Breach Notification: Omnibus Style

June 24, 2013

Under the Omnibus Rule, breach notification received more than just a face-lift. The new rule went into effect on March 26, 2013 so Covered Entities and Business Associates alike should have updated their incident response and notification procedures in preparation. The harm provision, which had received much negative reaction and scrutiny, did not survive after all. In its place a more traditional approach was adopted focused on determining compromise of the information. While there is still considerable controversy over the definition of compromise the new approach is still much cleaner than its predecessor and should I believe lend itself to fewer controversial decisions around notification.

“Harm” Has Been Removed

The harm provision was controversial and contributed to the obfuscation of the facts. By focusing on proving the negative, “harm” to those affected by a breach, it made it just as easy to argue that no harm was likely. By doing so it completely ignored the fact that protection and control of access to patient information had been lost or perhaps compromised. The new rule seeks to address that shortfall. To do this it provides a four-factor system of analyzing the incident to determine if compromise occurred. The four factors for consideration when there is a breach seek to define the probability of compromise. In so doing this process also provides a better way to measure potential for harm. This provides a more balanced and appropriate way to measure compliance and accountability.

The Four Factors

That said, the new rule and its four considerations of risk are not devoid of any consideration for potential harm. The first consideration, the nature and amount of protected health information (PHI) suggests that not all breaches are considered equal in their potential for impact. Meaning a breach involving 20,000 records containing multiple elements of PHI and social security numbers is potentially more harmful than a single record compromised. The second consideration, knowledge of who used or received the information, also suggests that there is a difference between another covered entity or healthcare professional who inadvertently receives patient information not intended for them and that same information going unaccounted for or ending up in the hands of someone engaged in identity theft. The third consideration, what that person did with the information, recognizes that there is a difference between the person who acknowledges they received the information erroneously and returns or destroys it and the person who passes it on to others or uses it inappropriately. Lastly, the fourth consideration, the presence or absence of mitigating measures, recognizes that not all compromises or losses are equal with respect to how likely they can be exploited. In fact one could argue when analyzing this approach that thoughtful consideration of these four questions as part of a risk analysis will develop a clearer understanding of the breach and its potential for harm.

Notifications Have Changed Slightly

Actual notifications under the final rule have not changed. Incidents involving more than 500 individual records still must be reported without undue delay and within 60 days of becoming known. Incidents involving less than 500 records may be reported when discovered or up to 60 days after the end of the calendar year. One slight change here, smaller breaches may be reported in the year discovered as opposed to the year in which the event happened. Business Associates are still only required to make notifications to the covered entity. One other change, in the new rule, is organizations that experience a breach and decide notification is required do not have to complete a risk analysis. The risk analysis is only required when an organization is not convinced whether the likelihood of compromise is certain.

OCR will not begin to enforce the Rules until September, specifically September 24^th, but I would not wait until then to revise incident response procedures or to apply them as I have heard some suggest. Smart organizations will take advantage of the period before enforcement to do the following: