New HIPAA rule revises breach notification process

Indiana Lawyer Focus

Financial institutions sending letters and emails alerting customers of possible unauthorized access to their bank accounts or credit cards are more common than anyone would like. Soon, however, such notices may come from hospitals and medical insurance companies.

The change is being ushered in by the new rule under the Health Insurance Portability and Accountability Act of 1996, announced in January by the U.S. Department of Health and Human Services. At 563 pages, the regulation is being touted as finalizing a number of provisions in the Health Information Technology for Economic and Clinical Health Act and strengthening the privacy and security protections for health information provided under HIPAA.

When the omnibus rule was unveiled, Kathleen Sebelius, HHS secretary, pointed to the growing use of electronic medical records as part of the cause for the new rule.

“Much has changed in health care since HIPAA was enacted over 15 years ago,” Sebelius stated in a press release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

Attorneys agreed with the government’s assessment that these are “sweeping changes.”

“It’s a significant piece of regulation enforcing a patient’s privacy rights,” said Chad Eckhardt, an associate in Frost Brown Todd LLC’s Cincinnati office. “It’s going to take a while for covered entities to get their arms around.”

The final omnibus rule addresses four regulatory areas. It provides the final modifications to the HIPAA privacy, security and enforcement rules; sets the final rule adopting the increased civil money penalty structure; issues the final standard on breach notification for unsecured protected health information; and modifies the HIPAA privacy rule that prevents most health plans from using or disclosing genetic information for underwriting purposes.

Most of the regulations have been public for some time and the language of the final rule was expected. Although few surprises were contained in the document, Eckhardt said, the change to the breach notification provision has turned many heads.

Namely, the standard of “significant harm” has been dropped, which could lead to more people getting letters from their doctors and insurance companies saying that their medical records may have been compromised.

Breach notification

The push toward electronic medical records was accelerated by the Patient Protection and Affordable Care Act. Early projections that billions of dollars would be saved by moving to electronic records have been dampened, but computerized health information still has advantages. Some can alert physicians to tests a patient needs, reduce mistakes in prescriptions, and aid in research.

Yet, as with bank records and credit card information, going online brings new risks.

“Privacy is a big issue because if health records are more accessible to doctors, they’re also more accessible to everybody else,” said David Orentlicher, professor at the Indiana University Robert H. McKinney School of Law.

Medical records contain a great deal of information, from details of a patient’s health to financial account numbers and Social Security numbers.

With an apparent eye on the increased potential for health information to be lost or stolen, the HHS revised the Breach Notification Rule first published under the 2009 HITECH Act.

Under the initial provision, patients did not have to be notified of a breach if the covered entity, such as a health care provider or health insurance company, determined the information improperly accessed did not pose a “significant risk of harm” to those patients.

The covered entities were required to perform a risk assessment examining elements such as who accessed the information and what type of information was disclosed. Then, if that analysis indicated the breach did not put the patient’s financial or personal well-being at risk, no notification had to be sent.

Advocates supporting the significant harm standard pointed to the increased costs and burden that covered entities and their business associates would have to bear if the threshold for notification was lowered. In addition, alerting consumers when there was no risk of damage could cause unnecessary anxiety and, eventually, apathy.

However, opponents countered that the significant harm provision set the standard too high.

In the final rule just released, the HHS removed the harm standard and modified the risk assessment. The focus has shifted from assessing the risk to the individual to demonstrating that the improper disclosure did not compromise the protected health information. The HHS is also providing more objective guidelines for performing the risk assessment that determines whether a notification is necessary.

Penalties

Accordingly, costs for covered entities and business associates will likely rise, because they will have to pay not only for the alert but also for repairing the breach and offering any mitigating services, such as credit monitoring.

Also, since enforcement happens after the breach has occurred, the notification could become even more costly.

The financial penalties were unveiled in the HITECH Act. Fines for improper releases of protected health information have long been a part of HIPAA, but the new reparations are substantially higher.

Prior to HITECH, the fine could not be more than $100 per violation and the total penalty could not exceed $25,000 a year. Attorneys said the dollar amounts were so low that hardly anyone paid them much attention.

They are paying attention now. The civil money penalty provision divides violations into four tiers, ranging from “Did Not Know” to “Willful Neglect – Not Corrected.” The fines for each violation range from a low of $100 to a high of $50,000, and the total penalty could reach $1.5 million per violation of HIPAA rules within a calendar year.

“I think that’s probably what it takes to get people’s attention sometimes, or so the government thinks,” said Susan Ziel, partner at Krieg Devault LLP’s Minneapolis office.

Moreover, the new rule expands liability. Now, not only are covered entities liable for HIPAA violations but so are their business associates, which includes anyone who has access to medical records, such as lawyers, transcribers and accountants.

Enforcement activity has been increasing.

In September, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. reached a settlement agreement with the HHS to pay $1.5 million for potential HIPAA violations. The settlement came after the infirmary filed a breach notification reporting the theft of an unencrypted personal laptop containing the electronic protected health information of patients and research subjects.

Getting started

The final omnibus rule was published Jan. 25 and goes into effect March 26. Compliance must be met by Sept. 23.

Many health care providers and insurance companies have not updated their HIPAA policies since the act took effect in 2003. Christine Zoccola, partner at Bose McKinney & Evans LLP in Indianapolis, noted attorneys will be working not only to educate their clients on the final rule but also to revise procedures, forms and contracts to meet the new provisions.

“It is a big change,” Zoccola said. “It is a massive overhaul.”

  • Very upset about HIPAA laws
    I have tried everywhere to get help and all I get is the run-around. I should be able to protect my son from people I have to work with; they think they can do what they want with personal information.
