HHS’ “harm threshold” standard in its interim final rule on breach notification will prevent healthcare organizations from overwhelming patients with unnecessary breach notification responses, according to providers who work with privacy and security.
At the 18th annual National HIPAA Summit Friday, February 5, Judi Hofman, CAP, CHP, CHSS, privacy/information security officer for Cascade Healthcare Community at St. Charles Medical Center in Bend, OR, and Debbie Mikels, corporate manager, confidentiality for Partners Healthcare System in Boston, said the provision published August 24 in the Federal Register gives covered entities the power to prevent unnecessary notifications.
“If you flood your patients with huge concerns, you’re going to open up a floodgate of problems in your organization where you really may not have had a risk to start with,” Hofman said.
The panelists at the three-day seminar at the Wardman Park Hotel in Washington, DC, responded to a question from an attendee on the controversial harm threshold.
HHS says in the interim final rule that many commenters on its draft guidance in April suggested that HHS add a “harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual.”
Now, covered entities and their BAs will perform a risk assessment to determine whether there is a significant risk of harm to the individual whose PHI ended up in the wrong hands.
According to the interim final rule, the important questions are:
- In whose hands did the PHI land?
- Can the information disclosed cause “significant risk of financial, reputational, or other harm to the individual”?
- Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer’s data was not accessed?
Some Congressmen disagree with the standard.
Six members of the House of Representatives signed a letter on October 1 written to HHS Secretary Kathleen Sebelius that urges HHS to repeal or revise the harm standard provision in HHS’ interim final rule on breach notification.
The Congressmen, all but one of whom are Democrats, wrote they are “deeply concerned” about the harm provision because it gives covered entities and business associates (BAs) a “breadth of discretion” as they determine the level of harm to an individual whose PHI was inappropriately disclosed.
Congress explicitly rejected a harm standard when it crafted the American Recovery and Reinvestment Act of 2009 (ARRA), which includes tougher HIPAA enforcement and greater breach notification requirements.
Mikels, of Partners in Boston, said Friday her team is already prepared to conduct its harm risk assessment.
“We have to look at those harm questions,” she said.
For instance:
- Was it a release from a person inside your organization to another person who didn’t need to know?
- Does your organization have reason to believe that the PHI wasn’t accessed?
“What do I think about [the harm threshold]? Again, it’s a balance thing,” Mikels said. “I think it makes sense to do a risk assessment. Whoever’s the closest to the issue is the one who is best able to look at it and best able to figure out what happened.”
Without a risk assessment and determination of harm, patients would be “inundated with so many letters that the letter of the law would be meaningless,” Mikels said. “I’m kind of leaning toward I think it makes sense to do a risk analysis if we do it well and with the intent of the law. We tend to err on the side of caution and notify patients. Down the road, we wouldn’t want patients to say, ‘OK, my identity was stolen,’ and we didn’t do anything about it.”
At the last HIPAA Summit—in September—Gerry Hinkley, Esq., partner and chair of the HIT practice group for Davis Wright Tremaine in San Francisco, called the harm threshold a “huge weakness.” He said if he’s a patient, he wants to be the one determining whether information that was disclosed inappropriately could cause significant harm—and not the covered entity. Some also say it lets organizations decide, at their own discretion, which incidents count as breaches.
“I don’t think this is a get-out-of-jail-free card,” Hofman of Cascade Healthcare Community said Friday. “With legal, compliance and with ethics, you would hope most organizations would have a higher standard of ethics, and that we’d do our best for our patients.”
The deadline for business associates to comply with the HIPAA Security Rule and breach notification enforcement is a little more than a week away – February 17. Are you ready to comply with these HITECH regulations?
Please take 5-10 minutes of your time to complete this 11-question survey regarding HIPAA and HITECH. By completing the survey, you will become eligible for a $50 cash prize.
Some of you are probably familiar with the Medicaid Integrity Contractors (MICs), specifically the audit MICs, which are conducting Medicaid post-payment audits similar to the RAC initiative for Medicare.
Has your organization undergone a MIC audit? Are you or someone else on your team involved in handling this process? If so, we’d love to hear about your experience. Please e-mail Mike Iarrobino at miarrobino@hcpro.com if you’d be willing to share.
This morning at the 18th Annual National HIPAA Summit, William R. Braithwaite, MD, PhD, “Doctor HIPAA”, Chief Medical Officer, Anakam, Inc., former Senior Advisor on Health Information Policy, DHHS, Washington, DC, says you can’t just hire any old security expert “from MIT.”
It has to be someone with managerial experience and someone who is really going to work for your organization.
Q. A patient comes into the ED and a technician x-rays his injured leg. The radiologist noted a discrepancy in the reading of radiology films the next day. When ED staff members attempt to contact the patient, they find that he provided incorrect contact information and are unable to reach him. A nurse in the ED knows the patient’s family and calls the patient’s father. The nurse informs the father that his son needs to have another x-ray taken and asks him to relay the message to his son. Has the nurse violated patient privacy?
A. Sharing this information with the patient’s father violated the patient’s privacy. If contact information for the patient could not be obtained via other means (e.g., previous hospital records, the telephone directory, or electronic searches), the nurse could have contacted the patient’s father without revealing that he had been treated at the hospital and simply said she was trying to reach him.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. This is not legal advice. Consult your attorney regarding legal matters.