By Gary Siller and Kathleen Quiroz, Strasburger & Price, LLP
The HIPAA Final Omnibus Rule (“Omnibus Rule”)1establishes new standards for evaluating and addressing potential breaches of unsecured protected health information (“PHI”). Entities subject to HIPAA, or “Covered Entities,” must comply with these standards by September 23, 2013. This means that you may encounter consequences well beyond what you ever expected if your laptop that contains unsecured PHI is lost or stolen.
The federal government -- itself victim to the periodic inability to secure its own sensitive and confidential information -- continues an unrelenting pursuit against anyone who inadvertently puts PHI at risk of disclosure. In an attempt to prevent the potential breach of unsecured PHI, the Omnibus Rule now imposes more penalties and burdensome regulations than ever before, contributing to the continual increase in the cost of healthcare.
When a Covered Entity discovers a breach of its unsecured PHI, the HITECH Act2 mandates that the Covered Entity provide notice of the breach to all individuals whose PHI was subject to the breach. Covered Entities must also provide notice to the Secretary of the Department of Health and Human Services (“HHS”) and, in some instances, to one or more prominent media outlets.3
The term “unsecured” does not simply mean that your stolen laptop, or other electronic data, was not password-protected. PHI is unsecured anytime it is not rendered “unusable, unreadable or indecipherable to unauthorized individuals through use of a technology or methodology” specified by the Secretary of HHS. To date, the only way to secure PHI is to encrypt it or destroy it.
HHS initially issued the Interim Final Rule4 for breach notifications in August 2009. This interim rule set forth the requirements to determine when a breach of unsecured PHI occurred as well as how, when, and to whom to report such a breach. With the January 2013 publication of the Omnibus Rule, HHS implements sweeping changes to HIPAA and its privacy, security and enforcement rules, including the breach notification requirements.
The most notable change made by the Omnibus Rule to the Interim Final Rule is the change in the standard for determining what constitutes a “breach” of unsecured PHI. The HITECH Act itself defines a “breach” as the acquisition, access, use or disclosure of PHI in a manner not permitted by HIPAA that otherwise compromises the security or privacy of the PHI. The standard established by the Interim Final Rule for determining whether an individual’s PHI has been compromised (a standard which is commonly referred to as the “harm threshold”) requires a risk analysis on the potential financial, reputational or other harm to the individual.
After September 23, 2013, the “harm threshold” no longer applies. Any acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by HIPAA will be presumed to be a breach. To overcome this presumption, the Covered Entity or business associate must demonstrate (and document) the low probability that the PHI was compromised. The factors to be weighed in assessing the probability of compromise must include the following four factors at a minimum:
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• the unauthorized person who used the PHI or to whom the disclosure was made;
• whether the PHI was actually acquired or viewed; and
• the extent to which the risk of harm to the affected individuals has been mitigated.
Another important change after September 23 involves the acquisition, access, use or disclosure of limited data sets that do not include any dates of birth or zip codes. Under the Interim Final Rule, any such acquisition, access, use or disclosure of such limited data sets would not constitute a breach that would trigger the breach notification requirements. But under the Omnibus Rule, any acquisition, access, use or disclosure of limited data sets, including those that do not involve dates of birth or zip codes, will be subject to the default presumption that a breach has occurred.
Potential sanctions for failing to provide notice required by the Omnibus Rule, or by the corresponding provisions in the Texas Business and Commerce Code, are significant. In fact, state law notification requirements could be more extensive than the HITECH breach notification requirements, so any evaluation of whether a breach has occurred and, if so, how, when and to whom such a breach must be reported, should include an analysis of all applicable state and federal laws. Moreover, Covered Entities and business associates must be proactive and institute the necessary protections to avoid a potential breach of PHI.
 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (to be codified at 45 CFR pts. 160 & 164).  The Health Information Technology for Economic and Clinical Health Act, Pub. L. 111-5 (2009), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009.  If a business associate becomes aware of such a breach, the HITECH Act also requires the business associate to notify the Covered Entity of the breach.  The interim final rule with requests for comments on the Breach Notification for Unsecured Protected Health Information, 74 Fed. Reg. 42740 (Aug. 24, 2009).