Guest post by Roy Bossen, partner, Hinshaw and Culbertson.
With the implementation of the Affordable Care Act pushing hospitals and health systems to provide services more efficiently, a significant number of hospitals, health systems and providers are sharing secure patient information through health information exchanges (“HIEs”) and accountable care organizations (“ACOs”). The advent of both HIEs and ACOs creates additional opportunities for protected health information to be shared by hospitals, doctors and other providers.
HIEs allow patient information, including lab tests, imaging tests, prescriptions and treatments, to be shared among the participants in the HIE. The development of these electronic HIEs allows for the secure exchange of health information among participating entities. Generally, the rights and responsibilities of those entitled to share the information are governed by participation agreements. Many providers believe that sharing data will improve healthcare and promote not only quality of care but efficient care as well. Similarly, the development of ACOs by otherwise independent providers results in more patient information being shared electronically. The advent of both HIEs and ACOs therefore provides another medium for possible breaches of the privacy rule.
The privacy rule requires that covered entities verify the identity and authority of persons requesting Protected Health Information (“PHI”) if the individual requesting it is not known to the entity. The Rule, however, does not specify in great detail the verification that must be made and, thus, there is flexibility that can be applied with regard to HIEs and ACOs.
Generally, in an HIE, the participants agree, by contract or otherwise, to provide the HIE with a list of authorized persons so that the HIE can appropriately authenticate users of the network. Documentation required for uses and disclosures may be provided in electronic form, and documentation requiring signatures may be provided as scanned images. It is important from an HIE perspective for the various participants to agree on a common set of privacy safeguards that are appropriate to the risk associated with exchanging PHI to and through the HIE. Similarly, an ACO should establish a common set of privacy safeguards that are appropriate to the privacy risks associated with multiple providers using PHI. These common standards should include a breach notification policy or procedure. To fully understand what must be done, one must have a basic understanding of what is considered a breach.
The United States Department of Health and Human Services issued its HIPAA Omnibus Final Rule on January 25, 2013, to become effective March 26, 2013. Covered entities and business associates had until September 23, 2013, to come into compliance with the final rule. Among other things, this rule modified the breach notification requirements. Before the final rule was implemented, three assessments had to be made to determine whether a breach occurred that would trigger the notification requirements. The first involved PHI being unintentionally accessed by a workforce member performing his or her duties. The second involved PHI being inadvertently disclosed by one workforce member to another. The third applied where the PHI was disclosed to a person who reasonably would not have been able to obtain that information.
The test to determine whether a breach occurred under the third assessment has been substantially modified by the final rule. The Department of Health and Human Services (“HHS”) replaced the risk assessment approach that had been used to determine whether the impermissible use or disclosure posed a significant risk of financial, reputational, or other harm to the individual. Under the new standard, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate a “low probability” that the PHI has been compromised. Unless a covered entity or business associate can show either that one of the workforce exceptions briefly mentioned above applies, or that there is a low probability of use and disclosure, notification is required.
Entities — particularly those participating in HIEs — should have a breach notification policy that applies to unsecured PHI, that is, Protected Health Information that is not secured through a technology or methodology that HHS has stated renders the PHI unusable, unreadable, or indecipherable to unauthorized individuals. If a covered entity or business associate cannot show that either of the first two exceptions applies, it must be able to determine that there is a low probability that the PHI was compromised; otherwise, notification is required. How does one determine whether there is a low probability of the PHI being compromised?
The final rule specifies a four-factor test to be applied when conducting a risk assessment to determine whether there is a low probability of disclosure. This test applies to both covered entities and business associates, and all four factors must be considered.
First, one must consider the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. Does the disclosure describe the type of services provided or other such information? Does it involve detailed clinical information? These considerations should help the covered entity or business associate determine the probability that the PHI could be reused by an unauthorized recipient in a manner adverse to the individual involved.
The second factor requires covered entities and business associates to determine the identity of the unauthorized person who impermissibly used the PHI, or to whom the impermissible disclosure was made. If the disclosure was made to another covered entity obligated to comply with the HIPAA requirements, that would affect the analysis of the probability that the PHI would be compromised, since the recipient is also obligated to protect PHI.
The third factor requires covered entities and business associates to determine whether the PHI was actually acquired or viewed, or whether only the opportunity existed for the information to be acquired or viewed. If a laptop is stolen and later recovered, and it is determined that the PHI was never accessed, viewed, acquired, transferred or otherwise compromised, the covered entity or business associate could determine that there was a low probability of disclosure. However, if information is faxed to a provider other than the intended one, or the PHI is mailed to the wrong individual, the unauthorized recipient would have had an opportunity to review the information.
Finally, the last factor requires covered entities and business associates to consider the extent to which the risk has been mitigated. For instance, if a law firm, acting as a business associate, provides PHI to an insurance company that is not involved in the matter, that situation could be mitigated. The individual who received the information could submit an affidavit stating that they were advised the information had been sent, that they immediately deleted it from their system, and that they did not access or read it. Similarly, a confidentiality agreement can specify that, if the information went to another covered entity, it would not be further disclosed or used.
It should be noted that the mitigation factor must be considered in combination with the other three factors concerning the unauthorized receipt of the disclosed PHI. Each of the four factors must be addressed by the covered entity or business associate in its analysis of the probability that the PHI was compromised. Unless every factor has been considered, the covered entity or business associate cannot conclude that there was a low probability that the PHI had been compromised, and the incident must therefore be treated as a breach.
If a breach has occurred, and the covered entity or business associate cannot demonstrate that there is a low probability of the information being disclosed or reused, several breach notification requirements must be complied with. With regard to the timing of the notification, the following should be noted. All notifications must be made without unreasonable delay, and no later than 60 calendar days after discovery. The counting period starts from the date of discovery of the breach, and a breach is deemed discovered on the first date it is known to a business associate or a covered entity, or to an employee, officer or other agent of the entity.
Once it is determined that a breach has been discovered, and the notification clock has started to run, the notice must be in writing, sent by first class mail to the last known address of the individual or next of kin, or by email if the individual has specified a preference for email notification. If there is no address but there is a telephone number, notice may be given by telephone or by alternative written notice, or, if 10 or more individuals are involved, by conspicuous posting on the web or by notice to the media.
The content of the notice must include a description of what happened, including: the date of the breach and the date of discovery, if known; a description of the types of PHI involved; the steps the individuals should take to protect themselves from harm resulting from the breach; a brief description of the entity’s actions to investigate the breach, mitigate harm to individuals, and prevent further breaches; and a contact for questions, including a toll-free telephone number, email address, website, or portal address.
It should be noted that business associates must notify the covered entity, or for subcontractors, the next business associate in the chain. Such notice must include all of the information discussed above, if available, along with the identification of each affected individual, to the extent possible.
Finally, it should be noted that if more than 500 individuals are involved in the breach, notice must be made to the Secretary of HHS no later than 60 days after discovery of the breach. If the breach involves fewer than 500 individuals, the covered entity or business associate must maintain a log to be submitted to HHS annually, no later than 60 days after the end of the year in which the breach was discovered. Lastly, if more than 500 residents of a state or jurisdiction are affected, notification must be made to a prominent media outlet in that state or jurisdiction.
To accomplish the above, the Breach Notification Policy should include a Breach Notification Plan that addresses the following: the list of persons to be notified; how communication will be made; the type of content to include in the notification, perhaps with a model notice template; and a determination of the remedial services that will be provided to the affected persons.
With the increased use of electronic health information resulting from the advent of HIEs, ACOs, and the incentives provided in the Affordable Care Act, entities that share PHI for treatment, health care operations and payment purposes are being held to more rigorous standards. They must therefore take steps not only to avoid potential breaches, but also, where privacy requirements are not met, to determine whether a breach has occurred and, if so, the appropriate notification process.
James M. Hofert, Linnea L. Schramm and Michael A. Dowell also contributed to this post.