The new HHS rule applies to providers, health plans and other so-called “covered entities” as defined by the Health Insurance Portability and Accountability Act of 1996 and their business associates. Also a part of the rule is a request for public comment and an updated “guidance” on using technology and processes to secure patient information in such a way as to eliminate the need for breach notification. The effective date of the rule is Sept. 23. Comments on the rule are due Oct. 23.
The Federal Trade Commission last month wrote a companion rule governing breaches involving personal health-record systems and their business associates and service providers.
In April, HHS took its first shot at rulemaking on the new breach notification law in a 20-page guidance specifying the technologies and methodologies HHS deems capable of rendering patient-identifiable records “unusable, unreadable or indecipherable”—a phrase taken from the recovery act itself—to unauthorized individuals. In its initial guidance, HHS approved encryption as one such protective technology. HHS said destroying the record under specific guidelines was an acceptable methodology. Either way, such a rendering would, according to HHS, give data holders a “safe harbor” from federal breach notification rules by both HHS and the FTC.
Also in the April guidance, HHS toyed with—and sought public comment on—the idea of possibly creating a safe harbor from the new breach notification requirement by classifying so-called “limited data sets” as “unusable, unreadable or indecipherable” as well.
As defined under HIPAA, fully de-identified data has 18 key identifiers such as name, address, Social Security number, date of birth, dates of service, ZIP codes and sex, among others, removed from the patient records. In comparison, limited data sets have 16 identifiers removed, but retain identifiers such as dates—date of birth, dates of service—and locations—state, city, town or ZIP code. Because their data can be re-identified, limited data sets under HIPAA must be protected as if they were fully identified patient information. They can be released without patient consent, however, for certain purposes, such as research.
In the updated guidance accompanying the Aug. 24 interim final rule, HHS retained encryption and destruction as the only two technologies or methodologies that qualify for the breach notification safe harbor despite what HHS said was “a majority of commenters” calling for extending the safe harbor to limited data sets. HHS said it decided against including limited data sets in the safe harbor, “due to the potential risk of re-identification of this information.” (According to a research study at Vanderbilt University cited in the final rule issued last month by the FTC on PHRs, 68% of limited data set records could be re-identified.)
One area where HHS rulemakers appeared to be stretching the statute to satisfy industry commenters was in defining “breach” itself, and here HHS also gave some comfort to users—and possibly to future breachers—of limited data sets by introducing the threshold of “harm” to the definition of the word breach.
In a section on definitions, language in the recovery act says: “The term ‘breach' means the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” Thus, the word “harm” is not in the statutory definition of breach.
And yet, HHS reported that “many commenters suggested that we add a harm threshold such that an unauthorized use or discloser of protected health information is considered a breach only if the use or disclosure poses some harm to the individual.”
As justification, HHS said, “These commenters noted that the ‘compromises the security or privacy' language” in the statute “contemplates that covered entities will perform some type of risk assessment to determine if here is a risk of harm to the individual, and therefore if a breach has occurred,” HHS said.
Even so, the idea that a covered group should perform an assessment of harm to determine whether a disclosure is serious enough to constitute a “breach” is not only unspecified in the definition of breach, but also the idea is nowhere to be found anywhere else in the breach notification section of the recovery act.
In fact, the only place the word “harm” is found in the breach notification section of the statute is in a part that instructs covered groups on what they should include in the text of a breach notification itself. Specifically, the statute says any notice by covered organizations to patients affected by a breach of information should include: “The steps individuals should take to protect themselves from potential harm resulting from the breach.”
Nevertheless, the concept of harm as a pre-condition to the existence of a breach (at least by HHS's definition) was created by HHS by adding language to the interim rule. Ultimately, it would appear, HHS went along with the commenters' suggestion.
“We agree that the statutory language encompasses a harm threshold,” the HHS rule said, adding it had “clarified” its definition of breach by coming up with its own definition of the phrase “compromises the security or privacy of the protected health information.” According to the HHS rule, the phrase “compromises the security or privacy of the protected health information” in that statute means “poses as significant risk of financial, reputational or other harm to the individual.”
HHS further supported its decision to add an assessment of harm to the definition by noting it would harmonize the breach notification rule for HIPAA-covered entities with a 2007 Office of Management and Budget memorandum on handling breaches within federal agencies. The memo requires a federal agency suspecting a security breach to assess harm. The office, however, defined harm with a somewhat lower threshold than HHS as “damage, fiscal damage, or loss or misuse of information which adversely affects one or more individuals or undermines the integrity of a system or program.”
Thus, to determine if an impermissible use or disclosure rises to the level of a breach, HHS said covered entities and their business associates “will need to perform a risk assessment to determine if there is a significant risk of harm to the individual.” In doing the risk assessment, covered entities and business associates should take into account the sensitivity level of the information that was breached and also consider who it was who impermissibly used or accessed the breached information, HHS recommended.
For example, if the breached information were disclosed to another covered organization “there may be less risk” than if the breach occurred to an individual or entity not covered by HIPAA privacy rule obligations, HHS said. In addition, regarding the kind of information breached, if a covered entity improperly discloses patient information saying simply that a named person received treatment at a certain hospital, “then this would constitute a violation of the privacy rule, but it many not constitute a significant risk of financial or reputational harm to the individual,” to warrant breach notification, HHS said.
On the other hand, if the information breached is about a patient's cancer or substance abuse treatment, or includes a Social Security number, “then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information.”
The bottom line, according to HHS, is: “If the nature of the protected health information does not pose a significant risk of financial, reputational or other harm, then the violation is not a breach.”
This harm-based definition of what constitutes a breach was extended by HHS to breaches involving so-called “limited data sets.”
According to HHS' guidance, “In performing the risk assessment to determine the likely risk of harm caused by an impermissible use or disclosure of a limited data set, the covered entity or business associate should take into consideration the risk of re-identification of the protected health information contained in the limited data set.”
If that risk is found to be so small that the disclosure “poses no significant risk of harm to any individuals,” then, according to HHS, “no breach has occurred and no notification is required.” HHS did not elaborate on what should go into an acceptable risk assessment or who should perform them.
Privacy advocates who have reviewed the HHS rule say they see significant risks in HHS's reasoning and approach.
“I guess the thing that stood out to me was the threshold of harm being entered into the picture,” Pam Dixon, executive director of the not-for-profit, public interest research group World Privacy Forum, said. “It wasn't in the statute.”
Dixon said the harm approach has been used by the FTC for years, but the FTC has since recognized “the extraordinary limits to focusing on harm” and is moving to additional standards, she said. “You'll always have harm before you see it. We should be working to prevent harm. You shouldn't have to prove harm to prevent harm. That's one of the illogical things about the rulemaking.”
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.