HHS recently released the final regulations that revise certain provisions of HIPAA, including the HIPAA breach notification rule. Congress, in enacting the HITECH Act in 2009, included a statutory requirement that covered entities report breaches that involved the unauthorized access or loss of protected health information (“PHI”). HHS then promulgated an interim rule to implement this statutory provision. That interim rule required reporting of the breach under the “significant risk of financial, reputational or other harm” standard. Criticism was subsequently leveled at this standard as being too subjective. HHS has now issued its final rule (effective on March 26, 2013), which changes the breach reporting rule in two ways.
First, if there is a breach that involves PHI, and the breach does not fall within a regulatory exception, the presumption of the regulation is that the breach must be reported. This means that a party that experiences a loss of PHI can no longer assume that notification of the breach is not required simply because it is uncertain whether the loss would cause significant harm to the patients.
Second, the final regulation replaces the interim rule’s standard with a requirement that the party who experienced the loss must demonstrate that there is a low probability that the PHI has been compromised. In order to qualify under this new standard, the party must perform a risk assessment, taking into account at least the four factors outlined in the regulation. These factors are found in § 164.402(2):
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.
So, let’s evaluate a typical hypothetical scenario that involves the loss of PHI. The most commonly reported PHI breach involves data backup tapes that are lost. By design, a data backup tape usually contains the entire database of patient records, because this entire dataset would normally be required to restore the data from the backup.
Under the first factor, such a loss would militate towards breach notification, because the dataset would almost certainly include patient identifiers and, if the backup was of an electronic health record, extensive health information on each patient. Under the second factor, if the tape was merely lost, there is no determination of who might have had unauthorized access to the PHI. If, for example, the backup tape was simply lost by a contractor that stores the backup tapes in a vault for retrieval on demand, this factor might lean towards not making a notification. On the other hand, if the tape was in the trunk of the network administrator’s car, and the car was stolen, this factor might lean towards making a notification.
As to the third factor, a lost data tape alone, without more information, would not tell us whether the data was actually acquired or viewed by anyone. There is certainly the potential that a lost tape could be viewed, assuming that the person who obtained it had access to a compatible tape drive. But based on what we know, this factor is probably neutral.
As to the fourth factor, the question here is whether the backup tape itself was encrypted, or was stored in a locked storage box. A tape that is encrypted is much harder to access, even if the tape was intentionally stolen to obtain unauthorized access to PHI. A tape in a locked storage box that was merely lost may be less likely to be accessed by an unauthorized user. So this factor may swing either way based on what, if any, mitigations were in place to protect the data on the backup tape.
If we assume that no mitigations were in place, the overall analysis would lean towards breach notification under the new rule. As you can see, however, the facts and circumstances matter greatly in evaluating whether a breach has occurred that requires notification.