I know most of us need new HIPAA/HITECH rules like we need bird flu, but they’re here. Yesterday, the US Department of Health and Human Services released the HIPAA Omnibus Rule, affectionately dubbed by some the “Mega Rule.”
The document is over 500 pages long, so I imagine it’ll be some time before we see a lot of in-depth interpretations. There is already much buzz, however, about the official change to the responsibilities of Business Associates (don’t know what that is? See “What is a HIPAA Business Associate Agreement?“), some changes to the definition of “protected health information,” and one thing that I think is very important to us mental health clinicians: security breach reporting.
Before the Omnibus Rule, we had the Interim Final Breach Notification Rule, which stated that we must report any breaches of our clients’ sensitive information to both the client(s) and to the Department of Health and Human Services. If there were more than 500 records breached, we would also need to make media announcements and set up services to help affected clients with subsequent damages, such as having their credit harmed by fraudulent charges, etc.
The rule was a big deal, and I’ve met several people who say they’ve received more than one notice from a health care provider stating that their health info had been breached. It became apparent that over-reporting of breaches was a real risk, and that would lead to overworked health care workers (and DHHS workers) and apathy among consumers.
The Omnibus Rule gave security breach reporting a substantial overhaul. A huge addition is the provision that before reporting a breach, the provider should perform a risk assessment around the breach to decide if the danger to the client(s) is large enough to merit reporting.
The breach risk assessment concept requires us to apply four areas of consideration to breaches to decide if they need to be reported to the client and to the Department of Health and Human Services:
- Exactly what kind of info was breached? Is it something like a client name and the date they started therapy? Is it the client’s full 5-axis diagnosis along with their name and address? How deep is the breach? It’s very important to note that mental health treatment is seen as especially sensitive, so the nature of our profession makes most of our breaches already bumped up a notch on the risk scale when we consider this dimension.
- Who was it breached to? Did you accidentally FAX a release form to the wrong health care colleague? Or did an identity thief get ahold of a client’s demographic information? Clearly, these are different situations in terms of danger to the client.
- Do you know if the breacher actually got their hands on or clearly saw the information? Sometimes breaches are just situations where someone could access or use your clients’ sensitive info without permission. If you can demonstrate clearly that the information wasn’t retained in any way by the breacher, that significantly affects the actual level of danger to the client and thus your decision to report the breach.
- How was the breach handled? Did you or any associated colleagues take action to reduce the breach in some way? E.g. if you FAXed a document to the wrong colleague, did they immediately destroy it and contact you? Or did it float around the office for a while before it was discovered? That would significantly affect the actual level of danger to the client that comes from the breach.
The burden is on us to do the assessment and to prove that the risk to the client is low before deciding not to report.
“Risk assessment?” That sounds familiar
It should! HIPAA Security already requires us all to perform regular formal risk assessments of our whole practice. That means going through all the doodads and services we have that contain clinical information and determining how risky those doodads and services are to our clients’ sensitive information.
The new breach rule adds yet another kind of risk assessment we need to be prepared to do.
But I’m not really in a position to do a risk assessment for a lot of my stuff, like email or texting
Yep. That’s a problem, right? Email, for example, travels unprotected through the public Internet, and thus the contents of emails are technically breached by tens to hundreds of individuals every time you send one (for more info, see our article, “Is Email HIPAA Compliant?“). The vast majority of those breaches are low-risk (and therefore don’t need to be reported according to the new rule!). However, we have absolutely no way to know that, and thus no way to prove it. Boo.
The phone company may be able to provide some information about breached text messages, but they don’t have to and often won’t. Also, they can’t help with every kind of possible breach.
Skype has been asked on many occasions to be more transparent and forthcoming with information that can help clinicians track what is going on behind the scenes, but they haven’t cooperated so far.
As communications tech and health care security standards develop, the need for us to use communications systems that provide audit trails and reliable security only grows.
You always say encrypted email is okay. Is that still true?
Encryption works. So does encrypted email. (If you’re not sure about encryption, see “What is Encryption?“) When the data you send is reliably encrypted, it can’t technically be “breached.” A breach only occurs if an unauthorized person gets access to or makes use of unprotected protected health information. Properly encrypted information is not unprotected, readable protected health information; rather, it’s just a big jumbled mess.
For those of us that just want to help our clients and not worry about things like this, any new rules are clearly a big pain. Most of these new rules are helpful to us, however, as they clarify a number of vague points and reduce situations where we are required to make painful reports. I’m sure more information will be forthcoming as the greater community gets through that 500+ page document.