Collateral Effects of the Omnibus Rule: Exercise Caution in Using Past OCR Summaries on Large PHI Breaches as a Roadmap for Future Guidance
In the wake of the post-Omnibus Rule (the “Rule”) frenzy, it is necessary to consider some collateral effects that the Rule may have brought about with respect to compliance with HIPAA/HITECH. The Office of Civil Rights (“OCR”) summaries of closed investigations (the “Summaries”) posted on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”) has been a source of meaningful guidance as discussed in previous posts on this blog. For example, the summary (the “Tennessee Summary”) for a State of Tennessee Sponsored Group Health Plan breach (the “Tennessee Breach”) continues to provide an excellent road map of pre-Omnibus Rule actions for covered entities (“CEs”) or business associates (“BAs”) that suffer List Breaches or PHI breaches of any size.
While the Tennessee Breach itself dealt with mishandling of paper PHI and not electronic health records, the Tennessee Summary does give direction for early intervention by affected CEs or BAs before HHS knocks on their door. However, while there was excellent compliance in the aftermath of the Tennessee Breach, advice from pre-Rule Summaries cannot be used without carefully taking into account the new requirements respecting PHI breaches under the Rule. As will be further discussed below, the most important new requirement in this regard is the necessity for a CE, BA or subcontractor to analyze the level of risk of compromise of the affected PHI.
The Tennessee Breach occurred on October 6, 2011 and involved approximately 1,770 enrollees with respect to names, addresses, birth dates and social security numbers. According to the Tennessee Summary, an equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.
The Tennessee Summary states that the CE did the following (with some parenthetical observations from the blog author):
1. Retrained the equipment operator (suggesting that suspension and/or termination are not the only actions in appropriate cases with respect to dealing with employees involved with a PHI breach where rehabilitation is possible).
2. Submitted a breach report to HHS (resulting in the posting on the HHS List).
3. Provided notice to affected individuals.
4. Notified the media.
5. Created a toll-free number for information regarding the incident.
6. Posted notice on the CE’s website.
7. Modified policies to remove the social security number on templates for future mailings (a good policy whether paper or electronic PHI is involved).
8. Offered identity theft protection to the affected individuals (a common decision for CEs and BAs based on the type of information that may have been compromised).
9. Following the OCR investigation, reviewed its policies and procedures to ensure adequate safeguards are in place (with this disclosure in the Tennessee Summary, there is a suggestion that OCR continued to exercise some oversight or received reports after the investigation was finished).
There was no discussion in the Tennessee Summary of any analysis by the CE of the probable “risk of harm” from the Tennessee Breach under the proposed rule standards that prevailed prior to the Rule. However, it is clear that, in the post-Rule period, a risk analysis of the probability that the PHI “has been compromised” would be necessary for the CE; failure to do such an analysis may be a violation in itself. Under the Rule, there is a presumption that a breach of PHI has taken place unless there is a low probability that the PHI has been compromised. The four factor analysis that would have been required of the CE in the Tennessee Breach case had it happened after the effectiveness of the Rule encompasses the following (with parenthetical comments):
(i) Identifying the nature and extent of the PHI involved, including types of identifiers and risk of re-identification (i.e., names, addresses, birth dates and social security numbers);
(ii) Identifying the unauthorized person(s) who impermissibly used the PHI or to whom the disclosure was made (in the case of the Tennessee Breach, subscribers to the health plan who were not individuals that had an obligation of their own to comply with HIPAA/HITECH);
(iii) Determining whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the PHI to be acquired or viewed (in the case of the Tennessee Breach, there is a likelihood that numerous recipients of the PHI or others without the right to view such PHI did in fact view it); and
(iv) The extent to which risk to the PHI was mitigated (items 3, 4, 5, 6 and 8 above appear to be potential mitigating factors).
As stated in an earlier postings here and here, no Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011. Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011. While the Summaries continue to provide highly useful information for CEs, BAs and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the Rule. It may be that a concern of OCR about potential confusion which could be created by publishing pre-Rule Summaries has prevented OCR from making recent postings of Summaries on the HHS List.