The HIPAA Privacy and Security final rule released on January 17, 2013 brings significant changes that will affect the healthcare industry. While the final rule largely tracks the proposed rule, certain changes are expected to catch the attention of healthcare providers across the country, according to Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips, which works with states and providers on health IT and related public policy issues and frequently helps clients craft breach notifications.
The change likely to draw the most attention is the new rule's definition of 'breach'. The 'risk of harm' standard had been controversial: under the 2009 interim breach notification rule, an impermissible use or disclosure was not a reportable breach unless it posed a significant risk of harm to the individuals affected. HHS concluded that this standard needed rethinking and replaced it with a presumption that any impermissible use or disclosure is a breach, unless a risk assessment shows a low probability that the protected health information has been compromised. That assessment considers at least four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. The burden on healthcare entities is therefore to demonstrate, and document, that the probability of compromise is low.
According to Belfort, this amounts to two changes. First, the assessment no longer asks how much harm the patient might suffer, but whether the information has been compromised. Second, the burden of proof now rests clearly on the healthcare entity: if it cannot show a low probability of compromise, the incident is a 'breach'. The final rule can be read as a middle ground between privacy advocates who wanted every improper disclosure treated as a breach and those who wanted to keep the 'risk of harm' standard.
Industry experts such as Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, consider this a positive development because organizations retain the ability to investigate an incident and decide whether notification is required, based on the circumstances and the likelihood that information was compromised. The change also addresses the over-notification that many stakeholders were concerned about.
With more aggressive enforcement and stiffer penalties on the way, the final rule is likely to accelerate the current trend. Healthcare providers and their business associates should therefore have the right tools in place to prevent breaches and, when an incident does occur, should be prepared with documented evidence from the risk assessment to support a finding that health information was not compromised. A well-rounded information security platform such as SecureGRC can help organizations meet HIPAA's requirements and reduce the likelihood of such data breaches.