Government Health IT Features Manatt Partner in Final HIPAA Rule Article
"Q&A: On Remaining Ambiguities in the Final HIPAA Rule"
Government Health IT
January 21, 2013 - Government Health IT interviewed Manatt's Robert Belfort, a partner in the firm's Healthcare Division, for a special Q&A feature article discussing the omnibus HIPAA Privacy and Security final rule that the U.S. Department of Health and Human Services recently issued.
Government Health IT reports that the final rule answered some questions but failed to provide clear guidance on other issues, such as data breach notification. The publication's editor spoke to Belfort, who works with states and providers on health IT and related public policy issues, about the changes to data breach notification, alterations to patient privacy, and the lack of a bright line test.
When asked what main points he looked for in the final rule, Belfort said, "The one that will probably get the most attention is the definition of a breach. There's been a lot of controversy over the risk of harm standard. In the proposed rule there would be no breach unless there was significant risk of harm to the individual. [HHS] announced a while ago that they were rethinking that standard and in this rule they backed off the risk of harm standard and replaced it with an assessment of whether the improper disclosure compromised the privacy and security of protected health information, so basically the burden is on the covered entity to show that there's a low probability that the information has been compromised."
"There are two changes there. First, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, second, the burden of proof is clearly on the covered entity so if that can't be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach."
"HHS tried to navigate a middle ground between privacy advocates who were arguing that any improper disclosure should be treated as a breach and opponents in the industry who were basically okay with the risk of harm standard and wanted to retain that and HHS staked that middle ground between those two. So I think that's going to have a big impact on how incidents are assessed for breach notification purposes."
Belfort also addressed what the rule means for business associates of covered entities and why the common lost laptop scenario is not going to be any easier.