
4 posts from January 2013

January 29, 2013

Final HIPAA Breach Notification Rule

FierceHealthIT is running my commentary on the HIPAA Breach Notification Rule. Here's an excerpt, highlighting the final regulation text and the shift away from the harm standard in the interim final rule (IFR). Please follow the link to read the rest of the post.

The IFR required a risk assessment to be done in order to determine whether the risk of harm was present. The feds observe in the commentary to the final rule that some folks "may have interpreted the risk of harm standard in the [IFR] as setting a much higher threshold for breach notification than we intended to set." Hence the "clarification" in the final rule that:

an acquisition, access, use, or disclosure of protected health information in a manner not [otherwise] permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

45 CFR 164.402 (emphasis added).

This revision is intended to provide a more objective standard, in response to comments filed in connection with the IFR.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


January 23, 2013

HIPAA Omnibus Rule - Google+ Hangout

For a first look at the HIPAA omnibus rule, I had a Google+ Hangout on Air with Brian Ahier and Deven McGraw this afternoon. We talked through the changes made to the privacy and security rules, the breach notification rule, the enforcement rule, and the harmonization of HIPAA and GINA. The video runs about an hour, and we got some pretty good reviews live and in the hours since this ran. Check out the HIPAA discussion on Google+ concurrent with and immediately after the hangout, too.

HIPAA Omnibus Rule Hangout


One viewer, Ben Watts, posted his notes almost immediately after we were through, on his blog EMRSoap. (Thank you, Ben!) Here's an excerpt from his post:

EMRSoap Write-up of the HIPAA Hangout by Industry Leaders

Below are our notes from the discussion – they’re not specifically tied to the individual speaker.

  • Most of the final rule was the same.  Except for the Marketing provision – that was quite a bit different than the proposed rule.
  • We’re still not done. Even though this is the ‘Omnibus rule’, there’s still 2 new rules that need to come out.
  • Bus related puns abound.
  • What do providers need to watch out for?  One thing: Primary liability of BA’s and subcontractors.  You really can’t sub out responsibility entirely.
  • There’s a community of small providers and Business Associates who aren’t aware of the reality of HIPAA and haven’t completed Risk Assessments (and more).  They’re just not familiar enough with their obligations and the HIPAA environment.  They’ll have till September 23rd to comply with this rule.
  • Date by which new BAA and NPP need to be entered into is a year after that September 23rd.  The agency will be issuing further guidelines throughout this timeline.
  • The government is committed to more audits and fines.  The fines they collect will fund the audit process.  We’re going to have audits of Business Associates and their subcontractors, not just Covered Entities.
  • Enforcement is moving to Penalty base, and away from voluntary compliance.
  • But not entirely, says Deven.  Rule was pretty clear – informal resolution and voluntary compliance would still play a factor in enforcement.  HHS will have discretion.
  • HHS has been going after the smaller groups as well, even without the Omnibus rule.
  • Environment of ‘Hands off’ has led to people being careless.  Behavior has been beyond what’s acceptable for building up trust in EMRs.
  • Why should patients be excited?  People most bugged by marketing – that’ll be limited by HIPAA Omnibus rule.  Also, breach notification provision much more clear means that institutions are going to pay a lot more attention to encryption.
  • Discussion on the ‘conduit’ exemption – very narrow exemption.  Really only works for courier-like firms (ISP and postal services, for example).  Only making sense in cases of random or intermittent access to ePHI.  As opposed to entities that store data – would be a BA, even if the intention is not to look at it.
  • Failing to sign a BAA doesn’t exempt you from BA status.
  • Researchers are now permitted to give people conditional treatment if they agree to research.
  • Now allowed to have authorizations for future research as long as the description is rich enough to give patient a general idea of the types of research that’ll be enacted.  No need for individual study approval.  Requirement is somewhere in between ‘all research’ and ‘one study’.
  • Patients can request records in forms that makes sense for them.  If you can’t technically do it in the form (5.5 in floppy, for example?) then the provider will have to reach an agreement with the patient.
  • Is it possible to segment your record, and keep some info off of your Health record?  Yes.  It’ll probably be hard for a fair amount of providers.  If a patient says ‘don’t send this to my payer’, you can’t do it.
  • Patient right to get data trumps security requirement.  If the patient is notified of risks of transmitting ePHI over email, then the ePHI can be transmitted to the patient.  Requirement of alerting patients is fairly low.  Bi-lateral communication is a different realm, however.
  • Changes to enforcement rule – bottom line is there’s a max of 1.5 million per violation.  Likelihood of greater fines in the future?  Maybe.  Largest fine to date was against a bankrupt company.
  • There are more breaches reported…not necessarily more breaches in total.  Now, with our digital health system, we know who’s seen what.  We’ll see more breaches in total, but that’s not necessarily a bad thing.
  • BA’s right to use data is explicitly limited.  BA’s are directly liable, but they’re still subordinate to Covered Entities.
  • Breach Notification – we’ve moved away from the ‘harm standard’ – moved away from the subjective value of the underlying data.  We’ve moved to an examination of ‘what happened in this instance?’  Presumption being if we don’t know what happened, then there was a breach.  Notion of ‘if it’s info about your big toe then it’s not harmful’ is gone, as is underlying subjective value judgment of data.  Faxing info to Doctor X instead of Doctor Y, maybe less of a big deal.  As long as that mistake is handled appropriately, it’s not that big of a deal.  If there’s greater than a low probability that the ePHI was breached, then there needs to be a notification.  There’s a 4 pronged set of standards that need to be examined in that investigation to determine if there was a breach.   But if you know that there was a breach, you don’t need to do an investigation.
  • Everybody: gotta revise your Notice of Privacy Practices.  Remember that you have until September.

We enjoyed using the Google+ Hangout on Air platform, though it was a little bumpy as it was our first time. We are considering putting together future hangouts on the HIPAA omnibus rule, and would welcome your input regarding which issues warrant a closer look.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


January 18, 2013

HIPAA Final Rule on Privacy, Security, Breach Notification and Enforcement Issued, Finally

The HIPAA omnibus regulation is finally out as a final reg. The HIPAA Privacy, Security, Enforcement, and Breach Notification Rules were released late yesterday, and are expected to be published in the Federal Register on January 25 here: HIPAA Final Regulation. (See the end of this post for info about an upcoming online event.)

UPDATE 1/21/2013: Join Brian Ahier, Deven McGraw and me, David Harlow, for a Google+ Hangout on Air Wednesday, January 23, 2013, at 11 AM PT, 2 PM ET, where we will discuss the HIPAA Final Rule. Leave us your questions as comments to this post.

Here's the whole 563 pages:

HIPAA Privacy, Security, Enforcement, and Breach Notification Rules 

The accompanying presser details a few of the highlights:

The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius.  “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The changes in the final rulemaking provide the public with increased protection and control of personal health information.  The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.  The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

Individual rights are expanded in important ways.  Patients can ask for a copy of their electronic medical record in an electronic form.   When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.  The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.

 “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez.   “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes.  The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

Most of the revisions are familiar to those of us who have tracked the proposed rules and interim final rules issued over the past several years, though there are some new ideas here, too, the result of plenty of percolating, as well as review of some of the comments filed. The effects are wide ranging, touching everything from marketing to big data to app development and beyond.  

The compliance date for the new rules will be September 23, 2013.  (The rules are effective 60 days after publication, and the compliance date is 180 days after that.)  So there will be plenty of time for OCR to issue some guidance documents as promised in the rule and for Covered Entities to get their acts together and pull together revised Notices of Privacy Practices and Business Associate Agreements, among other things. Business Associates and their subcontractors will have their share of work to do as well, now that they are within the ambit of the rule.

I am planning to present a discussion of the final rule live, on line, in the next week, together with other experts.  Watch this space for details.  If you have any questions you would like us to address, please post them as comments.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

January 15, 2013

Meaningful Use Stage 3 – Society for Participatory Medicine Comments on Proposed Objectives

The Health IT Policy Committee of the Office of the National Coordinator of Health IT released its proposed Stage 3 objectives for Meaningful Use.  "Eligible Providers" that meet these objectives share in the federal electronic health record incentive program under the HITECH Act.  (Learn more at; here's some more background on the Stage 1 Meaningful Use regs.)

The Committee wrote that it saw the release of these draft objectives as an opportunity “to begin to transition from a setting-specific focus to a collaborative, patient- and family-centric approach.”

The Society for Participatory Medicine filed comments on the draft Meaningful Use Stage 3 objectives, saying: "We endorse the proposals that further this goal, and offer some focused recommendations intended to ensure that the final regulations are in fact designed to help achieve this goal."

One of the key issues presented in this draft is the opportunity afforded to patients to correct misinformation in their medical records.  The Society's comment:

We feel that patients should be involved in amending, reconciling, and correcting errors in their medical records. Making this possible will require EHRs that support patient assistance, patient portals or other mechanisms for patients to do this online, and workflow tools for both providers and patients. We propose that ONC establish additional working groups or technical expert panels to study these issues and establish relevant standards.

The Society also responded to the Committee's request for information on the use of patient-generated data, endorsing its use, and noting that: "The patient is the most highly qualified expert on his or her own health, and his or her own experience of the health care system."

I invite you to peruse the proposal and comment letter linked to above. Again, the perspective on these matters espoused by the U.S. government agency is that we need to focus on enabling provider-patient collaboration. The Society approves.

A special thanks to Adrian Gropper, M.D., of the Society's Public Policy Committee, and to the members of the Society's Executive Committee, for their contributions to the review and comment process.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

This post first appeared on the blog of the Society for Participatory Medicine. David Harlow chairs the Society's Public Policy Committee.