On January 17, 2013, the Office of Civil Rights of the Department of Health and Human Services published its final omnibus rule for implementing HITECH, which greatly modifies and amends HIPAA, the Health Insurance Portability and Accountability Act of 1996. While many different areas of HIPAA were modified, most experts point out that, in terms of HIPAA/HITECH data security, the following areas deserve attention:
- Business Associates (BAs) and their subcontractors will now be responsible for their own PHI (protected health information) data breaches.
- The HIPAA Security Rule remains generally unaltered, but it now extends to BAs.
- The HITECH Breach Notification Rule has been modified significantly.
A Little Detour: HHS Loves Encryption
Do HIPAA covered entities (CEs), BAs, and subcontractors need to use medical data encryption? Consider the following quote:
OCR Director Leon Rodriguez reported that his office is concerned about the failure to perform an analysis of possible alternatives when encryption of electronic protected health information is not considered reasonable and appropriate. “We love encryption,” according to Rodriguez. [mondaq.com]
To expand on the above quote:
“We love encryption, and those who use encryption love it, too,” Office for Civil Rights Director Leon Rodriguez said. “In the event of a breach, using encryption assures that that information is unreadable, unusable or undecipherable, which, basically, would qualify that entity for the safe harbors under our breach notification rule.” [modernhealthcare.com]
Business Associates and Subcontractors (and Their Subcontractors) Responsible for Their Own Data Breaches
One of the biggest changes is how PHI breaches will be handled at the “sub-CE” level. In the past, it was the covered entity (CE) that was left holding the bag even if a data breach originated from a business associate’s actions.
For example, let’s say that a healthcare organization transferred patient information to an accounting firm so that the firm could assess the organization’s financial status. The accounting firm loses a laptop computer that was full of patient data: names, addresses, billing information, and how much each patient had paid or still owed to the healthcare organization. Since the “owner” of the data is the healthcare organization, it is the one that has to contact (a) the patients who were affected, (b) the state Attorney General (if the breach is large enough to warrant notification), (c) the media (possibly), and (d) HHS, which may post the breach on its “Wall of Shame” if it involves more than 500 people.
What did the healthcare organization do wrong? Nothing. Well, perhaps they chose the wrong accountants.
The thing is, the Big Four – according to some, the best of the best when it comes to accounting – are neither immune to nor strangers to data breaches of this nature. And yet, it’s not their name that gets dragged through the mud. It’s not their reputation that suffers. It’s not they who end up paying a monetary penalty.
Under the old rule, the idea was that security would trickle downward. If the BA triggers the breach, its relationship with the covered entity – in our example, the healthcare organization – suffers. If it’s a subcontractor to the BA that triggers the breach, its relationship with the BA suffers, and the BA’s relationship with the CE suffers (moderately). Hence, it’s in everyone’s best interest not to suffer a breach.
That approach sounds terrible, and it is. The latest change, which makes BAs and their subcontractors directly responsible for their own breaches, is a much fairer approach. You know, moral hazard and all that.
Breach Notification Rule
According to mondaq.com, there were significant changes to the Breach Notification Rule component of the HITECH Act. Four primary factors have to be evaluated when deciding whether a data breach incident requires notification:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the protected health information or to whom the disclosure was made.
- Whether the protected health information was actually acquired or viewed.
- The extent to which the risk to the protected health information has been mitigated.
The gist of it is: how likely is it that the incident actually resulted in PHI being compromised? In the past, a computer that was lost but later recovered counted as a data breach, even if a forensic examination showed that nobody accessed the computer while it was missing. Under the new rules, it might not count as a breach.
On the other hand, why subject yourself to such hair-splitting? Safe harbor from breach notification, where encryption was used to protect the data, remains in place and fully valid even under the “four primary factors” (see the “we love encryption” quote at the beginning of this post).