After a wait of nearly three years, the U.S. Department of Health and Human Service's Office for Civil Rights released the much-anticipated update to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules, also known as the HIPAA omnibus
Another major development out of the HIPAA omnibus is the premium that Office for Civil Rights (OCR) officials place on documenting privacy and security policies, as well as responses to breaches. In particular, the changes to the breach notification rule set the bar high for documentation, and covered entities that fail to keep adequate records could face enforcement actions, even when their general response to a breach is appropriate.
The interim rule used a harm threshold to assess whether a covered entity was subject to penalties in the event of a data breach. This criterion forced providers to assess whether a breach was likely to result in significant financial, reputational or other harm to patients. The updated rule eliminates the threshold and assumes harm anytime there is a high probability that personal health information (PHI) has been compromised. It is up to the covered entity to assess whether an event such as a lost thumb drive or network intrusion is likely to have compromised PHI and to report any such cases to the OCR.
Breaches happen all the time. They are ubiquitous. Most of them are absolutely harmless and innocuous, but others are less innocuous. It adds enormous burdens.
head, global privacy and data security practice, Hunton and Williams
Doug Pollack, chief marketing officer at ID Experts, said this is a much more objective standard that will likely lead to more breach reporting. But organizations shouldn't worry they will be fined every time they report a breach. Those who have clearly documented their security policies and their method of responding to the breach are less likely to be fined, he said.
But many health organizations will have to change their culture to ensure this kind of documentation takes place. Health care organizations often don't make security a top priority, and compliance efforts tend to be underfunded, said Carlos Leyva, attorney and managing partner at the Digital Business Law Group of Pennsylvania. To comply with the new rules providers are going to have to examine how they approach security and privacy. The changes should start at the top.
"Until you reach the executive suite and they get it, not much is going to change," Leyva said. "That poor compliance officer just has that title, they don't have the budget. This is an executive-suite issue."
Leyva said an organization could do everything right when it comes to protecting PHI and responding to breaches. But if it doesn't have these policies and procedures documented appropriately, they become nothing more than "empty promises" during an OCR investigation. In this case the enforcement agency will assume the organization's procedures were inadequate and likely take action against the provider.
Because of the enhanced documentation requirements and other provisions, Lisa Sotto, head of the global privacy and data security practice at the law firm Hunton and Williams, sees the omnibus rules as creating major new burdens for providers, some of which she described as "administrative nightmares." The elimination of the harm threshold will force organizations to investigate any possible misuse of PHI and document the entire process. This could result in providers spending significant time reviewing small events.
"Breaches happen all the time," Sotto said. "They are ubiquitous. Most of them are absolutely harmless and innocuous, but others are less innocuous. It adds enormous burdens."