Determining Breaches under HIPAA Omnibus
The new HIPAA Omnibus Rule includes the final regulations on breach notification. While some organizations may not need to change their incident response plans to comply with the final breach notification rule, many others have been missing the boat when it comes to identifying a breach of protected health information. This final rule is less a change than a clarification of the Department of Health and Human Services' (and Congress') original intent.
HHS notes in the rule preamble that some organizations have set a much higher threshold than HHS intended for an incident being a breach. To make this point explicit, the final rule states that "an acquisition, access, use or disclosure of [unsecured] protected health information in a manner not permitted under the HIPAA Privacy Rule is presumed to be a breach." That presumption should be the starting point for responding to an incident. Only if an organization performs the rule's specified risk assessment and "demonstrates that there is a low probability that the protected health information has been compromised" is the organization off the hook for breach notification (although the incident may still be a HIPAA violation to be dealt with).
Fortunately, to avoid "inconsistent interpretations and results," HHS, in the final version of the breach notification rule, replaces assessing risk to individuals with assessing risk to data, i.e., PHI. This language is more consistent with risk assessment practices that HIPAA covered entities and business associates should be following for HIPAA Security Rule compliance.
It's important to note that risk assessments estimate the potential for harm or an adverse impact. We don't wait to see if lost or stolen data (e.g., unencrypted medical records or Social Security numbers on a laptop) are misused before declaring a breach. In fact, no identifiable harm may ever come from a breach, but it is still a breach.
Let's say that a worker's laptop with unencrypted PHI goes missing. This is most likely a breach, and that assumption should be the starting point for investigating the incident. The risk assessment is performed to determine whether the presumption of a breach can be rebutted, i.e., whether there is a low probability that the PHI has been compromised. Based on the four factors moved from the interim rule's preamble to the final rule itself, here's a scenario where the incident might not be a breach:
- The PHI consists of patient names only, and the organization is a general medical practice. But if seemingly benign addresses and telephone numbers were included, some patients (e.g., estranged spouses) who wanted to keep this information private may be exposed. And if the organization offered only specialty services, such as oncology or obstetrics, clinical information about each patient could be inferred.
- The missing laptop is found in the worker's building. Co-workers are subject to the same policies, training and sanctions, so the PHI may be safe. But anyone in the building, a worker or an outsider, could have had access to the laptop.
- The missing laptop is returned to the worker without any evidence of tampering. But someone in the building could have accessed the PHI. Password crackers are easy to use. Someone could have read, and even copied, the PHI, for a variety of unauthorized purposes.
- The organization uses forensics tools and determines that no files were opened since the worker last used the laptop.
Each step of the above risk assessment scenario presents the most favorable outcome in terms of risk. But real-life lost laptop incidents are apt to carry some degree of risk that the PHI could be compromised.