ILNews

New HIPAA rule revises breach notification process

Indiana Lawyer Focus

Financial institutions sending letters and emails alerting customers of possible unauthorized access to their bank accounts or credit cards are more common than anyone would like. Soon, however, such notices may come from hospitals and medical insurance companies.

The change is being ushered in by the new Health Insurance Portability and Accountability Act of 1996 rule announced in January by the U.S. Department of Health and Human Services. At 563 pages, the regulation is being touted as finalizing a number of provisions in the Health Information Technology for Economic and Clinical Health Act and strengthening the privacy and security protections for health information provided under HIPAA.

When the omnibus rule was unveiled, Kathleen Sebelius, HHS secretary, pointed to the growing use of electronic medical records as part of the cause for the new rule.

“Much has changed in health care since HIPAA was enacted over 15 years ago,” Sebelius stated in a press release. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

Attorneys agreed with the government’s assessment that these are “sweeping changes.”

“It’s a significant piece of regulation enforcing a patient’s privacy rights,” said Chad Eckhardt, an associate in Frost Brown Todd LLC’s Cincinnati office. “It’s going to take a while for covered entities to get their arms around.”

The final omnibus rule addresses four regulatory areas. It provides the final modifications to the HIPAA privacy, security and enforcement rules; sets the final rule adopting the increased civil money penalty structure; issues the final standard on breach notification for unsecured protected health information; and modifies the HIPAA privacy rule that prevents most health plans from using or disclosing genetic information for underwriting purposes.

Most of the regulations have been public for some time and the language of the final rule was expected. Although few surprises were contained in the document, Eckhardt said, the change to the breach notification provision has turned many heads.

Namely, the standard of “significant harm” has been dropped, which could lead to more people getting letters from their doctors and insurance companies saying that their medical records may have been compromised.

Breach notification

The push toward electronic medical records was accelerated by the Patient Protection and Affordable Care Act. Early projections that billions of dollars would be saved by moving to electronic records have been dampened, but computerized health information still has advantages. Some can alert physicians to tests a patient needs, reduce mistakes in prescriptions, and aid in research.

Yet, as with bank records and credit card information, going online brings new risks.

“Privacy is a big issue because if health records are more accessible to doctors, they’re also more accessible to everybody else,” said David Orentlicher, professor at the Indiana University Robert H. McKinney School of Law.

Medical records contain a great deal of information from details of a patient’s health to financial account numbers and Social Security numbers.

With an apparent eye on the increased potential for health information being lost or stolen, the HHS revised the Breach Notification Rule first published in the 2009 HITECH Act.

Under the initial provision, patients did not have to be notified of any breach if the covered entity, such as a health care provider or health insurance company, determined the information improperly accessed did not pose a “significant risk of harm” to those patients.

The covered entities were required to perform a risk assessment to examine elements such as who accessed the information and what type of information was disclosed. Then, if that analysis indicated the breach did not put the patient’s financial or personal wellbeing at risk, no notification had to be sent.

Advocates supporting the significant harm standard pointed to the increased costs and burden that covered entities and their business associates would have to bear if the threshold for notification was lowered. In addition, alerting consumers when there was no risk of damage could cause unnecessary anxiety and, eventually, apathy.

However, opponents countered that the significant harm provision set the standard too high.

In the final rule just released, the HHS removed the harm standard and modified the risk assessment. Now, the focus has shifted from assessing the risk to the individual to proving that the improper disclosure did not compromise the protected health information. The HHS is also providing more objective guidelines for doing the risk assessment to determine if a notification is necessary.

Penalties

Accordingly, costs for covered entities and business associates will likely rise because they will have to pay for not only the alert but also repairing the breach and offering any mitigating services like credit monitoring.

Also, since enforcement happens after the breach has occurred, the notification could become even more costly.

The financial penalties were unveiled in the HITECH Act. Fines for improper releases of protected health information have long been a part of HIPAA, but the new reparations are substantially higher.

Prior to HITECH, the fine could not be more than $100 per violation and the total penalty could not exceed $25,000 a year. Attorneys said the dollar amounts were so low that hardly anyone paid them much attention.

They are paying attention now. The civil money penalty provision divides the violations into four tiers, ranging from “Did Not Know” to “Willful Neglect – Not Corrected.” The fines for each violation go from a low of $100 to a high of $50,000, and the total penalty could reach $1.5 million per violation of HIPAA rules within a calendar year.

“I think that’s probably what it takes to get people’s attention sometimes, or so the government thinks,” said Susan Ziel, partner at Krieg Devault LLP’s Minneapolis office.

Moreover, the new rule expands the liability. Now, not only are covered entities liable for HIPAA violations but so are their business associates, which include anyone who has access to medical records, such as lawyers, transcribers and accountants.

Enforcement activity has been increasing.

In September, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. reached a settlement agreement with the HHS to pay $1.5 million for potential HIPAA violations. The settlement came after the infirmary filed a breach notification, reporting the theft of an unencrypted personal laptop containing the electronic protected health information of patients and research subjects.

Getting started

The final omnibus rule was published Jan. 25 and goes into effect March 26. Compliance must be met by Sept. 23.

Many health care providers and insurance companies have not updated their HIPAA policies since the act took effect in 2003. Christine Zoccola, partner at Bose McKinney & Evans LLP in Indianapolis, noted attorneys will be working not only to educate their clients on the final rule but also to revise procedures, forms and contracts to meet the new provisions.

“It is a big change,” Zoccola said. “It is a massive overhaul.”

