
HIPAA Final Rule: Breach Risk Assessment Factors for “Probability Standard”

January 29, 2013.  Today, we cover the four risk assessment factors pertaining to breach notification in the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules:  Final Rule that was published in the Federal Register on Friday, January 25, 2013.  As discussed in yesterday’s post, these risk assessment factors are used in assessing the probability of impermissible use or disclosure compromising protected health information, thereby requiring breach notification. This “probability standard” replaces the “harm standard,” becomes effective March 26, 2013, and requires compliance on September 23, 2013 by covered entities and business associates.

Risk Assessment Factors.  The four risk assessment factors that must be considered are in paragraph (2) of the definition of breach at 45 CFR 164.402.  “As we have modified and incorporated the factors that must be considered when performing a risk assessment into the regulatory text, covered entities and business associates should examine their policies to ensure that when evaluating the risk of an impermissible use or disclosure they consider all of the required factors.” [78 Federal Register 5695]  Note that these are the minimum factors; all four must be considered in every assessment.  There may be others the covered entity or business associate should consider as necessary based on particular circumstances related to or characteristics of the covered entity or business associate.  [78 Federal Register 5642]  Here are the factors [78 Federal Register 5695], following the opening statement:  (2) “Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [HIPAA Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrate[s] that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors”:

(2)(i). “The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.”  In the risk assessment, examine the sensitivity of the identifiers involved and the likelihood that the information could be re-identified or linked to other information, to determine the probability that the protected health information has been compromised.  The “identifiers of the individual or of relatives, employers, or household members of the individual” are at 45 CFR 164.514(b)(2)(i):

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code.

Note footnote 12 on page 5642 of the Final Rule:  “Information that has been de-identified in accordance with 45 CFR 164.514(a)-(c) is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information is not considered a breach for purposes of this rule.”  In other words, data de-identified under the safe harbor method of 164.514(b)(2) carry none of the identifiers (A)-(R) above, and the covered entity has no actual knowledge that what remains could be used to identify an individual; 164.514(b)(1) offers expert determination as the alternative route.  Either way, such data are no longer protected health information.
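The ZIP-code, date and age rules in (B) and (C) above are mechanical enough to be applied in code.  The following is an added example, not code from the original post or from HHS: it applies those three rules to a record, strips the direct identifiers, and then screens the remaining free text for a few of the other identifier categories (telephone numbers, e-mail addresses, SSN-shaped numbers, URLs, IP addresses).  The ZIP3 population table and the patient record are constructed for illustration; a real implementation must load current Census data, and the regex screen is a heuristic aid, not a substitute for the “no actual knowledge” condition in 164.514(b)(2)(ii).

```python
"""Safe Harbor de-identification helper (added example; assumptions are
marked in comments). Implements the ZIP-code, date and over-89 age rules of
45 CFR 164.514(b)(2)(i) and screens free text for other identifier shapes."""
import re
from datetime import date

# Constructed ZIP3 population figures (NOT Census data). A three-digit prefix
# is kept only if the area it covers has more than 20,000 people; otherwise
# the rule requires it to be reported as 000.
ZIP3_POPULATION = {"021": 700_000, "036": 12_000, "902": 900_000}

AGE_CAP = 89  # ages over 89 collapse into a single "90+" category


def safe_harbor_zip(zip_code, populations=ZIP3_POPULATION):
    """Return the three-digit ZIP prefix, or '000' for sparsely populated prefixes."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 3:
        raise ValueError("ZIP code needs at least three digits: %r" % zip_code)
    prefix = digits[:3]
    # Prefixes missing from the table are treated conservatively as small.
    return prefix if populations.get(prefix, 0) > 20_000 else "000"


def age_on(birth, as_of):
    """Completed years between a birth date and a reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_age(age):
    """Ages over 89 may only be reported as the aggregate category."""
    return "90+" if age > AGE_CAP else str(age)


def safe_harbor_date(d, age_over_cap=False):
    """Keep only the year; drop even that when it would reveal an age over 89."""
    return None if age_over_cap else str(d.year)


# Heuristic shapes for categories (D), (F), (G), (N), (O). Regexes cannot
# prove identifiers are absent; they only flag text that needs human review.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def scan_identifiers(text):
    """Return the identifier categories whose pattern matches in free text."""
    return sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text))


def deidentify(record, as_of):
    """Apply the Safe Harbor rules to a record (dict of fields).

    Returns (transformed record, fields whose free text still matched an
    identifier pattern). Name, MRN and similar direct identifiers (A), (H)
    are simply not copied to the output."""
    birth = record["birth_date"]
    age = age_on(birth, as_of)
    over_cap = age > AGE_CAP
    out = {
        "zip3": safe_harbor_zip(record["zip"]),
        "birth_year": safe_harbor_date(birth, over_cap),
        "admit_year": safe_harbor_date(record["admit_date"]),
        "age": safe_harbor_age(age),
        "notes": record["notes"],
    }
    flagged = {k: scan_identifiers(v) for k, v in out.items() if isinstance(v, str)}
    return out, {k: v for k, v in flagged.items() if v}


# Constructed, fictitious record and reference date used for the demonstration.
SAMPLE = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "birth_date": date(1920, 5, 2),
    "admit_date": date(2012, 11, 14),
    "zip": "03601",
    "notes": "Call back at 617-555-0100 re: follow-up",
}
AS_OF = date(2013, 1, 29)

if __name__ == "__main__":
    cleaned, needs_review = deidentify(SAMPLE, AS_OF)
    print(cleaned)        # zip3 '000', birth_year None, age '90+', admit_year '2012'
    print(needs_review)   # {'notes': ['phone']}
```

The sample record exercises the two edge cases in the rule: a ZIP prefix whose (constructed) population is at or below 20,000 becomes 000 rather than 036, and a patient aged over 89 loses both the precise age and the birth year, since the year alone would reveal the age.  The free-text note is passed through untouched but flagged, which is the point of the screen: category (R), “any other unique identifying number, characteristic, or code,” cannot be caught by pattern matching, so a flagged field is a prompt for review rather than a verdict.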

(2)(ii). “The unauthorized person who used the protected health information or to whom the disclosure was made.”  In the risk assessment, examine “whether the unauthorized person who received the information has obligations to protect the privacy and security of the information,” [78 Federal Register 5643] and the likelihood of re-identification, discussed above with respect to (2)(i), to determine the probability that the protected health information has been compromised.  “The final rule expressly includes a factor that would require consideration of the re-identifiability of the information, as well [as] a factor that requires an assessment of the unauthorized person who used the protected health information or to whom the disclosure was made (i.e., whether this person has the ability to re-identify the affected individuals).” [78 Federal Register 5644]  For more on re-identification, see 45 CFR 164.514(c):  Implementation specifications:  re-identification.

(2)(iii). “Whether the protected health information was actually acquired or viewed.”  In the risk assessment, distinguish between actual acquisition or viewing of unsecured protected health information and the mere opportunity for the information to be acquired or viewed, to determine the probability that the protected health information has been compromised, as the following example in the Final Rule illustrates:  “[I]f a laptop computer was stolen and later recovered and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed.” [78 Federal Register 5643]

(2)(iv).  “The extent to which the risk to the protected health information has been mitigated.”  In the risk assessment, “consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised,” [78 Federal Register 5643] as the following passage in the Final Rule illustrates:  “Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed,” … and “acknowledge that the recipient of the information will have an impact on whether the covered entity [or business associate] can conclude that an impermissible use or disclosure has been appropriately mitigated.”

Tomorrow, we will look at the definition of unsecured protected health information and the state of the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, and Indecipherable to Unauthorized Individuals, which may provide a safe harbor for breach notification.


Ed Jones, Author & Healthcare Authority

Filed Under: American Recovery and Reinvestment Act, Enforcement, HIPAA Law: Administrative Simplification, Health IT and HITECH, Privacy, Security 