The risks associated with failing to notify individuals affected by data breaches are set to rise for healthcare providers, says Katherine Keefe from Beazley Breach Response Services.
A key change to the notification requirements for breaches involving protected health information (PHI) could make a significant difference to healthcare providers, health plans and their vendors, increasing the negative consequences of their failing to notify affected individuals.
The long-awaited final Health Insurance Portability and Accountability Act (HIPAA) rule readdresses the breach notification requirements first enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH). The final rule formally came into effect on March 26 this year, although compliance by covered entities and business associates is required by September 23. The final rule changes the game materially.
Under the previous interim rule, a breach was defined as an inappropriate use or disclosure of PHI involving significant risk of financial, reputational or other harm. The final rule changes this definition by stating that an impermissible use or disclosure of PHI is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised.
The final rule requires that four factors be considered when determining whether PHI has been compromised:
• The nature and extent of the PHI involved;
• The unauthorized person who used the PHI or to whom the disclosure of PHI was made;
• Whether the PHI was actually viewed or acquired; and
• The extent to which the risk to the PHI has been mitigated.
The federal government has made it very clear that each of these factors must be considered when evaluating impermissible uses or disclosures of PHI, and that compliance policies must include these factors.
The final rule will probably make healthcare providers and health plans (and their business associates, which are also covered by the rule) even more wary about failing to notify affected individuals of inappropriate uses or disclosures of PHI.
Even under the interim rule, in force since 2009, more than 21 million victims of ‘large’ healthcare breaches (affecting 500 people or more) have received notifications.
The pressure on the healthcare industry to safeguard patient data has never been greater. Regulators and private plaintiffs are much more sophisticated and aggressive in reacting to data breaches; their involvement extends the life of a breach and now frequently brings negative consequences. The number and severity of enforcement actions and penalties is on the rise, as are instances of fines being levied as the result of small breaches. These realities are sobering, but proactive steps can keep a healthcare data breach from springing back to life in a nasty way.
hackers, cyber security, PHI, data breaches, HIPAA, HITECH