
Harm Standard: Gone But Not Forgotten? New Factors Mimic Current Breach Regs

Although covered entities (CEs) have been required since 2009 to notify affected individuals and the government, when appropriate, of breaches of unsecured protected health information (PHI), the so-called “harm” standard that triggers notice no longer exists under the new final regulations. Or does it?

Are CEs really starting over when it comes to assessing whether an incident is a reportable breach under the final regulations issued on Jan. 25, which have a compliance deadline of Sept. 23?

Just how hard CEs will have to work in the next few months to implement the new regulations on breaches may well depend on how thoroughly they absorbed the 2009 interim final regulation — including its chatty preamble. Another factor is whether they have a detailed process in place already that they use to assess whether incidents have to be announced, or if they’ve been just kind of winging that part of it.

“If the CE had decided to look at the breach notification rule as a serious matter, and has attempted to comply,…used the interim final rule and followed the spirit of the rule, you are in pretty good shape,” Mahmood Sher-Jan, vice president of product management for ID Experts, a breach prevention, assessment, and mitigation firm based in Portland, Ore., tells RPP.

To be sure, there’s one big difference between the old and new breach regulations: The new regulation requires a presumption that an incident is a reportable breach, unless the CE’s analysis proves the data probably hasn’t been, and won’t be, misused (RPP 2/13, p. 1). And while the “harm” standard has been replaced with another that relies on a “low probability of compromise,” there’s much that’s the same, such as three exceptions in the old rule that are also found in the new rule, with the one dealing with limited data sets now omitted.

Harm: New Regs Pose Few New Problems

Sher-Jan and other privacy experts point out that the preamble to the 2009 regulation used some of the exact language to describe the analysis based on the risk of harm that now appears in the new regulation in the form of four factors under the “low probability” standard that CEs, and now business associates, must consider to determine if a breach meets the legal definition of an incident requiring notice.

As in the old regulation, the new regulation states, “Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” The old regulation also said the following, which is now gone from the new regs: “For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”

In its place is the following, which describes the four new factors to be used instead of the harm standard:

“(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

“(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

“(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

“(iii) Whether the protected health information was actually acquired or viewed; and

“(iv) The extent to which the risk to the protected health information has been mitigated.”

Lisa Sotto, who heads the privacy and information management practice for the New York-based law firm of Hunton & Williams, LLP, says the health care community can make a “seamless shift” to the new standard and the assessment process. “I don’t think it matters” that the standard was changed, she says. “When you are faced with the breach, you conduct an analysis based on the relevant requirements.”

What CEs are doing now, she says, “is pulling out their incident response procedure and revising it to remove the ‘risk of harm’ and inserting the new standard.”

Sotto termed it “good and bad” news that the language from the preamble of the 2009 regulation has been reframed into the four factors now present in the new regulation. “Very good in that we have a clearer description” of what goes into a risk analysis, she says, “but the negative, I venture to guess, [is] that those will be the only ones to be considered.”

Many CEs already have experience complying with state data breach laws, many of which include similar standards, and allow for, or even require, mitigation, she says.

Sher-Jan cautions that “no single factor should determine” whether a reportable breach has occurred or not, and he warns CEs against a “tendency to drop to factor three, if it was viewed or acquired — ‘Yes’ — then it’s a breach.”

“Mitigation will be the biggest question in my mind,” he says. “The final rule says ‘if you take the proper steps’…what are the proper steps? I think that will be an area” of need for greater clarification by OCR.

It will be important for CEs and BAs to develop mitigation strategies since the opportunity to engage in such actions is now spelled out in the regulation, he adds. OCR, in the final rules, “recognized that there can, and should, be mitigation. Even though the word ‘harm’ has been removed, there is an obligation to minimize the adverse effect,” Sher-Jan adds. “Ensuring that the PHI is secured or is no longer misused or abused is part of protecting the patient,” he says.

Regardless of where CEs are in their efforts to comply with the new four-factor standard, Sher-Jan says they need to be certain that whatever they do is part of an overall breach management program, with consistent policies and procedures, “metrics” and a process for detecting potential breaches. “How many are you [seeing]? How are you classifying them — breach or not? Are those going up or down?” he asks.

Admitting he has a “bias toward automation,” Sher-Jan stresses that while his company has a product that will provide assistance with compliance and documentation of analysis, the ultimate decisions are up to the CE. If investigated, “You can’t say, ‘a tool told me what to do.’”

ID Experts’ flagship product, RADAR, is a software decision-support program that “plots an incident’s risk level on a heat-map using a proprietary incident risk index.” The program “takes into consideration the severity of the incident, as well as the financial, reputational, and medical risk levels associated with the exposed [information],” and compares the resulting score against federal and state breach notification laws, he says.

Sher-Jan says the weight assigned to the various factors may be “adjusted” if necessary based on the forthcoming guidance, which he hopes will “give us some scenarios” for when breach notification is required.

So far, there is no consensus on whether the new regulation will result in more or fewer breach notifications. Some organizations have made public notification of incidents, along with how they disciplined employees, in cases that some saw as marginal.

Of course, some notifications might have had less to do with a strict interpretation of the harm standard and more to do with a CE’s desire to set an example for its workforce or fear that the Office for Civil Rights could conclude the CE erred in not treating an incident as a breach, perhaps subjecting the organization to more calamitous actions than the actual breach would.

“In many cases, CEs just notify whether there is knowledge [of a breach] in or outside. There is often a weighing in favor of notification because there can be less risk associated with it,” Sotto says, as opposed to later being second-guessed or investigated and then penalized if it is determined notice should have been made.

“We have handled over 900 data breaches and everyone is unique. Everyone has to be separately [assessed],” Sotto says. Of these, entities have ended up notifying affected individuals more than 90% of the time, a percentage she does not expect will change.

When the incident is “murky,” entities tend to notify, Sotto says. Circumstances in which they might not include when the PHI was sent “to a single trusted partner, maybe another CE,” when it involved “innocuous data-name, address” — that is sent, and when a valid affidavit is obtained attesting to the return or secure destruction of the data, she says.

The new standard “will be a big deal,” says Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP, who adds that, of the new changes in the rule, this will have “definitely the biggest impact.”

He disputes the final rule’s assertions that no breaches will be reportable under the new regulation that aren’t currently reportable, and its premise that the new standard is more exacting than the 2009 harm standard.

“The new rule is no more ‘objective’ — or less ‘subjective’ — than the old rule. It’s still a judgment call,” says Drummond, who predicts an uptick in reported breaches.

“For anyone with a possible breach incident that is using the new standards, unless you meet one of the three statutory exceptions, it will be very, very difficult to come to the conclusion that there is no reporting requirement,” he says. “This is very troubling, potentially, since something as little as a breach of the minimum necessary standard could (should, will) require notification to affected individuals.”

“We may see a spike,” Sher-Jan agrees, “but I don’t think it will be [among those] who were already compliant,” but among “people who were really on the fence [in the past], who didn’t follow the rules before.”

“Maybe they had a process that was far more subjective” than that spelled out in the new final rule, he adds. Breach notification hasn’t fully matured, Sher-Jan says, adding that more time is needed now that the four factors are in place for that process to continue, and for some, to perhaps get underway for the first time. “Breach is still in its teenage years,” he says. “It may get a little more rambunctious before it settles down.”
