibus Rule. Prior to the Omnibus Rule, the BNR defined a breach as an acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI and involves a significant risk of financial, reputational or other harm. This was referred to as the “harm standard,” and it meant that an unauthorized disclosure of PHI was only considered a breach if harm to individuals could be shown.
This standard was turned on its head.
Now, the rule provides that “an acquisition, access, use or disclosure of protected health information in a manner not permitted under [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” So any unauthorized disclosure is considered a breach by default, and the onus is on the covered entity or business associate to prove otherwise. The Omnibus Rule effectively reversed the burden of proof that governs HIPAA breaches.
The practical effect of the BNR change is the creation of a more objective standard that can be applied more uniformly. It also reduces the ability of covered entities to be creative in their interpretation of “harm,” and draws a brighter line between a breach and a non-breach.
Furthermore, the Omnibus Rule states that the probability of compromise should be based upon a risk assessment that addresses the following factors:
- The unauthorized person who used the protected health information or to whom the disclosure was made. Things to consider:
  - Does the recipient have an obligation to protect PHI, or was the disclosure made to another entity subject to HIPAA?
  - Is the recipient able to combine the disclosed data with its own information to re-identify it?
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification. Things to consider:
  - How sensitive was the information breached?
  - How likely is it that the data can be used to identify an individual and thus be used improperly?
  - Can the data be linked with other information, thereby re-identifying it?
- Whether the protected information was actually acquired or viewed. Things to consider:
  - Given the circumstances, was there an opportunity for someone to access, use, transfer or view the data?
- The extent to which the risk to the protected health information has been mitigated. Things to consider:
  - What has been done to mitigate the potential harm caused by disclosing the data, such as a confidentiality agreement, or assurances that the disclosed data will be destroyed or hasn’t been viewed or accessed?
Evaluating these factors after a potential breach will begin to provide an organization with information needed to gauge the probability of data compromise.
Yes, the rule does have exceptions. If a covered entity or business associate can prove one of the following scenarios, then breach notification will not be triggered:
- Any unintentional acquisition, access or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
- Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or at an organized health care arrangement in which the covered entity participates, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
- A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. An example from HHS: A covered entity, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals. A few of the EOBs are returned by the post office, unopened and marked as undeliverable. In these circumstances, the covered entity can conclude that the improper addressees could not reasonably have retained the information. The EOBs that were not returned as undeliverable,
Breach Notification Requirements and Obligations
When a disclosure of data has been deemed a breach under the BNR, several things must be done. Notice has to be sent to the individuals affected, to the Secretary of HHS and potentially to the media. The notice has to contain specific information, and must be sent according to a strict timeline.
A breach is deemed discovered by a covered entity or a business associate if “any person, other than the individual committing the breach, that is an employee, officer or other agent of such entity or associate” knows or should reasonably have known of the breach.
Notice to Individuals: A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach.

| Requirement | Details |
|---|---|
| Timeliness | A covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. |
| Content | A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.<br>A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved).<br>Any steps individuals should take to protect themselves from potential harm resulting from the breach.<br>A brief description of what the covered entity involved is doing to investigate the breach, mitigate harm to individuals and protect against any further breaches.<br>Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website or postal address. |
| Form of Notice | Written notice via first-class mail to the individual’s last known address, via email, or to next of kin/personal representative if the individual is deceased.<br>Substitute notice if written notice is not possible. If fewer than 10 people are affected, telephone or other alternative means can be used. If more than 10 people are affected, a posting on the website of the breached organization or notice in major print or broadcast media in the geographic areas where the individuals likely reside, for at least 90 days, including a toll-free number for individuals to learn whether their data was breached.<br>If notice is urgent, notice may be provided via telephone, in conjunction with a written notice. |

Notice to the Media: For a breach of unsecured protected health information involving more than 500 residents of a state or jurisdiction, a covered entity shall, following the discovery of the breach as provided in § 164.404(a)(2), notify prominent media outlets serving the state or jurisdiction.

| Requirement | Details |
|---|---|
| Timeliness | A covered entity shall provide the notification required without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. |
| Content | Same requirements as individual notice. |

Notice to the Secretary: A covered entity shall, following the discovery of a breach of unsecured protected health information, notify the Secretary of HHS.

| Breach size | Details |
|---|---|
| 500 or more individuals | For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in § 164.412 (law enforcement delay), provide the notification to the Secretary contemporaneously with the notice required by § 164.404(a) and in the manner specified on the HHS website. |
| Fewer than 500 individuals | For breaches of unsecured protected health information involving fewer than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification to the Secretary of the breaches discovered during the preceding calendar year, in the manner specified on the HHS website. |
Business Associates must notify the covered entity when they discover a breach, without unreasonable delay and no later than 60 days from discovery. Business Associates also have to notify the CE of the identities of the individuals affected, or believed to have been affected, by the breach. The CE, in turn, will notify the individuals. Business Associates also have to provide CEs with the information that the CE is required to include in its written notices to individuals. BAs may be responsible for notifying the individuals directly if doing so is part of the Business Associate Agreement.
Enforcement Rule
Prior to the Final Rule, it was generally held that HIPAA had no enforcement “teeth.” The Final Omnibus Rule changed this sentiment, and not only did it add teeth, but it filed those teeth to sharp points.
Nowadays, a non-compliant organization faces a four-tiered penalty structure, whereby fines are calculated to be commensurate with the significance of the non-compliant act(s). Additionally, criminal liability exists for a person who knowingly discloses health information, ranging from a $50,000 fine and/or up to a year in prison to a $250,000 fine and/or up to 10 years in prison.
Here’s how the tiered system breaks down:
Tier 1: Violations that the entity did not realize it made; $100 – $50,000 per violation with a $1.5 million annual cap.
Tier 2: Violations due to reasonable cause; $1,000 to $50,000 per violation with an annual cap of $1.5 million.
Tier 3: Violations due to willful neglect that were corrected; $10,000 to $50,000 per violation with a $1.5 million annual cap.
Tier 4: Violations made by reason of willful neglect but that were not corrected; $50,000 per violation with an annual cap of $1.5 million.
It’s not hard to find recent evidence of multi-million-dollar HIPAA fines being handed down. The government is taking HIPAA compliance very seriously, and it isn’t afraid to whack you with a huge penalty. It’s evident that the cost of becoming compliant is substantially exceeded by the cost of non-compliance. If nothing else, HIPAA compliance is simply a smart business decision.
This series was designed to give readers an understanding of what HIPAA compliance means in 2015, why it’s important and how you can begin a HIPAA compliance program. Please stay tuned for more HIPAA-related information, thoughts, opinions, interpretations and updates. But for now, contact Lunarline … before it’s too late.