by Lauren Gailey, Staff Writer (Op-Ed)
On January 17, 2013, the Department of Health and Human Services (HHS) unveiled a “final omnibus rule” intended to tighten the privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA). This rule, HHS declared, “greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”

Even before its new regulations went into effect on March 26, however, the omnibus rule had an additional, unintended effect: it showed how far HHS has strayed from Congress’ goal when it enacted HIPAA in 1996 to help employees maintain health insurance coverage when changing jobs.
The original privacy rules represented just one small section of HIPAA before HHS took over in 2000, and the agency has expanded its requirements ever since. The omnibus rule goes even further. It represents a major departure from the previous approach to when a breach–the unauthorized use, access, or disclosure of a patient’s protected health information (PHI)–is reportable to HHS, the patient, or even the media. Under the proposed rules’ standard, the need to report an actual breach depended on whether it was likely to harm the patient.

The omnibus rule, however, presumes that PHI has been breached and is reportable unless an analysis of four factors–the nature of the disclosure, the recipient of the PHI, whether the PHI was actually seen, and whether the disclosure was mitigated–indicates otherwise. The net result is that, even when a breach is merely possible, health care providers must assume the worst-case scenario.
The omnibus rule seems to assume that every breach, no matter how slight, is inherently harmful until proven otherwise. According to its advocates, such a strict approach is necessary to protect patient privacy. From a philosophical standpoint, this goal is a noble one, but it raises the question: at what cost?
This question is not a rhetorical one. The administrative costs of the additional reporting necessitated by the omnibus rule’s stricter standards are significant. Dealing with a large increase in the number of reportable incidents requires a larger bureaucracy staffed by more administrators. Those administrators will require more supervisors, and those supervisors will, in turn, require additional–and highly paid–upper-level managers. These increased personnel costs are far from negligible, especially when added to the expenses providers must incur in the name of having to report potential breaches, irrespective of whether those breaches caused any real harm or even occurred at all.
Where a breach may not have actually happened, or, even if it did, the affected patient experienced no harm as a result, another question arises: who cares? Where a patient has no “skeletons in the closet” to be revealed, a breach–potential or actual–is the very definition of de minimis. Even if the compromised PHI does contain a “skeleton,” if that skeleton never sees the light of day and no harm results to the patient, why expend additional resources to report it?
Another argument in favor of replacing the harm-based standard with the omnibus rule’s stricter breach notification requirements–the inherent value of the patient’s reputation–is unconvincing for similar reasons. This scenario is akin to the age-old proverbial question: If a tree falls in the forest, and no one is around to hear it, does it make a sound? If a breach occurs when, for example, a physician who is not treating a particular patient glances at the patient’s chart out of academic curiosity, and the physician neither knows who the patient is nor thinks any less of him or her as a result, does this breach really need to be reported?
In 1884, the Scientific American concluded that the tree-in-the-forest question in fact had an answer: no. Because the definition of “sound” involved the effect of sound waves on the eardrum, the article reasoned, the falling tree could not have made a sound without an ear for the sound waves to act upon. Merriam-Webster defines a person’s reputation as his or her “place in public esteem or regard” or “good name.” It follows, then, that a person’s reputation cannot be compromised when a breach has no public dimension, is not associated with any name at all by the unauthorized viewer of the PHI, and no one involved makes a value judgment as to the patient’s “esteem or regard.” Like the tree-in-the-forest riddle, the answer to the HIPAA riddle–“Do harmless breaches need to be reported?”–is no.