The New 2013 HIPAA Regulations, Part 2: Breach Notification Rules
Written by: Cindy Monak-Gagnon, RN, Clinical Designer & Peter Arbuthnot, Regulatory Analyst
Among the new 2013 HIPAA regulations discussed in a previous blog, one of the more important ones involves new rules for breach notification, e.g. the unauthorized release of protected health information (PHI). These new rules usher in a higher standard for breaches of PHI, along with stiffer enforcement. Here is an overview of how these new rules will affect you:
New rules for releases of identifiers
Prior to the new 2013 rules, there was no presumption of a breach unless there was significant risk present. Now the burden is on the facility to show that there is a low probability of harm based on a ‘risk assessment.’ This self- assessment process will then determine the outcome of the breach. This risk assessment includes a review of the following factors:
- The types of identifiers linking health information to individuals, such as names, medical record numbers or geographic information. A complete list of these identifiers is provided below.
- If these identifiers would be likely to be used in identification in other information
- Whether or not the exposure involved unauthorized persons in terms of access or in terms of disclosure to others
- Whether or not actual health information was obtained or viewed
- Finally, to what extent this disclosure was mitigated.
Here is a list of the kinds of identifiers that risk revealing an individual's PHI:
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code of an area greater than 20,000 people (unless blanked)
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
From an enforcement standpoint, civil monetary penalties for breaches of PHI can now be assessed based on 4 violation categories:
- “Unknowing”- where the provider or Business Associate did not know and could not have reasonably known of the violation. This carries a $100 to $50,000 fine for each violation.
- “Reasonable Cause” – where the provider or Business Associate knew or with reasonable diligence would have known but there was no sign of willful neglect. This carries a $1,000 to $50,000 fine for each violation.
- “Willful Neglect (Corrected)" – where the provider or Business Associate was conscious or intentionally acted negligent but corrected the violation within 30 days. This carries a $10,000 to $50,000 fine for each violation.
- “Willful Neglect (Not Corrected)" – where the provider does nothing to correct a violation 30 days after discovery. This carries a mandatory $50,000 fine for each violation.
The actual amount of the fine varies based on the number of individuals affected, the nature of the violation, history of compliance and whether the fine would jeopardize the business. Maximum fines per calendar year can reach as high as $1.5 million dollars.
A large part of the original vision for HIPAA was to protect patient information, in an era of increasing electronic data and online transmission. Now, more than 15 years after President Clinton signed this Act into law, this area has been tightened up in a way that provides even greater protection for patient information -- and a greater burden of responsibility on health care providers. Being aware of these new rules, more of which are summarized in a previous blog (link), is an important first step toward compliance in this new era of HIPAA.