On August 24, 2009, the Department of Heath and Human Services (“HHS”) published its highly anticipated guidance on the requirement to provide notification of breaches of unsecured protected health information, which was enacted under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act part of the American Recovery and Reinvestment Act of 2009 (“ARRA”). As discussed in our April 2009 issue, the HITECH Act mandated the Secretary of HHS to issue guidance on this notification requirement within 180 days of the HITECH Act’s enactment. Accordingly, this new guidance, issued in the form of an interim final rule (the “interim rule”) with a request for comments on the rule, clarifies this requirement for HIPAA-covered entities and their business associates that access, maintain, retain, modify, record, store, destroy or otherwise hold, use, or disclose “unsecured PHI.” The interim rule also updates earlier guidance issued on April 17, 2009, which specified the kind of information that is considered “unsecured protected health information” and, therefore, subject to this new notification requirement.
Because the interim rule (45 CFR Parts 160 and 164, § 164.400 et seq.) takes effect September 23, 2009, covered entities — including health plans, healthcare clearinghouses, and healthcare providers — that transmit health information electronically (and their business associates) will need to act quickly to ensure compliance. Comments on the interim rule may be submitted to the Department of Health and Human Services, Office for Civil Rights on or before October 23, 2009. The following summarizes the key provisions of the interim rule.
Clarification on the Meaning of “Unsecured PHI”
The HITECH Act states that the requirement to provide breach notification only applies if the breach involves “unsecured PHI.” PHI is individually identifiable information that is transmitted or maintained in any form or medium, including electronic information. Under the HITECH Act, unsecured PHI is defined as PHI that is not secured by technology or methodology that renders the PHI unreadable, unusable or indecipherable to unauthorized individuals. On April 17, 2009, HHS released guidance that explained the acceptable methods to secure PHI for purposes of the new notification requirement. The guidance listed and described encryption and destruction as the technologies and methodologies for rendering PHI unreadable, unusable or indecipherable to unauthorized individuals. The new guidance includes some of the following clarifications:
- Redaction, in lieu of destruction, is not an acceptable method to secure paper-based PHI
- If encryption is used to secure PHI, the encryption keys must be kept on a separate device from the data being encrypted or decrypted
Additional guidance regarding data storage on enterprise-level storage devices is expected to be issued in updates to this guidance.
We note that the preamble to the interim rule also clarifies that the rule does not require covered entities to implement encryption as a method for safeguarding electronic PHI. Covered entities are only required to consider implementing encryption as a method for safeguarding electronic PHI to comply with the HIPAA Security Rule.
Clarification on the Meaning of “Breach”
Under the HITECH Act, “breach” is defined as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” This new guidance provides several important clarifications and additions to this definition of “breach.”
First, the guidance clarifies that the reference to “unauthorized” acquisition, access, use, or disclosure of PHI means an impermissible use or disclosure of PHI under the HIPAA Privacy Rule. The guidance further emphasizes that not all violations of the HIPAA Privacy Rule will constitute a “breach.” Instead, in the event of a HIPAA Privacy Rule violation, the covered entity must determine if the violation also constitutes a breach that triggers the notification requirements.
Second, the guidance states that the security or privacy of the protected health PHI will be considered compromised only if it “poses a significant risk of financial, reputational, or other harm to the individual.” To determine if this significant harm threshold is met, covered entities must perform a risk assessment of the impermissible use or disclosure. In conducting a risk assessment, the guidance states that covered entities should consider the following factors, among others:
- Who impermissibly used the information or to whom the information was impermissibly disclosed
- Whether immediate steps were taken to mitigate an impermissible use or disclosure such that the risk of harm to the individual is less than a “significant risk”
- Whether impermissibly disclosed PHI is returned before being accessed for an improper purpose
- Whether the type and amount of PHI impermissibly used or disclosed poses a significant risk of financial, reputational, or other harm
While this significant harm threshold narrows the definition of “breach,” covered entities and business associates will have to cope with increased administrative requirements in performing risk assessments for each potential breach, as the guidance requires such assessments to be documented.
Third, the guidance clarifies that limited data sets, a form of partially de-identified PHI that excludes 16 direct identifiers like Social Security numbers, names and addresses, are subject to the breach notification requirements unless they also exclude dates of birth and zip codes.
Finally, the guidance modifies the exceptions to the notification requirement provided in the HITECH Act:
- Exception for Unintentional AccessUnder the HITECH Act, the notification requirement will not apply if there is an unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a covered entity or business associate, if done in good faith and within the scope of authority. The guidance modifies the exception by expanding its application to “workforce members” and not just “employees.” Workforce members are “employees, volunteers, trainees, and other persons whose conduct in the performance of work for a covered entity is under the direct control of such entity, whether or not they are paid by the covered entity.” Therefore, covered entities are afforded slightly broader protection under this guidance than originally provided under the HITECH Act.
- Exception for Inadvertent DisclosureUnder the HITECH Act, a “breach” does not occur for notification purposes if an individual who is authorized to access PHI at a covered entity or business associate inadvertently discloses the information to another person authorized to access PHI at the same covered entity or business associate. The guidance broadens the exception to also encompass inadvertent disclosures that are made to another authorized person in an organized healthcare arrangement in which the covered entity participates.
- Exception Where Disclosed PHI Would Not Reasonably Be RetainedAs initially enacted, a disclosure of PHI would not constitute a breach if an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. HHS slightly modified this language to except disclosures where a covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure of PHI was made would not reasonably have been able to retain the information, e.g., where a number of explanations of benefits were sent to the wrong individuals and were returned by the post office, unopened, as undeliverable. In this instance, the covered entity can conclude that the improper addressees could not reasonably have retained the information.
With any of the above exceptions, the covered entity bears the burden of proof to show why the breach notification was not required. Therefore, covered entities must carefully document any actions the fall within the exceptions above and why the applicable exception applies.
Notification Requirements in the Event of a Breach
Once a covered entity or business associate discovers that a breach has occurred, the notification requirement is triggered. Generally, notification must be provided to the following:
- Affected individuals
- The media, if 500 or more residents of a state or jurisdiction are affected
- The Secretary of HHS
- The covered entity, if the breach is discovered by the business associate
First and foremost, a covered entity is required to inform affected individuals about the breach “without reasonable delay,” but in no event later than 60 after the breach is discovered or should have been discovered by using reasonable diligence. Note that the 60-day period runs from the time of discovery or when the breach should have been discovered. This 60-day timeframe is not a safe harbor, but rather an outer limit for providing notice. In other words, if HHS discovers an unreasonable or intentional delay within the 60-day timeframe, the covered entity may be found in violation of the interim rule. Accordingly, covered entities should implement procedures to discover potential security breaches and train workforce members to identify and report possible security breaches.
The notice must be written in plain language, may be sent via first-class mail or email (provided the individual has agreed to electronic notice and has not withdrawn such agreement), and must include:
- a brief description of what happened, including the date of the breach and the date of the discovery of the breach (if known);
- a description of the types of unsecured PHI that were involved in the breach;
- any steps the individuals should take to protect themselves from potential harm;
- a brief description of what the covered entity is doing to investigate the breach, to mitigate harm to the individuals and protect against further breaches; and
- contact procedures for questions, including a toll-free number, email address, website or postal address.
In the event the covered entity knows that the affected individual is deceased, the notice must be sent to the next of kin or personal representative of the individual, if an address is available. Also, where the contact information for the affected individual is out of date or unavailable for 10 or more individuals, the interim rule requires the covered entity to provide substituted notice for a period of 90 days through a posting on the covered entity’s website homepage, or a conspicuous notice in major print or broadcast media in the geographic area where the affected individuals might reside. This substituted notice must also contain the content listed above and include a toll-free phone number for affected individuals to call for additional information.
If a breach involves 500 or more residents of a state or jurisdiction, the covered entity must notify a major media outlet of the breach within 60 days of the discovery of the breach. Media notification is intended only to supplement the individual notice described above, not to replace it. Also, media notification is only required if 500 or more residents of the same state or jurisdiction are affected. For example, if 200 residents of California, 200 residents of Colorado and 200 residents of New York are affected, media notification would not be required.
Notification to the Secretary of HHS is required regardless of the number of individuals affected. For breaches involving 500 or more individuals, regardless of their place of residency, the covered entity must notify the Secretary immediately, but no later than 60 days after the discovery of the breach. Where the breach affects fewer than 500 individuals, the covered entity is only required to keep an annual log of any breaches. The covered entity must provide HHS with the log no later than 60 days following the end of the calendar year to which the log relates. Instructions for notifying the Secretary of breaches will be posted on the HHS website.
Notification of a Breach by the Business Associate to the Covered Entity
Finally, business associates — which include third party administrators, claims processing or billing companies, transcription companies, pharmacy benefit managers, legal counsel, and actuarial, accounting or management services of a covered entity — have an obligation to inform the covered entity of a breach without unreasonable delay, but no later than 60 days from the date the business associate discovers the breach or should have discovered the breach. The interim rule specifically requires business associates to provide the covered entity (to the extent possible) with the identity of each individual whose unsecured PHI has been or is reasonably believed to have been used, accessed, acquired, or disclosed during the breach, and any other available information that the covered entity is required to include in the notification. Upon receiving notice of a breach from the business associate, the covered entity must provide the required notification referenced above (if applicable).
Covered Entities Must Take Immediate Action to Comply
As mentioned above, the interim rule will take effect on September 23, 2009. Although HHS has stated in the preamble to the interim rule that it will not impose sanctions for any failure to provide notification for breaches discovered before 180 calendar days from the publication of the interim rule on August 24, 2009 (February 22, 2010), affected organizations should act immediately to ensure compliance including, but not limited to, updating policies and procedures and the notice of privacy practices, training employees and other applicable workforce members on these requirements, and revising business associate agreements.
Please contact us if you need assistance in reviewing your PHI security procedures and in developing procedures to comply with this new guidance.