{"id":85,"date":"2013-04-29T22:47:31","date_gmt":"2013-04-30T02:47:31","guid":{"rendered":"http:\/\/sites.law.duq.edu\/juris\/?p=85"},"modified":"2013-09-04T22:44:26","modified_gmt":"2013-09-05T02:44:26","slug":"the-price-of-privacy-hipaas-new-rules-raise-questions","status":"publish","type":"post","link":"https:\/\/sites.law.duq.edu\/juris\/2013\/04\/29\/the-price-of-privacy-hipaas-new-rules-raise-questions\/","title":{"rendered":"The Price of Privacy: HIPAA\u2019s New Rules Raise Questions"},"content":{"rendered":"<figure id=\"attachment_86\" aria-describedby=\"caption-attachment-86\" style=\"width: 380px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/sites.law.duq.edu\/juris\/wp-content\/uploads\/2013\/09\/hippa-omnibus-rule2.Par_.0001.Image_.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-86\" alt=\"Photo courtesy of aafp.org\" src=\"http:\/\/sites.law.duq.edu\/juris\/wp-content\/uploads\/2013\/09\/hippa-omnibus-rule2.Par_.0001.Image_.jpg\" width=\"380\" height=\"285\" srcset=\"https:\/\/sites.law.duq.edu\/juris\/wp-content\/uploads\/2013\/09\/hippa-omnibus-rule2.Par_.0001.Image_.jpg 380w, https:\/\/sites.law.duq.edu\/juris\/wp-content\/uploads\/2013\/09\/hippa-omnibus-rule2.Par_.0001.Image_-300x225.jpg 300w\" sizes=\"auto, (max-width: 380px) 100vw, 380px\" \/><\/a><figcaption id=\"caption-attachment-86\" class=\"wp-caption-text\">Photo courtesy of aafp.org<\/figcaption><\/figure>\n<p style=\"text-align: center;\">by Lauren Gailey, Op-Ed Contest Participant<\/p>\n<div><\/div>\n<p>On January 17, 2013, the Department of Health and Human Services (HHS) unveiled a \u201cfinal omnibus rule\u201d intended to tighten the privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA).\u00a0 This rule, HHS declared, \u201cgreatly enhances a patient\u2019s privacy protections, provides individuals new rights to their health information, and strengthens the government\u2019s ability to enforce the law.\u201d\u00a0 
Even before its new regulations went into effect on March 26, however, the omnibus rule had an additional, unintended effect:\u00a0 it showed how far HHS has strayed from Congress\u2019 goal when it enacted HIPAA in 1996 to help employees maintain health insurance coverage when changing jobs.<\/p>\n<div><\/div>\n<div>The original privacy rules represented just one small section of HIPAA before HHS took over in 2000, and the agency has expanded its requirements ever since.\u00a0 The omnibus rule goes even further.\u00a0 It represents a major departure from the previous approach to when a breach\u2013the unauthorized use, access, or disclosure of a patient\u2019s protected health information (PHI)\u2013is reportable to HHS, the patient, or even the media.\u00a0 Under the proposed rules\u2019 standard, the need to report an <i>actual<\/i> breach depended on whether it was likely to harm the patient.\u00a0 The omnibus rule, however, <i>presumes<\/i> that PHI has been breached and is reportable unless an analysis of four factors\u2013the nature of the disclosure, the recipient of the PHI, whether the PHI was actually seen, and whether the disclosure was mitigated\u2013indicates otherwise.\u00a0 The net result is that, even when a breach is merely possible, health care providers must assume the worst-case scenario.<\/div>\n<div><\/div>\n<div>The omnibus rule seems to assume that every breach, no matter how slight, is inherently harmful until proven otherwise.\u00a0 According to its advocates, such a strict approach is necessary to protect patient privacy.\u00a0 From a philosophical standpoint, this goal is a noble one, but it raises the question:\u00a0 at what cost?<\/div>\n<div><\/div>\n<div>This question is not a rhetorical one.\u00a0 The administrative costs of the additional reporting necessitated by the omnibus rule\u2019s stricter standards are significant.\u00a0 Dealing with a large increase in the number of reportable incidents requires a larger bureaucracy staffed 
by more administrators.\u00a0 Those administrators will require more supervisors, and those supervisors will, in turn, require additional\u2013and highly paid\u2013upper-level managers.\u00a0 These increased personnel costs are far from negligible, especially when added to the expenses providers must incur in the name of having to report potential breaches, irrespective of whether those breaches caused any real harm or even occurred at all.<\/div>\n<div><\/div>\n<div>Where a breach may not have actually happened, or, even if it did, the affected patient experienced no harm as a result, another question arises:\u00a0 who cares?\u00a0 Where a patient has no \u201cskeletons in the closet\u201d to be revealed, a breach\u2013potential <i>or<\/i> actual\u2013is the very definition of <i>de minimis<\/i>.\u00a0 Even if the compromised PHI does contain a \u201cskeleton,\u201d if that skeleton never sees the light of day and no harm results to the patient, why expend additional resources to report it?<\/div>\n<div><\/div>\n<div>Another argument in favor of replacing the harm-based standard with the omnibus rule\u2019s stricter breach notification requirements\u2013the inherent value of the patient\u2019s reputation\u2013is unconvincing for similar reasons.\u00a0 This scenario is akin to the age-old proverbial question:\u00a0 If a tree falls in the forest, and no one is around to hear it, does it make a sound?\u00a0 If a breach occurs when, for example, a physician who is not treating a particular patient glances at the patient\u2019s chart out of academic curiosity, and the physician neither knows who the patient is nor thinks any less of him or her as a result, does this breach really need to be reported?<\/div>\n<div><\/div>\n<p>In 1884, the <i>Scientific American<\/i> concluded that the tree-in-the-forest question in fact had an answer:\u00a0 no.\u00a0 Because the definition of \u201csound\u201d involved the effect of sound waves on the eardrum, the article reasoned, the 
falling tree could <i>not<\/i> have made a sound without an ear for the sound waves to act upon.\u00a0 Merriam-Webster defines a person\u2019s reputation as his or her \u201cplace in public esteem or regard\u201d or \u201cgood name.\u201d\u00a0 It follows, then, that a person\u2019s reputation cannot be compromised when a breach has no public dimension, is not associated with any name at all by the unauthorized viewer of the PHI, and no one involved makes a value judgment as to the patient\u2019s \u201cesteem or regard.\u201d\u00a0 Like the tree-in-the-forest riddle, the answer to the HIPAA riddle\u2013\u201cDo harmless breaches need to be reported?\u201d\u2013is no.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>by Lauren Gailey, Op-Ed Contest Participant On January 17, 2013, the Department of Health and Human Services (HHS) unveiled a \u201cfinal omnibus rule\u201d intended to tighten the privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA).\u00a0 This rule, HHS declared, \u201cgreatly enhances a patient\u2019s privacy protections, provides individuals [\u2026] <\/p>\n<div class=\"clear\"><\/div>\n<p><a class=\"more_link clearfix\" href=\"https:\/\/sites.law.duq.edu\/juris\/2013\/04\/29\/the-price-of-privacy-hipaas-new-rules-raise-questions\/\" rel=\"nofollow\">Read 
More<\/a><\/p>\n","protected":false},"author":1,"featured_media":86,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,4],"tags":[],"class_list":["post-85","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-juris-blog","category-posts"],"_links":{"self":[{"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/posts\/85","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/comments?post=85"}],"version-history":[{"count":3,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/posts\/85\/revisions"}],"predecessor-version":[{"id":89,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/posts\/85\/revisions\/89"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/media\/86"}],"wp:attachment":[{"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/media?parent=85"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/categories?post=85"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sites.law.duq.edu\/juris\/wp-json\/wp\/v2\/tags?post=85"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}