In the first part of this post, we briefly covered the four factors that must be considered when performing a risk assessment to determine the probability that exposed PHI has been compromised and in fact poses a risk to the affected population. This is a departure from the Interim Rule as it replaces the “risk of harm” standard. For the most part, the factors are straightforward but there are a few issues that CEs and BAs need to consider:
- The first factor is intended to help entities determine the probability that the PHI could be used in a manner adverse to the individual or otherwise used to further the unauthorized recipient’s own interests (similar to the previous risk of harm standard).
- For the second factor, use or disclosure to a person under a legal obligation to protect the information, such as another healthcare entity or a federal agency subject to the Privacy Act, would lower the probability that the PHI has been compromised.
- Determining the third factor may be as simple as the unauthorized recipient notifying the entity that they received the PHI in error, since the recipient would have to open and read the information to the extent that they recognized it was sent in error. However, in many instances, it is this third factor that will prove most vexing in the event of a potential data breach. An investigator’s ability to determine whether patient files left unattended in a public space for a period of time or PHI stored on a server found to be infected with malware were “actually acquired or viewed” often hinges on the investigator’s access to sources of affirmative evidence such as security camera footage, server access logs or firewall logs for the relevant time period. As before, if the available evidence confirms that the PHI was “acquired or viewed”, notification is required. However, under the new rule, absence of affirmative evidence of exposure is likely insufficient to rebut the presumption of PHI exposure. Instead, in order to avert notification, an entity must produce a forensic report based on available evidence concluding that such exposure did not occur. HHS reiterated that entities cannot delay notification in the hope that affirmative evidence will be found supporting the conclusion that no actual exposure occurred.
- Finally, for the mitigation factor, confidentiality agreements or similar formal assurances from the unauthorized recipient that information will not be further used or disclosed were given as an example of appropriate mitigation. The effectiveness of this form of mitigation obviously depends on the identity of the unauthorized recipient. While assurances from employees, affiliated entities, or BAs could be relied on, the Final Rule cautions that assurances from certain third parties may not be sufficient.
The Final Rule is available here and is effective March 26, 2013, with a 180-day grace period for entities to become compliant.
By Kroll Editorial Team