Breach notification: Experts say to err on the side of caution


As reported in yesterday's FierceHealthcare, HHS is back at the drawing board working on a new set of privacy rules, after quietly withdrawing its final HIPAA breach-notification rule earlier this month on advice from the White House.

At issue with the final rule HHS submitted for budget approval on May 14 is the so-called "harm standard," which qualifies the circumstances under which a covered entity must notify patients of a privacy breach. As written, healthcare providers and health insurance plans had to notify patients of a privacy breach only if they found that the violation posed "a significant risk of financial, reputational or other harm to the individual."

According to consumer rights advocates, as well as Congress, the problem isn't so much with having a harm standard--as many acknowledge a low end of the breach spectrum in which individuals may truly not be affected--but in the subjective nature of determining that threshold on a case-by-case basis. Moreover, putting those who caused the breach in charge of deciding whether it's worth making a fuss about makes less-than-perfect sense. And in cases in which a breach occurs under a business associate's watch, the covered entity and the business associate may not be able to agree on whether harm to a patient occurred, notes healthcare security and privacy expert Kate Borten, CISSP, CISM, founder of The Marblehead Group consultancy in Massachusetts.

"It gets complicated," says Borten, who's given numerous presentations to healthcare organizations on how to conduct the required assessment to determine patients' risk of harm following a privacy breach. "And certainly there is concern that organizations, instead of erring on the conservative side and making notification, will go the other way and not notify when they should. On the other hand, if you go strictly by the language of the HITECH Act, it requires that notification be given when even a totally trivial incident occurs."

When the provision is rereleased this fall, Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., expects to still see some standard of harm applied, but with a clearer definition of what constitutes harm. There's also a small possibility that the rule will emulate state breach notification laws (which mostly deal with financial information) and delegate the authority to determine harm to a third party, such as law enforcement, he says.

Borten, however, predicts an eventual black-and-white rule to notify patients of all privacy breaches. "I think that in the long run the rule should revert back to the position of Congress, just because of this danger that some covered entities will make an inappropriate decision that is self-serving."

Regardless of what the revamped rules may require, both experts who spoke with FiercePracticeManagement caution physician practices to err on the conservative side when determining whether a breach may have caused harm.

"People are far more forgiving if you tell them upfront rather than if you don't tell them and they find out some other way," Apgar says. As an example, he points to Providence Health System's voluntary notification of a 2005 theft of backup tapes and discs containing personal information on 365,000 patients, after which Providence also provided patients free credit reporting for one year.

"What that bought them was that when a class action lawsuit was filed, Providence prevailed and the case was dismissed because the judge said Providence exercised due diligence with its actions," Apgar says.

Borten's advice: "If [after performing your risk assessment] you think that there is any slim possibility [of harm], go through the notification process--because clearly Congress intended for this to occur in every instance." - Deb