HIPAA Omnibus: Assessing BreachesAttorney Offers Insights on Reporting Incidents
Under the new HIPAA Omnibus Rule, organizations will need to conduct a thorough risk assessment to determine whether a breach must be reported based on the likelihood that information was compromised, says privacy attorney Marcy Wilder.
"Everybody's going to need to update their data breach policies and their breach response plans," she says in an interview with HealthcareInfoSecurity (transcript below). "They're going to need to modify the risk assessment tool they use when they're trying to figure out if an incident rises to the level of a data breach."
The former Department of Health and Human Services official helped develop the original HIPAA privacy regulations.
The previous "harm" standard contained in the interim final breach notification rule required organizations to assess whether an incident was likely to result in financial, reputational or other harm to an individual. The final version of the notification rule, contained in HIPAA Omnibus, spells out a more objective standard to determine whether breach notification is merited based on the probability that data was compromised.
HIPAA Omnibus goes into effect on March 26, but the compliance date is September 23; that's when the HHS Office for Civil Rights will enforce the new rule.
In the interview, Wilder also discusses:
The need for business associates to conduct a HIPAA security risk assessment and document their security policies;
- Changes that need to be made to notices of privacy practices;
- Other steps that covered entities, business associates and subcontractors should be taking now to comply.
Wilder is co-chair of the global privacy and information management group at Hogan Lovells, an international law firm. She assists clients with managing risks associated with privacy and information practices, including compliance with the HITECH Act, HIPAA and federal and state privacy laws. Wilder also has extensive experience helping clients that have experienced health data breaches. Previously, she served as deputy general counsel at HHS, where she was the lead attorney in the development of HIPAA privacy regulations.
MARIANNE MCGEE: To start, tell us very briefly about your organization and your role.
MARCY WILDER: I direct the privacy and information management practice here at Hogan Lovells. We have one of the largest global privacy practices in the world, and my area of specialization is in health privacy and health IT.
Business Associate Agreements
MCGEE: With the release of the HIPAA Omnibus final rule, covered entities will need to make modifications to their business associate agreements. What kind of modifications are needed?
WILDER: The world has changed for business associates in very significant ways. It used to be that they were bound by contractual obligations, and now for the first time they will be subject directly to the jurisdiction of the Department of Health and Human Services for purposes of HIPAA compliance. That means, in part, that these new obligations are going to need to be reflected in business associate agreements. The key provisions in terms of changes to those contracts are ... to be clear that they need to fully comply with the HIPAA security rule and that they need to report breaches to their covered entity customers.
[BAs] going to need to ensure that they have their own business associate agreement with subcontractors in place. And they're going to need to comply with the minimum necessary standard, which is a part of the rule that says when you're using protected health information or disclosing it you can only use or disclose the minimum necessary to accomplish a given task. These are some of the obligations that are going to need to be reflected in the contracts that business associates are going to need to deal with. All of that is in fact true for business associates as compliance obligations exist, regardless of whether there is in fact a contract in place, although there's supposed to be.
Compliance with the rules is going to be required pretty soon. ... The compliance date is Sept. 23 of this year, although they do have an extra year to modify their existing business associate contracts.
Changing Privacy Notices
MCGEE: Covered entities will also need to make changes to their privacy notices. What kinds of changes are needed there?
WILDER: The Department of Health and Human Services decided that some of the new requirements, and, in fact, even some of the old ones, ought to be included in the notice of privacy practices provided by HIPAA covered entities. There's a fair amount of controversy over these notices because they're very long. They read a little bit like mortgage documents. Some folks say that they're too complicated and too long and people don't read them, and therefore it would be better to just make them shorter and more user-friendly. Others say that it's important to make full disclosure so that patients can be fully aware at how their information might be used.
HHS went with a sort of compromise position in that they're requiring those longer, more complicated notices, but they're allowing a layered notice approach where you can sort of put a summary up-front. ...There are new provisions requiring more specific statements about when and how health information will be used for marketing, the conditions under which protected health information will or will not be sold, statements related to fundraising, more specific statements about genetic information and individual rights, and folks also need to make clear that patients have a right to be notified if there's a data breach.
Steps to Take Now
MCGEE: What key steps should covered entities, business associates and subcontractors be taking now to comply to the final rule?
WILDER: I think the first thing they'll want to do is review and update their privacy policies and procedures. They're also going to need to determine who their business associates are or whether or not they are a business associate in light of the changed definition. One of the things that the new rule does is it expands the definition of business associate. Some folks that maybe fell into a gray area before, like cloud storage providers, are now clearly business associates because HHS made it clear. It used to be that if you're a vendor or a service provider and you're using or disclosing protected health information on behalf of your customer, you're a business associate. Now the department added the word "maintaining." They're saying if you're simply maintaining protected health information on behalf of your client, even if you never access it, you're a business associate. And that's new. There's going to need to be some going back and making sure you have business associate agreements in place with all of the relevant vendors and service providers.
If you're a business associate, one of the things you want to do in short order is a HIPAA security risk assessment, and you're going to want to document your security policies and procedures in the ways that HHS requires. Everybody's going to need to update their data breach policies and their breach response plans. ... They're going to need to modify the risk assessment tool they use when they're trying to figure out if an incident rises to the level of a data breach. They're going to want to train their workforce, and they're going to want to engage executives in promoting data stewardship as a core value. That can really go a long way toward making sure that folks understand what their obligations are and that there's an expectation that they will keep protected health information private and confidential and will use it only in the permitted ways.
Struggles with Compliance
MCGEE: What sort of struggles do you think covered entities, business associates and subcontractors will likely have in their compliance efforts? And what sort of help will they need?
WILDER: I think that the HIPAA privacy rule is complicated and not always straightforward. In figuring out how those policies and procedures need to be revised, folks will likely need some help. In updating the data breach policies, I think folks will probably need help. Also, it used to be that if you're a healthcare organization and you have an unauthorized use or disclosure of protected health information, you needed to figure out if [with] that disclosure, the unauthorized use or disclosure, there was a significant risk of harm to the affected individuals. If there was, you needed to notify; and if not, you didn't.
The department changed that standard in some very important ways, and now they're saying any unauthorized use of disclosure is going to be presumed to be a data breach unless you can show that there's a low probability that the data was compromised. There's a specific test that you need to apply. I think organizations are going to need help in the short term on figuring out what that new standard means, how to implement it and how to put in a process to do all of the risk assessments that are going to be required. We're going to see a lot more risk assessments that need to be done and documented.
Finally, I think some folks are going to need help in determining who is and is not a business associate. ... Like with any new regulation, there's often a need in the early stages for outside expertise. Then, as the compliance programs get up and running, that expertise comes in-house and they don't need to rely as much on outside counsel, and I think we're going to see that process over the next six months to a year.
Penalties Under Final Rule
MCGEE: What kinds of penalties will covered entities, business associates and subcontractors face now under the final rule?
WILDER: When Congress enacted the HITECH law, they greatly enhanced the types of penalties that HHS could impose for HIPAA violations. Now, civil monetary penalties can go up to $1.5 million per provision violated in a given year. Most data breaches, most violations and most HIPAA violations involve more than one provision. There are quite substantial fines that can accrue for HIPAA violations, including data breaches.
The Harm Standard
MCGEE: As you mentioned earlier, under the final rule, the breach notification rule changed from a standard of harm to one based on the probability of information being compromised. Under the new standard, how do you think the nature of breaches that get reported might change?
WILDER: I think we're going to see more breaches reported. It's clear HHS seems to have done two things. One, they wanted to move from a subjective standard to a more objective standard, and they're saying that the new standard is more objective, and they're thinking perhaps more straightforward to apply. I'm not sure I agree with that.
The second thing they did was they clearly lowered the threshold for reportable breaches, that more breaches will be reported now or will be required to be reported than before. I don't know that the nature of breaches will change; the nature of breaches is the nature of breaches. Bad things and unfortunate things happen. Laptops get stolen, devices get lost and hackers get in. The nature of the breaches I anticipate will stay the same. But the number of breaches or the types of breaches that are reported will likely increase. Also, significantly, because of this presumption that all unauthorized uses and disclosures are breaches, there are going to be more risk assessments and more documentation around those types of incidents than was required before.