Many cloud companies have taken the view that they are not business associates under HIPAA, but some of them now will be, Belfort asserts. The rules change the definition of a BA to include any entity that maintains protected health information. An Internet service provider, such as a cloud company, is not a BA if it does not maintain or at times access PHI, but acts as a conduit with data just passing through, he explains. “But a company that maintains data is a BA even if it doesn’t access the data. I think that will have implications for the cloud industry.”
The rules also have important changes to marketing definitions affecting pharmaceutical firms, Belfort says. HIPAA previously permitted subsidized marketing, meaning a drug firm could pay pharmacies to send out information about its drug. The information would be sent under the pharmacy name but paid for by the drug company. Now, pharma-subsidized communications by drug stores are permitted only to encourage treatment adherence--to alert consumers to refill a drug they are currently taking, which could include notification of its generic substitutes.
New changes also prohibit use of clinical data to send fundraising solicitations to patients. A hospital under previous rules could use demographic data gathered when a patient was in the hospital, but not data about services or the patient’s doctor. However, there is a carrot thrown to the hospitals--a department, such as the oncology unit, may send a fundraising letter to a patient with the letter signed by the patient’s physician. “This will give more flexibility to non-profit community hospitals,” Belfort says.
The revamped breach notification rule gives a new standard for when a breach must be reported, but could be confusing, Belfort notes. The existing “harm threshold,” which determined whether financial, reputational or other harm to an individual would compel reporting, is replaced with a requirement to conduct a risk assessment on the probability of data being compromised.
So, the target has changed--from focusing on harm to focusing on data compromise--but the factors to consider under either threshold remain similar, Belfort believes. Under the new rules, a breach need not be reported if a risk assessment determines a “low” probability of data compromise. Federal officials made the change to adopt a more objective criterion for breach reporting, but it remains a matter of interpretation as to what it means for data to be compromised, he says.
So, there remains no “bright line” on what constitutes a reportable breach, and judgment calls will continue to be made, according to Belfort. He does believe, however, that a risk assessment standard will result in more breaches being reported than would otherwise have been under the harm threshold.