Experts see major shifts in privacy rule

Think of it as a chain of responsibility and legal liability that just got a whole lot longer.

Not just business associates to healthcare providers and other HIPAA-covered entities, but also the subcontractors those business associates hire, if they routinely handle patient data, they are all now obliged to protect patient medical records or be subject to enhanced penalties for federal privacy and security law violations under the newly released update to the Health Insurance Portability and Accountability Act's privacy and security rule.

The driving force behind the 563 pages of the “omnibus” privacy and security rule released Thursday was the more stringent privacy and security provisions Congress wrote into some provisions of the American Recovery and Reinvestment Act in 2009.

The long-awaited rule had been in regulatory purgatory, locked up by the Office of Management and Budget since March.

Under the new final rule, “covered entities must ensure that they obtain satisfactory assurances required by the rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far 'down the chain' the information flows,” the rule writers said. Increased penalties for negligent violations under the new rule can run as high as $1.5 million a year.

Before 2009, the biggest legal worry of business associates in regard to their relationships with hospitals, physicians and other covered entities was about breach of contract liability, said Robert Belfort, a partner in the healthcare practice at Manatt, Phelps & Phillips.

Since then, “the level of seriousness about developing all the (privacy and security) safeguards has really increased.” But the new rule went even further, extending liability “down the chain to subcontractors,” Belfort said. “It's greatly expanding the universe of companies that are now subject to penalties under the law.”

The new rule also:

• Tightens limitations on the use of patient records for marketing
• Prohibits the sale of patient information without a patient's consent.
• Provides patients with a right to insist that a provider not share their patient-care records with their insurance company if that care is paid for by the patient out-of-pocket in full.
• Requires entities with patient record breaches to assess the likelihood that the information could be accessed in determining whether they must notify individuals of the breach.
• Adds patient-safety organizations, health information exchange organizations and e-prescribing gateways to a specific list of HIPAA business associates liable under the rule. It also includes as business associates certain vendors of personal health records, those that provide a PHR to patients “on behalf of a covered entity,” but excludes other PHR providers, such as those working on behalf of consumers.

It generally requires patients to consent in advance, that is, “opt in,” before third parties can use their healthcare information to send them marketing information.

“That's the thing that drives people nuts,” McGraw said, “that somebody else had information about their health and is using it to market to them.”

“Congress closed that loophole” with the ARRA, she said, and HHS' Office for Civil Rights “implemented it. That's huge for consumers.”

The big change in the breach-notification portion of the rule was in the definition section, said Katherine Keefe, head of Beazley Breach Response Services, Philadelphia, a unit of the London-based Beazley insurance group.

Under the 2009 interim final breach rule, breaches were defined as incidents that posed a significant risk of financial or reputational or other harm. Covered entities had to perform an assessment to determine whether harm might have occurred, and if it did, then breach notices to patients and HHS' Office for Civil Rights were required.

The new rule changed the definition so that an unauthorized use or disclosure of protected health information is presumed to be a reportable breach unless a covered entity can, through a documented assessment, conclude that there is a “low probability” the information has been compromised.

The rule lays out four factors that covered entities have to consider in making that determination, Keefe said. They are: 1) the nature and extent of the protected information involved, including whether it was particularly sensitive, such as mental health treatment records; 2) to whom the breach was made, for example, a wrong fax to another covered entity, where the risk of misuse was low; 3) was the protected health information actually viewed or acquired; and 4) whether the risk has been mitigated.

Government regulators saw the old definition as being “too subjective and applied inconsistently,” Keefe said. “They believe this (new definition) is more objective and straightforward.”

The bottom line, Keefe said, is that “I think it will make covered entities and business associates more skittish. The government has huge leeway to come in and cry breach because of the presumption” that a loss of control over patient information is a breach.

HHS estimates industrywide compliance costs at $114 million to $225.4 million the first year.

“Much has changed in healthcare since HIPAA was enacted over 15 years ago,” HHS Secretary Kathleen Sebelius said in a news release. “The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age.”

Official publication of the new rule in the Federal Register is scheduled Jan. 25. Its effective date is March 26 with a compliance date 180 days later, or Sept. 21.