HIPAA Breach Notification Rule
On August 24, 2009, the Department of Health and Human Services ("HHS") published its interim final rule regarding the breach notification requirements applicable to covered entities and their business associates under HIPAA (the "Rule"). HHS was required to issue the Rule pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act, part of the American Recovery and Reinvestment Act of 2009 ("ARRA"). The effective date for compliance is September 23, 2009. However, HHS announced in the Rule that it would forego imposing sanctions for breaches occurring before February 22, 2010.
The Rule closely follows the proposed rule issued back in April 2009, but added the requirement that covered entities conduct a "risk assessment" to determine if the breach compromises the privacy or security of PHI and added several details regarding the notification process.
GENERAL RULE
The Rule requires covered entities to notify affected individuals and HHS in the event of a breach of unsecured protected health information ("PHI") that compromises the security or privacy of the PHI, unless an exception applies. Accordingly, in order to determine if notice is required under the Rule, a covered entity must make the following three determinations: (1) whether a breach of PHI occurred; (2) whether the PHI was unsecured; and (3) whether an exception applies.
Did a Breach Occur?
The Rule defines a "breach" as the "acquisition, access, use, or disclosure of PHI in a manner not permitted [by the HIPAA Privacy Rule] which compromises the security or privacy of the PHI." The Rule also indicates that the terms "acquisition" and "access" are encompassed within the current definitions of the terms "use" and "disclosure" under the Privacy Rule. Accordingly, the first step in determining whether notification is necessary is to determine whether a use or disclosure violates the Privacy Rule.[1]
Once it has been determined that a use or disclosure violates the Privacy Rule, it must next be determined whether the violation compromises the security or privacy of the PHI. The Rule provides that a violation compromises the security or privacy of PHI if the breach "poses a significant risk of financial, reputational, or other harm to the individual." This essentially requires covered entities and business associates to perform a risk assessment to determine the likelihood that a breach could cause harm to the individual. In conducting this risk assessment, HHS stated that a covered entity should consider the following factors:
- Who impermissibly used the PHI or to whom was the PHI impermissibly disclosed?
- What immediate steps were taken to mitigate the impermissible use or disclosure?
- Was the PHI returned prior to being accessed for an improper use?
- What type and amount of PHI was involved in the impermissible use or disclosure?
- Did the use or disclosure involve sensitive information such as information regarding a sexually transmitted disease, mental health or substance abuse?
If the risk assessment indicates that a violation of the Privacy Rule does not pose a significant risk of financial, reputational, or other harm to the individual, then no notification is required.
The Rule added another carve-out to the definition of "breach": if the PHI at issue was only a "limited data set" (containing no direct identifiers) and also did not include dates of birth or zip codes, then a wrongful use or disclosure of that PHI would not be considered a breach.
Was the PHI Unsecured?
The next step in the analysis is to determine whether the PHI that was used or disclosed in violation of the Privacy Rule was "unsecured." The Rule defines unsecured PHI as PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS. In the Rule, HHS specified the same technologies and methodologies as it had in the proposed rule, which are:
- Encryption of electronic data per National Institute of Standards and Technology ("NIST") standards;
- Destruction of electronic media per NIST standards; and
- Shredding or destruction of paper, film or other hard copy media.
Accordingly, if PHI is secured by one of the methods or technologies listed above, notification is not required under the Rule, even if the PHI was used or disclosed in violation of the HIPAA Privacy Rule.
Do Any Exceptions Apply?
The Rule clarified and reasserted the three exceptions contained in HITECH. Those exceptions are as follows:
- Unintentional acquisition, access, or use of PHI by a workforce member acting under the authority of a covered entity or business associate, if done in good faith and the information was not further used or disclosed;
- Inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, and the PHI was not further used or disclosed; and
- A disclosure of PHI where there is a good-faith belief by the covered entity or business associate that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
If any of these exceptions applies, notification is not required under the Rule. It is important to note that the covered entity or business associate has the burden of proof for showing that an exception applies in a given circumstance.
METHODS AND CONTENT OF NOTICE
A covered entity must notify affected individuals and HHS for all breaches under the Rule. Depending on the size of the group affected and the availability of contact information, media notice may also be required. All notifications must be given to the affected individual without "unreasonable delay," but no later than 60 days after discovery. A breach is considered discovered on the first day the breach is known, or by reasonable diligence would have been known, to the covered entity. Note that the Rule requires business associates to notify the covered entity under the same standard. Business associates are not required to provide the notifications themselves.
A covered entity must notify an affected individual via first-class mail at his or her last-known address or, if the individual has agreed to receive electronic notice, via e-mail. The Rule specifies that for deceased individuals, the covered entity must provide the notification to the individual's next of kin or personal representative.
The notice must contain at least the following elements, in plain language:
- A brief description of what happened, including the date of breach and the date of discovery of the breach;
- A description of the types of unsecured PHI involved in the breach (i.e., whether full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved);
- Any steps that individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the covered entity is doing to investigate the breach, to mitigate the harm to individuals and to protect against any further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, Web site, or postal address.
The Rule specifies that the above information may be given in separate notices, if necessary.
For breaches involving more than 500 residents, a covered entity must also notify prominent media outlets. In such instances, a covered entity must also notify HHS at the same time, in the manner and form to be prescribed on HHS's website. For breaches affecting fewer than 500 individuals, a covered entity is required to maintain a log of each breach and submit the log to HHS on an annual basis. The Rule specifies that such log must be submitted to HHS by March 1 of each year for breaches occurring during the previous calendar year.
In the event that a covered entity is required to provide notice to an individual for whom the covered entity does not have sufficient contact information, the covered entity must provide substitute notice. In cases where there are fewer than ten (10) such individuals, the Rule requires substitute notice through an alternative form of written notice, by telephone, or other means. For groups of 10 or more such individuals with insufficient contact information, substitute notice must be in the form of a posting on the covered entity's website or in major print or broadcast media. The Rule specifies that the postings must be "conspicuous" and the website posting must be for 90 days. The Rule specifies that covered entities are not required to provide substitute notice to the next of kin or personal representatives of deceased individuals.
ENFORCEMENT
Covered entities and business associates are required to comply with the Rule effective September 23, 2009. However, in the Rule, HHS stated that it will use its enforcement discretion and not impose sanctions for failure to provide the required notification for breaches occurring before February 22, 2010. During this initial time frame, HHS stated that it expects compliance and will work with covered entities through technical assistance and voluntary corrective action to achieve such compliance.
RECOMMENDATIONS
To prepare for the expected effective date of the Rule, covered entities and business associates should undertake the following steps:
- Adopt new or revise existing policies and procedures regarding identifying and responding to security breaches;
- Identify which types of PHI are "unsecured";
- Evaluate whether unsecured PHI can be made secure using approved technologies and methodologies;
- Review e-security for all PHI; and
- Create a process for breach response to ensure all breaches are appropriately handled in a timely fashion.
The Rule may be accessed at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
For additional articles on other HITECH changes to HIPAA, please see our "Impact Series" at www.hallrender.com/impact.
If you need additional information about this topic, please contact your regular Hall Render attorney or: Elizabeth Callahan-Morris at (248) 457-7854 or ecallahan@hallrender.com
[1] We note that in cases where notification is not required under the Rule, covered entities should still consider notification as a way to mitigate any harmful effect of a wrongful use or disclosure under the existing HIPAA Privacy Rule provisions on "mitigation."
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.