New HIPAA regs require notice of a ‘data breach’
October 5, 2009
By Julia Reischel
Yet another set of data breach regulations has fallen on the shoulders of Massachusetts businesses that work with health information under the federal Health Insurance Portability and Accountability Act, known as HIPAA.
As part of the stimulus package passed by the Obama administration earlier this year, any company that comes in contact with so-called “protected health information” must comply with HIPAA’s famously restrictive set of privacy rules.
The new regulation, which was issued by the Department of Health and Human Services in August and goes into effect Sept. 23, effectively extends HIPAA coverage to the “business associates” of hospitals and other health care providers.
“It could be an accountant; it could be an IT provider that does data aggregation; it could be really anyone that does services for the health care industry,” said Ellen L. Janos, a partner in the health law practice group at Mintz, Levin, Cohn, Ferris, Glovsky & Popeo in Boston.
The privacy rule requires these entities to implement a specific set of security protocols for health information and, in the case of an accidental breach, to determine whether it is necessary to notify the patient and the general public.
It is left up to the businesses themselves to decide whether notification is necessary, based on whether there seems to be a “significant risk of financial, reputational or other harm” to patients.
According to Jeffrey W. Mittleman of Holland & Knight in Boston, there are plenty of shades of gray involved in that decision.
“If just the fact that Jeff Mittleman received service in a hospital is breached, is that something really worthwhile to tell me about?” he asks. “But if the breach shows that I am having a tummy-tuck, or that I have something wrong with my prostate, that would likely be worth reporting.”
David S. Szabo, a partner at Edwards, Angell, Palmer & Dodge in Boston, pointed out that the new regulation orders businesses to perform their own risk evaluations to determine whether someone has been harmed by a breach.
“What they’ve done here is created a requirement to do a kind of multi-fact analysis,” he said.
As an added pressure, Mittleman noted, the exact definition of “harm” is murky and will likely vary from patient to patient.
“Some people are really sensitive about this kind of thing,” he said.
To ease the transition, HHS will refrain from enforcing the rule until Feb. 10, 2010. After that, companies will be forced to live in a world in which the loss of a medical file or a laptop computer will require them to make a daunting set of decisions that could expose them to civil and criminal penalties.
An unintended side effect of the new rule might be a rise in the price of health care, noted Szabo.
“There absolutely are going to be some administrative costs,” he said.
Further, the notification requirement will do little to tangibly help a patient once his or her private information has been released.
“If someone sent me a notice today that my protected health information had been breached, what am I going to do with it?” Mittleman asked. “Nothing. As an individual person, the only thing I’m probably going to do is get an upset stomach.”
Szabo agreed.
“I don’t know how you un-ring the bell,” he said.
Questions or comments should be directed to the editor at: reni.gertner@mamedicallaw.com