Final HIPAA rule puts proof burden on covered entities

The HIPAA Privacy and Security final rule, released Jan. 17, to a large extent tracks what was in the proposed rule, but also brings some significant changes that will have an impact on healthcare, according to industry observers.

Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips, which works with states and providers on health IT and related public policy issues, and frequently helps clients craft breach notifications, said, “The one that will probably get the most attention is the definition of a breach. There’s been a lot of controversy over the ‘risk of harm’ standard.”

Indeed, the proposed rule held that there would be no breach unless there was significant risk of harm to the individual, but the Department of Health & Human Services (HHS) indicated it might rethink that position. Belfort explained that the omnibus rule replaced the definition with an assessment of whether the improper disclosure compromises protected health information.

“The burden is on the covered entity to show that there’s a low probability that the information has been compromised. There are two changes there,” Belfort explained. “Number one, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, secondly, the burden of proof is clearly on the covered entity. So if it can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”

Belfort views the final rule as HHS navigating the middle ground between privacy advocates arguing that any improper disclosure should be treated as a breach and those who wanted to retain the risk-of-harm standard.

Deven McGraw, director of the health privacy project at the Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee, said this is a very positive development.

“It continues to give organizations the right to do an investigation about what happened in the breach, and to make a judgment call in circumstances where the likelihood that anyone else saw the data is very low that they can make a decision not to notify for breach purposes,” McGraw continued. “This addresses the notion of over-notification that many stakeholders commented on and does it in a way that doesn’t give the breaching entity the subjective judgment call about whether that information would harm you or not. It refines some of the gray area and is a response to some of the criticism after the interim final rule. That’s appropriate.”

Mac McMillan, CEO of security and regulatory specialist CynergisTek, commented that with publication of the omnibus rule, HHS’ Office for Civil Rights (OCR) “will have what it needs to investigate their issues.” The rule arms OCR with the ability to continue audits and fines. “Third parties account for 40 percent of the breaches reported and 75 percent of the records exposed,” McMillan said.

Belfort expects a continuation of the uptick in audits and fines currently under way.

“We’re already seeing the beginning of more aggressive enforcement and stiffer penalties, more frequent penalties,” Belfort said. “And I think that trend will definitely accelerate.”

Government Health IT Senior Editor Mary Mosquera also reported on this story.