Privacy Practice Alert: HHS Issues Interim Regulation on HITECH Act's Security Breach Notification Requirements
On August 24, 2009, the Office of Civil Rights, U.S. Department of Health and Human Services (HHS) issued its interim final rule requiring notification of breaches of unsecured protected health information (PHI). The interim final rule imposes notification obligations on covered entities and business associates. (Pursuant to §13407 of the HITECH Act, the Federal Trade Commission has issued its Health Breach Notification Rule, which addresses security breach notification requirements for vendors and related entities of personal health records.) Covered entities are health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically. Business associates are persons (other than members of a covered entity's workforce) who, on behalf of a covered entity, perform or assist in the performance of functions or activities involving the use or disclosure of individually identifiable health information, or who provide other services to the covered entity (e.g., claims processing, legal services, and accounting services).
The effective date of the HHS interim final rule was September 23, 2009. Due to a statutory ambiguity in the HITECH Act, HHS will use its enforcement discretion and will not impose sanctions for failure to provide the required notification for breaches that are discovered before February 22, 2010. Between September 23, 2009 and February 22, 2010, covered entities are expected to comply and HHS will work with covered entities through technical assistance and voluntary corrective action.
What is a breach? Subject to certain exceptions, "breach" is the acquisition, access, use, or disclosure of PHI (in any format, not just electronic PHI) in a manner that is not permitted by the HIPAA Privacy Rule and that "compromises the security or privacy of the PHI" or, more specifically, in a manner that "poses a significant risk of financial, reputational, or other harm to the individual."
Therefore, in order for an acquisition, access, use, or disclosure of PHI to constitute a breach, it must first constitute a violation of the HIPAA Privacy Rule. If a violation of the HIPAA Privacy Rule has occurred, then the next inquiry is whether a use or disclosure "compromises the security or privacy of the PHI" which, as noted above, requires an inquiry into whether there is a significant risk of financial, reputational, or other harm to the individual. Finally, the covered entity must determine whether an exception applies.
When must the notice be provided? In the event of a breach of unsecured PHI, a covered entity must notify each individual whose unsecured PHI it believes has been or is reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach. Generally, the notification must be provided without unreasonable delay and, in any event, no later than sixty (60) days after discovery of the breach (or the date on which the breach would have been known to the covered entity by exercising reasonable diligence).
What information must the notice include? The notice must include the following:
• A brief description of the breach, including the date of the breach and the date that the breach was discovered, if known;
• A description of the types of unsecured PHI involved in the breach;
• Any steps that individuals should take to protect themselves from potential harm;
• A brief description of the covered entity's efforts to investigate the breach, to mitigate harm to individuals, and to protect against future breaches; and
• Contact information (i.e., toll-free telephone number, e-mail address, web site, or postal address) for individuals to obtain additional information.
Not only must a covered entity notify each individual whose unsecured PHI it believes has been or is reasonably believed to have been accessed, acquired, used, or disclosed as a result of a breach, but the covered entity must also notify HHS and may have to notify media outlets (see discussion below).
How must the notice be sent? Written notice must be provided by first class mail to each affected individual's last known address. E-mail notification is acceptable if the individual agrees. If the covered entity knows that the individual is deceased, notification may be provided to the individual's next of kin or personal representative. Substitute notice must be provided in the event that an individual's contact information is insufficient or out of date.
Are there any additional notice requirements? In the event that the breach involves the PHI of more than 500 residents of a state or jurisdiction, a covered entity is required to promptly notify prominent media outlets serving the state or jurisdiction (and, in any event, no later than 60 days after discovery). The interim final rule also requires notification to the HHS Secretary. Specifically, in the event that the breach involves 500 or more individuals, the covered entity must notify the HHS Secretary. For breaches involving fewer than 500 individuals, the covered entity must maintain a log or other documentation of the breach(es) and provide a notification to the HHS Secretary within 60 days of the end of each calendar year. Notification delays are permitted in the event that a law enforcement official notifies the covered entity or business associate that notification would impede a criminal investigation or damage national security.
Are there any additional compliance requirements? Covered entities must also comply with the following HIPAA Privacy Rule administrative requirements: provide workforce training; establish a complaint process; implement and apply workforce sanctions; refrain from intimidating or retaliating against individuals for exercising their rights under this rule; not require individuals to waive their rights as a condition of treatment, payment, enrollment in a health plan, or eligibility for benefits; implement policies and procedures to comply with the Rule; and maintain required documentation.
Susan H. Pauley
Chase Center - Second Floor
1000 Fifth Avenue, Suite 250
Huntington, WV 25701
304.526.8131
susan.pauley@steptoe-johnson.com
This alert is a periodic publication of Steptoe & Johnson PLLC and should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The content is intended for general information purposes only, and you are urged to consult your own lawyer concerning your own situation and any specific legal questions that you may have. For further information about these contents, please contact Steptoe & Johnson PLLC.