Healthcare Breaches Under the Final Omnibus Rule
By Theodore P. Augustinos, CIPP/US
Among the changes facing healthcare providers upon the September 23 compliance date of the Final Omnibus Rule adopted by the Department of Health and Human Services (HHS) to modify the HIPAA privacy, security and enforcement rules, the most burdensome and significant may be the expansion of the universe of reportable data breaches by reversing—or clarifying—presumption under the harm threshold and the imposition of liability for business associates that act as agents of the covered entity. The HHS Office for Civil Rights characterizes the rule as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” These changes will, among other things, increase the exposure of covered entities and business associates in data breaches.
Presumption of Harm
Since it became effective in 2009, the interim HIPAA breach notification rule has contained a so-called harm threshold. Essentially, a potential compromise of the privacy or security of protected health information (PHI) has not been reportable as a breach unless there was a “significant risk of financial, reputational or other harm to [an] individual.” Under this standard, many inadvertent and inconsequential disclosures of PHI and other detected vulnerabilities have not been reported.
Under the Final Omnibus Rule, however, the definition of breach is “clarified” in a way that turns the presumption of the harm threshold around. In contrast to the interim HIPAA breach notification rule, the rule presumes that any unauthorized access, use or disclosure of PHI is a reportable breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification,
- The unauthorized person who used the protected health information or to whom the disclosure was made,
- Whether the PHI was actually acquired or viewed,
- The extent to which the risk to the PHI has been mitigated.
As a result of this change in presumption, events that would have been screened out under the old harm threshold because they did not present a “significant risk” of harm to an individual will now be reported as breaches to affected individuals and HHS.
Liability for BAs
On the enforcement side, prior to the rule, if a covered entity complied with the business associate provisions of the HIPAA Rules and with the HIPAA privacy and security rules, the covered entity would not be liable for the actions of its business associate unless the covered entity knew of a pattern or practice of the business associate in violation of the business associate agreement.
The rule, however, removes this exception. Therefore, a business associate will be liable for the acts of its business associates, including for breaches related to violations of the privacy and security rules, if it is determined that the business associate acted in the capacity of agent of the covered entity. This liability will also extend to sub-business associates. The determination of which business associates and sub-business associates are agents of the covered entity for this purpose will be fact-specific but will turn principally on the extent to which the covered entity has the right or authority to exercise control over the conduct of the business associate.
Although this change follows general principles of federal common law on agency, it represents a significant change, and potential exposure, for covered entities in the context of data breaches. Covered entities should take care to scrutinize their agreements with business associates that could be deemed to be agents, given the heightened level of potential exposure, especially in view of the fact that the 60-day notification clock begins when the agent knew of the breach, not when the covered entity is notified.
Ted Augustinos is a partner at Edwards Wildman Palmer LLP and a member of the Steering Committee of the firm’s Privacy and Data Protection Group and its Breach Response Team. He advises clients in the healthcare, financial services, retail, hospitality and other industries in the investigation of and response to data security incidents and in the development of policies and procedures related to privacy and data protection.