HIPAA Regulations: The Administrative Requirements: Mitigation - § 164.530(f)
As Contained in the HHS HIPAA Rules
HHS Regulations |
Standard: mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.
HHS Description The Administrative Requirements: Mitigation |
In proposed § 164.518(f), we would have required covered entities to have policies and procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information in violation of the requirements of this subpart. The NPRM preamble also included specific language applying this requirement to harm caused by members of the covered entity's workforce and business associates.
With respect to business associates, the NPRM preamble but not the NPRM rule text, stated that covered entities would have a duty to take reasonable steps in response to breaches of contract terms. Covered entities generally would not be required to monitor the activities of their business associates, but would be required to take steps to address problems of which they become aware, and, where the breach was serious or repeated, would also be required to monitor the business associate's performance to ensure that the wrongful behavior had been remedied. Termination of the arrangement would be required only if it became clear that a business associate could not be relied upon to maintain the privacy of protected health information provided to it.
In the final rule, we clarify this requirement by imposing a duty for covered entities to mitigate any harmful effect of a use or disclosure of protected health information that is known to the covered entity. We apply the duty to mitigate to a violation of the covered entity's policies and procedures, not just a violation of the requirements of the subpart. We resolve the ambiguities in the NPRM by imposing this duty on covered entities for harm caused by either members of their workforce or by their business associates.
We eliminate the language regarding potential breaches of business associate contracts from this section. All other requirements with respect to business associates are stated in § 164.504.
HHS Response to Comments Received The Administrative Requirements: Mitigation |
Comments: A few commenters felt that any duty to mitigate would be onerous, especially for small entities. One commenter supported an affirmative duty to mitigate for employees of the covered entity , as long as there is no prescribed mitigation policy. One commenter stated that a requirement for mitigation is unnecessary because any prudent entity would do it.
Some practitioner organizations as well as a health plan, expressed concern about the obligation to mitigate in the context of the business associate relationship. Arguing that it is unnecessary for the regulation to explicitly extend the duty to mitigate to business associates, commenters noted that: any prudent entity would discipline a vendor or employee that violates a regulation; that the matter is best left to the terms of the contract, and that it is difficult and expensive for a business associate to have a separate set of procedures on mitigation for each client/provider. One commenter suggested that the federal government should fund the monitoring needed to administer the requirement.
Response: Eliminating the requirement to mitigate harm would undermine the purposes of this rule by reducing covered entities' accountability to their patients for failure to protect their confidential data. To minimize burden, we do not prescribe what mitigation policies and procedures must be implemented. We require only that the covered entity mitigate harm. We also assume that violations will be rare, and so the duty to mitigate harm will rarely be triggered. To the extent a covered entity already has methods for mitigating harm, this rule will not pose significant burden, since we don't require the covered entity to follow any prescribed method or set of rules.
We also modify the NPRM to impose the duty to mitigate only where the covered entity has actual knowledge of harm. Further reducing burden, the rule requires mitigation "to the extent practicable." It does not require the covered entity to eliminate the harm unless that is practicable. For example, if protected health information is advertently provided to a third party without authorization in a domestic abuse situation, the covered entity would be expected to promptly contact the patient as well as appropriate authorities and apprize them of the potential danger .
The harm to the individual is the same, whether the privacy breach was caused by a member of the covered entity's workforce, or by a contractor. We believe the cost of this requirement to be minimal for covered entities that engage in prudent business practices for exchanging protected health information with their business associates.
Comment: A few commenters noted that it is difficult to determine whether a violation has resulted in a deleterious effect, especially as the entity cannot know all places to which information has gone and uses that have been made of it. Consequently, there should be a duty to mitigate even if a deleterious effect cannot be shown, because the individual has no other redress.
Response: As noted above, this provision only applies if the covered entity has actual knowledge of the harm, and requires mitigation "to the extent practicable." The covered entity is expected to take reasonable steps based on knowledge of where the information has been disclosed, how it might be used to cause harm to the patient or another individual, and what steps can actually have a mitigating effect in that specific situation.
Comments: Commenters stated that the language of the regulation was in some places vague and imprecise thus providing covered entities with insufficient guidance and allowing variation in interpretation. Commenters also noted that this could result in inconsistency in implementation as well as permitting such inconsistency to be used as a defense by an offending entity. Particular language for which at least one commenter requested clarification included "reasonable steps" and what is entailed in the duty to mitigate.
Response: We considered ways in which we might increase specificity, including defining "to the extent practicable" and "reasonable steps" and relating the mitigating action to the deleterious impact. While this approach could remove from the covered entity the burden of decision-making about actions that need to be taken, we believe that other factors outweighed this potential benefit. Not only would there be a loss of desirable flexibility in implementation, but it would not be possible to define "to the extent practicable" in a way that makes sense for all types of covered entities. We believe that allowing flexibility and judgment by those familiar with the circumstances to dictate the approach is the best approach to mitigating harm.