HIPAA BREACH NOTIFICATION UPDATE
On August 19, 2009, the U.S. Department of Health and Human Services ("HHS") released an interim final rule implementing the breach notification provisions of the Health Information Technology for Economic and Clinical Health ("HITECH") Act, which was passed as part of the American Recovery and Reinvestment Act of 2009. While the new regulation takes effect September 23, 2009, HHS will not impose sanctions for failure to provide notifications for breaches discovered before February 22, 2010. The good news, therefore, is that covered entities have additional time to become compliant.
As explained further below, the HITECH breach notification law requires healthcare providers, health plans, and other covered entities subject to the Health Insurance Portability and Accountability Act ("HIPAA") to notify individuals promptly if their unsecured electronic health information has been breached. Prompt notification must also be made to the Secretary of HHS and the media when a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be annually reported to HHS. The rule further requires "business associates" of HIPAA covered entities to notify the covered entity of breaches by the business associate. Unlike covered entities, however, business associates are not required to notify individuals whose electronic health information has been breached.
The regulation contains two particularly important provisions:
- A "risk of harm" trigger on the duty to report breaches; and
- Clarification that encryption and destruction of protected health information ("PHI") in accordance with the guidance issued by HHS at 74 Fed. Reg. 19006 (April 27, 2009), although not required, means that the PHI will not be considered "unsecured" and, thus, will not be subject to the breach notification rules.
HHS developed this regulation after close consultation with the Federal Trade Commission ("FTC"), which has issued its own breach notification regulations that apply to vendors of personal health records and certain other entities not covered by HIPAA. Despite the consultation between the two agencies, the FTC has not adopted an explicit "risk of harm" threshold for notification.
OVERVIEW OF HITECH BREACH NOTIFICATION PROVISIONS
Although HIPAA previously imposed a duty to mitigate the effects of a breach of PHI, it did not require covered entities to notify affected persons. HITECH adds a provision requiring covered entities to notify individuals whose "unsecured PHI" has been or is reasonably believed to have been accessed, acquired, or disclosed as a result of a breach.
HITECH defines a "breach" as an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information. A breach does not include:
- any unintentional acquisition, access, or use of PHI by an employee or someone acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of employment or other professional relationship with the covered entity or business associate, and the PHI was not further acquired, accessed, used, or disclosed; or
- an inadvertent disclosure that occurs by an individual authorized to access PHI at a facility operated by a covered entity to another similarly situated individual at the same facility, so long as the PHI is not further acquired, accessed, used, or disclosed without authorization.
The breach notification provisions are only triggered if there is a breach of "unsecured PHI," which HITECH defines as PHI that is not secured through the use of a technology or methodology specified by HHS. The final rule reiterates previous guidance to the effect that encryption of electronic PHI and destruction of electronic or paper PHI in accordance with the standards set forth in the guidance create the functional equivalent of a safe harbor, and thus, absolve covered entities and business associates of the duty to provide notification of a breach.
The most important provision in the new regulation is the "risk of harm threshold," implemented, according to HHS, to avoid unnecessary notifications and to make its rule consistent with many state breach notification laws. The threshold limits the definition of a breach to those situations where there is a significant risk of financial, reputational, or other harm to the individual. By way of examples, HHS cites several situations that would not be a risk of harm, including instances in which: (1) impermissibly disclosed PHI (such as within a stolen or lost laptop) is returned prior to it being accessed or (2) a covered entity takes immediate steps to mitigate the harm of a breach, such as by obtaining the recipient's assurance that the information will not be further disclosed. HHS makes it clear, however, that a covered entity must conduct a risk assessment before concluding that a particular breach did not cause a risk of harm.
All required notifications must be made without "unreasonable delay" and in no case later than 60 days after the discovery of the breach. A breach is treated as "discovered" as of the first day the breach is known or reasonably should have been known to the covered entity or business associate. Business associates must notify covered entities of any breaches they have discovered, however, neither HITECH nor the regulation provides a timeline for such notification. The covered entity must then notify the affected individuals.
NEXT STEPS
Currently, 45 states have their own breach notification laws, which may have criteria and methods of notification that differ from HITECH's requirements. Thus, it is important to become familiar with your state's breach notification laws as well as HITECH's. Although HITECH preempts state law as to health information, many state laws encompass other "personal information." Therefore, if the breach included a social security number, for example, covered entities could be required to comply with both HITECH and the state law.
Note also, that HITECH requires business associates to inform the covered entity of a breach; however, it provides no timeline as to when this must be done. As the 60 day timeline for notification to individuals of a breach begins to run from the time the breach is first discovered by either the covered entity or business associate, covered entities may need to negotiate and include in their business associate agreements a timeframe within which the business associate must inform the covered entity of a breach.
Also, because compliance with the data encryption and data destruction standards is the functional equivalent of a safe harbor, covered entities should move now toward meeting those standards to secure their PHI.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
