
HIPAA's Harm Threshold is a Huge Weakness

By HealthLeaders Media Staff | September 21, 2009

A lawyer and panelist at last week's 17th annual national HIPAA Summit called HHS' new "harm threshold" in its interim final rule on breach notification a "huge weakness."

Gerry Hinkley, Esq., partner and chair of HIT practice group for Davis Wright Tremaine in San Francisco, presented a talk on breach notification and the new components of HIPAA in the HITECH Act on Day 3 of the conference at the Wardman Park Hotel in Washington, DC, Friday.

Perhaps his most telling comment came about the new "harm threshold" in the HHS interim final rule on breach notification.

Hinkley called it a "huge weakness." If he were a patient, Hinkley said, he would want to be the one determining whether information that was disclosed inappropriately could cause significant harm, not the covered entity.

HHS says in the interim final rule that many commenters on the draft guidance in April suggested HHS add a "harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual."

HHS agreed. Hinkley clearly does not.

HealthLeaders Media asked Hinkley at the Summit Friday if he sees instances where HHS will overrule a covered entity's determination of significant harm to a patient.

"You always have that risk because if your determination is not reasonable, you've got a HIPAA violation," Hinkley said. "You're going to be second-guessed so you want to be balanced and conservative in making that determination."

According to the interim final rule, covered entities and their business associates (BAs) will perform a risk assessment to determine whether there is a significant risk of harm to the individual whose PHI was inappropriately disclosed.

According to the interim final rule, the important questions are:

  • In whose hands did the PHI land?

  • Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?

  • Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?

In certain cases, if the information includes only a patient's name and the fact they've had services at the hospital, that's no harm, no breach. But what if the information includes the patient's oncology treatments? Lots of potential harm there. And that's a breach.

On Day 1 of the conference Wednesday, HealthLeaders Media asked David Blumenthal, MD, MPH, HHS' national coordinator for health information technology, whether the government is concerned about the harm threshold's subjective nature.

Blumenthal deferred the question to HHS' Office for Civil Rights (OCR), but said, "We know there is a balance between practicality and protection in that regard."

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, told HealthLeaders Media that facilities must conduct a risk assessment to determine harm.

Ruelas presented on breach notification on Day 1 of the HIPAA Summit.

"It is certainly reasonable to conclude that given the requirement to document its risk assessment with respect to this harm threshold, each covered entity will likely adopt its own unique perspective on the level of risk it would assign," Ruelas said in an e-mail to HealthLeaders Media Monday. "This same uniqueness will also likely be one determinant on how the same type of incident might be rated differently across the covered entity community."

Ruelas says a risk assessment is "vital so that breach notifications are triggered appropriately. It is the variability of how these risk assessments will be done which is what is drawing my attention. Without clear guidance or a tool to use, each covered entity is left to its own devices."
