
New HIPAA rule revises breach notification process

Indiana Lawyer Focus

Financial institutions sending letters and emails alerting customers of possible unauthorized access to their bank accounts or credit cards are more common than anyone would like. Soon, however, such notices may also come from hospitals and medical insurance companies.

The change is being ushered in by the new rule under the Health Insurance Portability and Accountability Act of 1996 announced in January by the U.S. Department of Health and Human Services. At 563 pages, the regulation is being touted as finalizing a number of provisions in the Health Information Technology for Economic and Clinical Health Act and strengthening the privacy and security protections for health information provided under HIPAA.


When the omnibus rule was unveiled, Kathleen Sebelius, HHS secretary, pointed to the growing use of electronic medical records as part of the cause for the new rule.

“Much has changed in health care since HIPAA was enacted over 15 years ago,” Sebelius stated in a press release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

Attorneys agreed with the government’s assessment that these are “sweeping changes.”

“It’s a significant piece of regulation enforcing a patient’s privacy rights,” said Chad Eckhardt, an associate in Frost Brown Todd LLC’s Cincinnati office. “It’s going to take a while for covered entities to get their arms around.”

The final omnibus rule addresses four regulatory areas. It provides the final modifications to the HIPAA privacy, security and enforcement rules; sets the final rule adopting the increased civil money penalty structure; issues the final standard on breach notification for unsecured protected health information; and modifies the HIPAA privacy rule that prevents most health plans from using or disclosing genetic information for underwriting purposes.

Most of the regulations have been public for some time and the language of the final rule was expected. Although few surprises were contained in the document, Eckhardt said, the change to the breach notification provision has turned many heads.


Namely, the standard of "significant harm" has been dropped, which could lead to more people getting letters from their doctors and insurance companies telling them that their medical records may have been compromised.

Breach notification

The push toward electronic medical records was accelerated by the Patient Protection and Affordable Care Act. Early projections that billions of dollars would be saved by moving to electronic records have been dampened, but computerized health information still has advantages. Some can alert physicians to tests a patient needs, reduce mistakes in prescriptions, and aid in research.

Yet, as with bank records and credit card information, going online brings new risks.

“Privacy is a big issue because if health records are more accessible to doctors, they’re also more accessible to everybody else,” said David Orentlicher, professor at the Indiana University Robert H. McKinney School of Law.

Medical records contain a great deal of information from details of a patient’s health to financial account numbers and Social Security numbers.

With an apparent eye on the increased potential for health information being lost or stolen, HHS revised the Breach Notification Rule it first issued in 2009 under the HITECH Act.

Under the initial provision, patients did not have to be notified of a breach if the covered entity, such as a health care provider or health insurance company, determined that the information improperly accessed did not pose a "significant risk of harm" to those patients.

The covered entities were required to perform a risk assessment to examine elements such as who accessed the information and what type of information was disclosed. Then, if that analysis indicated the breach did not put the patient’s financial or personal wellbeing at risk, no notification had to be sent.

Advocates supporting the significant harm standard pointed to the increased costs and burden that covered entities and their business associates would have to bear if the threshold for notification was lowered. In addition, alerting consumers when there was no risk of damage could cause unnecessary anxiety and, eventually, apathy.

However, opponents countered the significant harm provision set the standard too high.

In the final rule just released, HHS removed the harm standard and modified the risk assessment. An impermissible use or disclosure of protected health information is now presumed to be a breach unless the covered entity or business associate can demonstrate a low probability that the information has been compromised. The focus has thus shifted from assessing the risk to the individual to showing that the data itself was not compromised. HHS is also providing more objective guidelines for the risk assessment: at a minimum it must consider the nature and extent of the information involved, the unauthorized person who used or received it, whether the information was actually acquired or viewed, and the extent to which the risk has been mitigated.

Penalties

As a result, costs for covered entities and business associates will likely rise, because they will have to pay not only for the alert but also for repairing the breach and offering any mitigating services, such as credit monitoring.

Also, since a breach report to HHS can prompt an investigation after the fact, the notification itself could expose the organization to penalties and make the breach even more costly.

The financial penalties were unveiled in the HITECH Act. Fines for improper releases of protected health information have long been a part of HIPAA, but the new penalties are substantially higher.

Prior to HITECH, the fine could not be more than $100 per violation and the total penalty could not exceed $25,000 a year. Attorneys said the dollar amounts were so low that hardly anyone paid them much attention.


They are paying attention now. The civil money penalty provision divides violations into four tiers, ranging from "Did Not Know" to "Willful Neglect – Not Corrected." The fine for each violation ranges from a low of $100 to a high of $50,000, and the total penalty for all violations of an identical HIPAA provision within a calendar year can reach $1.5 million.

“I think that’s probably what it takes to get people’s attention sometimes, or so the government thinks,” said Susan Ziel, partner at Krieg Devault LLP’s Minneapolis office.

Moreover, the new rule expands liability. Now, not only are covered entities directly liable for HIPAA violations but so are their business associates, which includes anyone who handles medical records on a covered entity's behalf, such as lawyers, transcription services and accountants.

Enforcement activity has been increasing.

In September, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. reached a settlement agreement with HHS to pay $1.5 million for potential HIPAA violations. The settlement came after the infirmary filed a breach notification reporting the theft of an unencrypted personal laptop containing the electronic protected health information of patients and research subjects. The word "unencrypted" matters: the notification rule applies only to "unsecured" protected health information, and under HHS guidance data encrypted in a manner consistent with that guidance is considered secured, so the loss of a properly encrypted device does not by itself trigger the notification requirement.

Getting started

The final omnibus rule was published in the Federal Register on Jan. 25, 2013, and goes into effect March 26, 2013. Compliance must be met by Sept. 23, 2013.

Many health care providers and insurance companies have not updated their HIPAA policies since the privacy rule took effect in 2003. Christine Zoccola, partner at Bose McKinney & Evans LLP in Indianapolis, noted that attorneys will be working not only to educate their clients on the final rule but also to revise procedures, forms and contracts to meet the new provisions.

"It is a big change," Zoccola said. "It is a massive overhaul."
