On January 17, 2013, the Department of Health and Human Services (HHS) unveiled a “final omnibus rule” intended to tighten the privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA). This rule, HHS declared, “greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.” Even before its new regulations went into effect on March 26, however, the omnibus rule had an additional, unintended effect: it showed how far HHS has strayed from Congress’ goal when it enacted HIPAA in 1996 to help employees maintain health insurance coverage when changing jobs.
The original privacy rules represented just one small section of HIPAA before HHS took over in 2000, and the agency has expanded its requirements ever since. The omnibus rule goes even further. It represents a major departure from the previous approach to when a breach–the unauthorized use, access, or disclosure of a patient’s protected health information (PHI)–is reportable to HHS, the patient, or even the media. Under the proposed rules’ standard, the need to report an actual breach depended on whether it was likely to harm the patient. The omnibus rule, however, presumes that PHI has been breached and is reportable unless an analysis of four factors–the nature of the disclosure, the recipient of the PHI, whether the PHI was actually seen, and whether the disclosure was mitigated–indicates otherwise. The net result is that, even when a breach is merely possible, health care providers must assume the worst-case scenario.
The omnibus rule seems to assume that every breach, no matter how slight, is inherently harmful until proven otherwise. According to its advocates, such a strict approach is necessary to protect patient privacy. From a philosophical standpoint, this goal is a noble one, but it raises the question: at what cost?
This question is not a rhetorical one. The administrative costs of the additional reporting necessitated by the omnibus rule’s stricter standards are significant. Dealing with a large increase in the number of reportable incidents requires a larger bureaucracy staffed by more administrators. Those administrators will require more supervisors, and those supervisors will, in turn, require additional–and highly paid–upper-level managers. These increased personnel costs are far from negligible, especially when added to the expenses providers must incur in the name of having to report potential breaches, irrespective of whether those breaches caused any real harm or even occurred at all.
Where a breach may not have actually happened, or, even if it did, the affected patient experienced no harm as a result, another question arises: who cares? Where a patient has no “skeletons in the closet” to be revealed, a breach–potential or actual–is the very definition of de minimis. Even if the compromised PHI does contain a “skeleton,” if that skeleton never sees the light of day and no harm results to the patient, why expend additional resources to report it?
Another argument in favor of replacing the harm-based standard with the omnibus rule’s stricter breach notification requirements–the inherent value of the patient’s reputation–is unconvincing for similar reasons. This scenario is akin to the age-old proverbial question: If a tree falls in the forest, and no one is around to hear it, does it make a sound? If a breach occurs when, for example, a physician who is not treating a particular patient glances at the patient’s chart out of academic curiosity, and the physician neither knows who the patient is nor thinks any less of him or her as a result, does this breach really need to be reported?
In 1884, the Scientific American concluded that the tree-in-the-forest question in fact had an answer: no. Because the definition of “sound” involved the effect of sound waves on the eardrum, the article reasoned, the falling tree could not have made a sound without an ear for the sound waves to act upon. Merriam-Webster defines a person’s reputation as his or her “place in public esteem or regard” or “good name.” It follows, then, that a person’s reputation cannot be compromised when a breach has no public dimension, is not associated with any name at all by the unauthorized viewer of the PHI, and no one involved makes a value judgment as to the patient’s “esteem or regard.” Like the tree-in-the-forest riddle, the answer to the HIPAA riddle–“Do harmless breaches need to be reported?”–is no.