HIPAA Mandates PHI Breach Notification
Health care providers, health plans, and other entities covered under the Health Insurance Portability and Accountability Act (HIPAA) will soon be required to notify individuals when their unsecured protected health information (PHI) is breached. The U.S. Department of Health and Human Services (HHS) published an interim final rule with comment period Aug. 24, 2009, providing new regulations on the HIPAA breach notification requirements.
The new breach notification regulations should come as no surprise. “We knew they were coming,” Allen Killworth, J.D., of Bricker & Eckler LLP, said about the regulations. It is “not too much of a surprise” because they were written into the Health Information Technology for Economic and Clinical Health (HITECH) Act (the Act), part of the American Recovery and Reinvestment Act of 2009 (ARRA), enacted Feb. 17, 2009.
The Act defines “unsecured protected health information” as PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance. HHS has updated its guidance, specifying encryption and destruction as technologies and methodologies that render protected health information “unusable, unreadable, or indecipherable to unauthorized individuals.” In other words: secured.
Entities subject to HHS and Federal Trade Commission (FTC) regulations that secure health information as specified by the guidance, through encryption (see 45 CFR 164.304 for the definition of encryption) or destruction (such as paper shredding and media sanitization), fall within a “safe harbor” and are exempt from the breach notification requirements for that information. The safe harbor only holds if the decryption key was not itself compromised: the HHS guidance expects keys to be stored on a device or at a location separate from the data they protect, so a lost laptop whose disk encryption key is written on a sticker, or a database whose key sits in the same backup, does not qualify.
HIPAA covered entities and business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI must comply with the new breach notification regulations. A business associate that discovers a breach notifies the covered entity, which is then responsible for notifying the affected individuals.
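The following is an added illustration of what “secured” PHI looks like in practice; it is not code from the article or from HHS. It seals a record with AES-256-GCM, an authenticated mode, so that whoever ends up with the stored blob but not the key gets an error rather than readable data, and any tampering with the blob is detected. The record contents and the function names are constructed for the example; the key is generated separately precisely because the safe harbor evaporates if the key travels with the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewKey returns a fresh random AES-256 key. For the safe harbor to apply,
// this key has to live somewhere other than the media holding the
// ciphertext (an HSM, a key-management service, or at least a separate
// device), so that losing the media does not mean losing the key.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPHI seals one record with AES-256-GCM. The output layout is
// nonce || ciphertext || tag, so the blob carries everything needed to
// open it except the key. A fresh random nonce is drawn per record.
func EncryptPHI(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// DecryptPHI opens a blob produced by EncryptPHI. With the wrong key, or a
// blob that has been modified by even one bit, GCM authentication fails and
// an error is returned instead of plaintext.
func DecryptPHI(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed record")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("MRN=00012345;name=Jane Roe;dx=E11.9")
	blob, err := EncryptPHI(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d-byte blob\n", len(record), len(blob))

	// Scenario: the media holding blob is lost, but the key was stored
	// elsewhere. An attacker guessing or using another key gets an error.
	otherKey, _ := NewKey()
	if _, err := DecryptPHI(otherKey, blob); err != nil {
		fmt.Println("lost media without the key is unreadable:", err)
	}

	// The legitimate holder of the key recovers the record.
	plain, err := DecryptPHI(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)
}
```

Whether a given incident is a breach of unsecured PHI still turns on the facts: if the key was on the same lost device, or the attacker had credentials to the system that decrypts on demand, the data was not “unusable, unreadable, or indecipherable” to them and the notification analysis below applies.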
“Breach” is defined in the Act as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
The fact that the Act includes exceptions in this definition, essentially creating a “harm threshold,” is the biggest news and a welcome surprise, said Killworth of the Columbus, Ohio law firm.
As written, covered entities are responsible for determining whether an incident poses a “significant” risk of harm to the individual and so warrants notification. Covered entities will want to perform and document a risk assessment, says Killworth, answering questions such as: How much information was released; what was it; and can we get it back?
When a covered entity determines that unsecured PHI has been breached, it must notify affected individuals, HHS, and in some cases the media without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. Notification requirements are as follows:
- Send a written notice to the individual (or next of kin, if the individual is deceased) at the last known address by first-class mail, or by e-mail if the individual has agreed to electronic notice.
- When contact information is insufficient or out of date, provide substitute notice: a conspicuous posting on your Web site’s home page or through major print or broadcast media for the period set by the rule (90 days when 10 or more individuals cannot be reached directly).
- Telephone individuals when there is an imminent threat of misuse of their information; this supplements, but does not replace, the written notice.
- Notify prominent media outlets within the state or jurisdiction if a breach of unsecured PHI affects or is reasonably believed to affect more than 500 residents.
- Notify HHS immediately (at the same time as the individual notices) for breaches involving 500 or more individuals, and log all smaller breaches for an annual report to HHS.
HHS will also post on its Web site a list identifying each covered entity involved in a breach of unsecured PHI affecting more than 500 individuals.
Breach notifications must include:
- A brief description of what happened, including the date of the breach (if known) and the date it was discovered;
- A description of the types of unsecured PHI involved in the breach (e.g., name, address, Social Security number);
- The steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent a recurrence; and
- Contact information for individuals who wish to ask questions or obtain further information about the breach, which must include a toll-free number, e-mail address, Web site, or mailing address.
The HHS interim final rule is effective Sept. 23, 2009, but HHS will not impose sanctions for failures to notify for breaches discovered before Feb. 22, 2010. This gives covered entities the breathing room they need to get up to speed, Killworth said.
Note: The HHS guidance is not intended to instruct covered entities on how to prevent PHI breaches. For that, see the HIPAA Privacy and Security Rules, and National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1, “An Introductory Resource Guide for Implementing the HIPAA Security Rule.”