Policy Changes and the New HIPAA Breach Evaluation Process

I keep chipping away at the issues related to the new final HIPAA rules (aka HIPAA2), looking for insights into the bottom-line question, "Just what needs to happen to become compliant with the new rules?"  I provided a little bit of an outline in my last message, but the issues surrounding the changes to Breach Notification need a little more exploration at this point.  In upcoming discussions I'm sure I'll be tackling the scope of the changes to the Privacy Rule, but for the moment I'll fill in a few blanks relating to the Security Rule and Breach Notification.

-- Security and Breach Rule Policies

For the most part, changes to the Security Rule consist of adding "...and Business Associates..." to many of the sections, and doing so probably won't affect your Information Security Policies.  The changes may need to be reflected in your policy on Business Associates if the policy is specific about BA agreement contents and doesn't refer to the HHS regulations identifying required content (or even better, the Web page for that, http://tinyurl.com/7asm2qj ).  If the policy does refer to the regulations, it's probably fine as is.

So, with a little review (make sure you do actually review your policies, please), you'll probably decide your Security policies need little, if any, modification to meet the new rules, except when it comes to Breach Notification.  I suspect most policies refer to the old "harm standard" (I know the ones I've supplied in the past did), and those paragraphs will need to be replaced with consideration of the new four-factor risk assessment for probability of disclosure.  It's well worth your taking a moment to read through the new definition of a breach, under §164.402, FR page 5695, or page 131 of the PDF version, http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf .

-- How to Evaluate a Breach

The key here is to change your thinking about breach evaluation.  Instead of "we don't have to report unless there's harm," the new rules say "we have to report unless there's a defined exception, or unless there's a low probability of compromise."  The process to decide whether an incident is a reportable breach is this:

Step 1) Was the data encrypted according to the HHS guidance with strong passwords and are the passwords still secure?  If so, not a breach.  Document and done.  Note that if you did use some kind of encryption but it doesn't meet the official requirements, it may still get you some points to use in step 3.

Step 2) OK, so if it wasn't properly encrypted; does it meet one of the defined exclusions in §164.402's definition of Breach?  i) For unintentional, good-faith acquisition or use within the scope of authority and no further use or disclosure, ii) for inadvertent disclosure by someone ordinarily authorized to access the information within the same covered entity, business associate, or organized health care arrangement, or iii) if the disclosed information could not be retained by the unauthorized recipient.  If you meet an exclusion, document and done.  But do note that the exclusion under ii applies only to the same entity.  If you inadvertently fax to another office not part of the same entity, that does NOT qualify for the exclusion.  But it may get you points to use in step 3, compared to faxing to the hardware store.

Step 3) Well, it wasn't encrypted according to the guidance, and it doesn't meet an exclusion, so it's a reportable breach, UNLESS you can show a "low probability of compromise" based on a risk assessment considering at least the four factors identified in the regulation.  Whereas before it was, "there's a hole, do we have to jump in?" now it's "we're in a hole, how can we dig our way out of it?"

An issue with any one of the Four Factors (didn't they have a Motown hit back in the 60s?) can be enough to raise the risk of a compromise above the "low" level.  All four must be well controlled.  The factors are: 1) what is the data (nature and extent, and likelihood of identification), 2) to whom was the disclosure made, 3) was the information actually acquired or viewed, and 4) have the risks been mitigated.

-- How Can You Implement This?

I'd recommend your policy point to the regulation (45 CFR §164.400 et seq.), and you implement procedures to support the policy that will take you through the Three Steps and the Four Factors (is this becoming a battle of the bands?).

Let's run through a quick set of examples:  Let's say someone in your office faxes some health information to another office within your covered entity, but it is not the intended office.  Well, it's on the fax machine, so it's not secured, so go to step 2.  In this case, it meets the exception under ii, so it's not a reportable breach.  Document and done.

What if it's faxed to another doctor's office that happens to be a different covered entity from yours?  In this case, you have to go to Step 3, and evaluate the Four Factors.  Let's say this is information about a dermatology skin patch test that went to the wrong dermatologist, was not actually viewed, and was shredded.  
  - Factor 1: The data is not sensitive, not extensive, just one simple test result.  Sounds OK, not too risky.
  - Factor 2: The disclosure was to another doctor's office also under HIPAA rules to protect all PHI no matter the source.  Sounds OK there, too.  
  - Factor 3: Was the information viewed?  In this case, let's say the receiving person realized the fax was misdirected and did not look at the pages behind the cover sheet and learned nothing other than that a fax was sent from an office erroneously.  In that case, sure, that sounds OK too.  
  - Factor 4: The fax was shredded and the risk was fully mitigated.  Also good news.

In this case, document your analysis, and you'd be justified in coming to a conclusion of there being a "low probability of compromise".

-- Some Variations on the Factors

But how about if, instead of a skin patch test result, it's HIV/AIDS test results?  BAM!  There goes factor 1.  VERY sensitive information.  Must report.  Likewise if it's a complete record with lots of detail.

Or, how about if it's the hardware store instead of a HIPAA-covered entity that receives the fax?  BAM!  There goes factor 2.  Must report.

Or, if the person receiving the fax discusses the contents with someone in their office?  BAM again.  Factor 3.  Report.

Or, if you don't actually know that the fax was shredded?  Factor 4.  Report.

Any one of the factors can push your risk assessment above the "low probability of compromise" level.
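One way to turn the Three Steps and the Four Factors into a repeatable triage procedure, written here as an added example rather than the post's own or Lewis Creek Systems' own procedure; the Incident record layout and field names are assumptions, and the scenarios are the post's fax examples as constructed records:

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass
class Incident:
    """Facts gathered about one suspected PHI disclosure (hypothetical record layout)."""
    encrypted_per_hhs_guidance: bool = False  # Step 1: encrypted per the HHS guidance?
    keys_still_secure: bool = True            # Step 1: are the keys/passwords still secure?
    exclusion: Optional[str] = None           # Step 2: "i", "ii", "iii" or None
    same_entity: bool = False                 # exclusion ii only holds within one entity
    # Step 3: each factor is True only when it is well controlled
    data_low_risk: bool = False               # factor 1: nature, extent, identifiability
    recipient_low_risk: bool = False          # factor 2: to whom it was disclosed
    not_viewed: bool = False                  # factor 3: not actually acquired or viewed
    mitigated: bool = False                   # factor 4: risks mitigated (e.g. fax shredded)

FACTORS = (
    ("factor 1 (nature of data)", "data_low_risk"),
    ("factor 2 (recipient)", "recipient_low_risk"),
    ("factor 3 (viewed)", "not_viewed"),
    ("factor 4 (mitigation)", "mitigated"),
)

def evaluate(inc: Incident) -> Tuple[bool, str]:
    """Run the three steps; return (reportable, reason) for the incident file."""
    # Step 1: properly encrypted data with secure keys is not a breach.
    if inc.encrypted_per_hhs_guidance and inc.keys_still_secure:
        return False, "step 1: encrypted per HHS guidance, keys secure; not a breach"
    # Step 2: defined exclusions; exclusion ii does not cross entity boundaries.
    if inc.exclusion in ("i", "iii") or (inc.exclusion == "ii" and inc.same_entity):
        return False, f"step 2: exclusion {inc.exclusion} applies; not a breach"
    # Step 3: reportable unless every one of the four factors is controlled.
    failing: List[str] = [name for name, attr in FACTORS if not getattr(inc, attr)]
    if failing:
        return True, "step 3: reportable; risk not low due to " + ", ".join(failing)
    return False, "step 3: all four factors controlled; low probability of compromise"

# The post's fax scenarios as constructed records.
SAME_ENTITY_FAX = Incident(exclusion="ii", same_entity=True)
WRONG_DERMATOLOGIST = Incident(data_low_risk=True, recipient_low_risk=True,
                               not_viewed=True, mitigated=True)
HIV_RESULTS = replace(WRONG_DERMATOLOGIST, data_low_risk=False)
HARDWARE_STORE = replace(WRONG_DERMATOLOGIST, recipient_low_risk=False)

if __name__ == "__main__":
    for label, inc in [("same entity", SAME_ENTITY_FAX), ("wrong dermatologist", WRONG_DERMATOLOGIST),
                       ("HIV results", HIV_RESULTS), ("hardware store", HARDWARE_STORE)]:
        print(f"{label}: {evaluate(inc)}")
```

The returned reason string is what goes into the incident file as the "document and done" record, whichever step ended the evaluation.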

-- So What Does That Leave?

At this point, we've covered what needs to happen for Security and Breach Notification Rule compliance.  Do note, though, that the new requirements do not go into effect until March 26, 2013, and are not required to be used until September 23, 2013.  Until March 26, you must still use the "harm standard".  Between March 26 and September 23 you can use EITHER the old standard, or the new process.  After September 23, you must use the new rules.

Next time I'll start digging into some of the many Privacy Rule issues.

And, as always, let me know if you have any questions, and do keep up with my list of upcoming seminars and Webinars at http://www.lewiscreeksystems.com/upcoming_public_seminars.html

Copyright © 2002-2019 Lewis Creek Systems, LLC, Charlotte, Vermont, USA