“HIPAA is a valve, not a blockage.” At least, that’s what Office of Civil Rights (OCR) director Leon Rodriguez has said about the Health Insurance Portability and Accountability Act of 1996. Discussions of the national health information privacy and security act often revolve around the ways it limits access to patient health information, rather than the ways in which it makes that information available to patients themselves.
The new 563-page HIPAA omnibus final rule, released last week by the Department for Health and Human Services (HHS), clarifies and expands patients’ rights pertaining to their health information, while also toughening providers’ responsibility to keep that data safe and secure. The new rule, which is the first major update to the 15-year-old law, incorporates provisions laid out in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.
Easier access to electronic records for patients
For patients, the biggest difference under the new rule is a change in the process of requesting their electronic health records: the default format is changed from a hard copy to an electronic copy.
“The old rule was ‘an individual is entitled to receive a copy in the form or format requested if readily producible,’” said Adam Greene, an attorney with Davis Wright Tremaine who formerly worked at OCR. “If the requested format was not readily producible, than the old rule was ‘you get a hard copy.’ Under the new rule, you continue to have a right to choose the format if readily producible, but now, if the information is maintained electronically and the covered entity is not able to provide the requested form and format, than the default is an electronic copy.”
Greene also said patients can now request that another copy of the records be sent to a third party designee, something that, under the old rules, required a special authorization form. That third party could be a caregiver or a school, but the provision could also make it easier for health consumers to automatically send their health information to an app.
Additionally, the new rules allow individuals paying for a procedure entirely with cash to ask that the procedure not be shared with their health plan. The new rule prohibits protected health information from being sold and limits how it can be used in marketing and fundraising.
For care providers and their associates, tougher enforcement
The new rule includes a number of changes that clarify and, in some cases, increase the standards for protecting patient information. Although the amount that an organization can be fined for a security breach has not changed since 2009, changes in liability and enforcement still give the law some much-needed sharper teeth.
“My overall impression of what HHS did was to send a message to covered entities and business associates handling protected health information that HHS is going to be serious about enforcement,” said Brian Balow, a lawyer at Dickinson Wright LLC.
One major change is that liability for a breach of patient health information is now shared — not just among the covered entities (hospitals and other care providers) but also among their business associates, and subcontractors of those associates. Business associates include anyone who works with a provider in a capacity that requires them to access the protected information — for instance, cloud providers and HIPAA-secure messaging companies.
Balow said the emphasis of the new rule is on “willful neglect,” defined as “conscious violation or reckless indifference” to the law. Covered entities and business associates can be fined $50,000 per violation for cases where covered entities and business associates haven’t completed risk assessments or fail to have data safeguards in place. “Per violation” can mean “per patient with a compromised record” in some cases and “per day of noncompliance” in others, so the fines can add up very quickly.
Old “harm standard” vs. new “low probability of compromise”
As well as expanding the scope of the enforcement, the new rule changes what constitutes a breach. The breach notification threshold refers to the standard for determining whether a security breach is severe enough that a hospital or business associate should be required to report it to HHS, the affected patients and, in some cases, the media.
“The biggest surprise to the healthcare industry was the breach notification threshold, in that it went from ‘a significant risk of harm’ to ‘low probability of compromise,’” said Greene of Davis Wright. “I think not too many people, if any, were predicting that change, although everyone knew that the breach notification standard was in play. So everyone’s grappling with that. As subjective as the harm standard was before, the new standard, which OCR suggests is more objective, leaves huge question marks because people don’t know what it means to have been compromised.”
The final rule reads: “Thus, breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrate that there is no significant risk of harm to the individual as was provided under the interim final rule.”
Balow said that tort law in general is designed for cases where individual harm is hard to establish. It’s hard for a patient to know his information has been breached if he isn’t told, and even if he is, it’s very difficult to seek restitution through a civil suit.
“There are, in my experience more and more people aware of this and believing that their rights are being violated,” Balow said. “I know there have been a couple of class action suits filed, but that law is not at present well developed in terms of the private right of individuals whose private health information has been disclosed. And the issue there is ‘What’s the damage?’ You have to show damage, and it’s very nebulous.”
So instead, the Office of Civil Rights conducts HIPAA audits, fining violators in amounts which could reach tens of millions of dollars. The OCR collects the money and, since the passage of the HITECH act, also receives the revenues to use for further enforcement efforts. But Greene said the department has actually been pretty conservative in leveraging the fines.
“If you look at the stats today, there are roughly 18,000 cases where HHS has investigated, found noncompliance, and closed it with productive actions, compared to only about 12 cases where they’ve brought a penalty and where money’s changed hands,” Greene said, adding that the department simply doesn’t have the resources to do a large number of settlements per year. “There’s definitely been heightened awareness, and I have expectations, but whether we’re ever going to see penalties handed out like traffic tickets, that remains to be seen.”
Greene also said a future rule facilitated by HITECH will allocate some of the money from HIPAA settlements to the patients who were directly affected by the breach.
Blue Button and apps
The provision that might have the most relevance for the Blue Button initiative is the one that facilitates easy sharing of health data to a third party by a patient. Although HIPAA might be strict on health care providers who are acting as stewards for patient information, it doesn’t put any restrictions at all on how the patient uses that data once they have it — including sharing it with an app.
It’s possible that other legislation will take over the security responsibilities at that point, however. Rep. Hank Johnson (D.-Ga.) recently posted draft legislation that would regulate how apps collect and use all kinds of user information. Called the Application Privacy, Protection, and Security Acts, or APPS Act, the draft legislation doesn’t talk about health information specifically. But it does make provisions for individuals to have more control over what information an app collects, require that apps meet a certain standard of information security and, perhaps most relevant, gives them the right to stop data collection and have any existing data deleted at any time.
If the Blue Button initiative succeeds in its mission for patients to have access to their health information in a meaningful and accessible way, then many patients will likely be storing their personal health information in apps on their mobile devices. A measure like this, that holds apps accountable for maintaining the security of that information, could be an important piece making the future ecosystem of patient information viable.