The new HIPAA Omnibus Rule from the Department of Health and Human Services (HHS) makes some changes to the Federal Code to account for the HITECH law as well as changes since then. This summary will be discussing changes to the Breach Notification Rule; we will also have a summary for changes to the Privacy Rule.
The major change to the Breach Notification Rule is that a breach requiring notification is assumed unless:
- the covered entity can show (through a risk assessment) that there is a low probability that the protected health information (PHI) has been compromised, or
- the compromise falls under one of three exceptions to the definition of “breach”.
Previously, covered entities only had to notify affected individuals if a risk assessment showed that the compromise of PHI “poses a significant risk of financial, reputational, or other harm to the individual” (aka “the harm standard”). HHS also lays out explicitly what factors a risk assessment must consider:
“(1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(2) the unauthorized person who used the protected health information or to whom the disclosure was made;
(3) whether the protected health information was actually acquired or viewed; and
(4) the extent to which the risk to the protected health information was mitigated.”
Each of these factors must be addressed and documented in order to avoid sending out a breach notification (if appropriate). A notification can be sent out without performing the risk assessment, but the costs of notification will usually be higher than the costs of a risk assessment. The primary difference is that HHS now sets out specific factors that all entities must consider in the risk assessment, instead of relying on the entities’ own judgement. It still leaves open the results of that risk assessment and whether the risk to an individual is “low” or not.
Another interesting fact (but not change) to note about the Breach Notification Rule is that covered entities are ultimately responsible for notifying individuals. They can contract that task out to the business associate that “caused” the breach, but ultimately, HHS is going to hold the covered entity responsible for notification in a timely manner.
HHS’ definition of “timely manner” is that the covered entity has 60 days to notify folks from the first day the breach is known “or by exercising reasonable diligence would have been known”. When business associates are involved, the timeframes may change. If the business associate is acting as an agent for the covered entity, then final notification to folks must happen within 60 days from when the business associate discovers the breach. If the business associate is not acting as an agent (according to Federal common law of agency), then the covered entity has 60 days from when the business associate notified them. At the same time, the business associate has 60 days to notify the covered entity once it discovers a breach. This extends the possible notification time frame to 120 days.
To ensure the “timely manner” is not violated, covered entities will need to ensure that their business associate agreements/contracts include what the expected timeframes and responsibilities are. Does the business associate have to notify the covered entity for every suspected breach and let the covered entity perform the risk assessment? Or will the business associate perform the risk assessment to determine if they should notify the covered entity? How long does the business associate have to notify the covered entity – especially in cases of agency? Who will pay for/execute the notification process? All of these questions (plus some) will need to be addressed in the contract between the two.
The final piece of interesting information from a security/audit perspective is the definition of “reasonable diligence” to have known about a breach. It’s defined in the Enforcement Rule explicitly as “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances”. As someone who is down in the trenches with discovering attempted (and successful) attacks, what is care and prudence? If big company X with 250,000 employees has a new fancy IDS and SIEM system, does that mean that the small doctor’s office with maybe 10 people has to have the same system? They both need to be aware of breaches if they occur, but the resources available to each are vastly different. Does this require smaller companies to outsource a lot of their IT to companies that can support that type of system? I don’t think that this has been answered yet – and I think that asking a small company to provide the exact same type of auditing capabilities as a large company is unreasonable (but it is not unreasonable for smaller organizations to provide something to detect a compromise).
Whatever the size of the organization, Gemini Security Solutions can help with risk assessments, either before or after a compromise. We specialize in helping companies determine what their risks are and prioritizing their security budget to make the most impact.
This article has been cross-posted from the Gemini Security Solutions website.