Health Care Law Alert: HIPAA's Breach Notification Obligations Begin September 23, 2009


Beginning on September 23, 2009, HIPAA covered entities (health care providers, health plans, and health care clearinghouses) and business associates have new notification requirements for a breach of unsecured protected health information ("PHI"). This new HIPAA obligation arose from the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), enacted on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009. The U.S. Department of Health and Human Services ("HHS") issued an interim rule on August 24, 2009 implementing this requirement. The HITECH Act requires covered entities to notify individuals without unreasonable delay, and in no case later than 60 calendar days, after discovery that unsecured PHI of patients has been, or is reasonably believed to have been, inappropriately accessed, acquired, or disclosed in a breach. The new breach notification provisions are broader than the consumer breach laws of many states, and since HIPAA does not preempt state laws that are more stringent, covered entities face the added challenge of evaluating the notification requirements of state consumer breach laws against those in HIPAA to ensure compliance with both HIPAA and applicable state laws.

1. Determining Whether a Breach Occurred.

To determine whether a covered entity must notify patients of a breach, it must first determine whether a breach of unsecured PHI has occurred. "Unsecured PHI" is PHI in paper or electronic form that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology approved by HHS. The specified technologies and methodologies serve as a safe harbor, but are not required to be implemented. In April 2009, HHS issued guidance outlining encryption and destruction as the only two safe harbors (the "Safe Harbors") currently available for rendering PHI secure. See the HHS guidance for the specific Safe Harbor standards.

A "breach" is defined as the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of such information. "Compromise the security or privacy" of the PHI means an act that poses a significant risk of financial, reputational, or other harm to the individual. Determining whether a use or disclosure poses a significant risk of financial, reputational, or other harm to the patients will require entities to perform a risk assessment involving the consideration of various factors, including (i) to whom the information was impermissibly disclosed; (ii) the type and amount of PHI disclosed; and (iii) whether immediate mitigation steps are possible to reduce the risk, such as by obtaining the recipient's satisfactory assurance that the information will not be further used or disclosed. The covered entity and business associate will have the burden of demonstrating that notifications were made as required, so documentation of the entity's risk assessment is crucial. The HITECH Act and HHS regulations also exclude certain actions from the definition of breach, including any unintentional use of PHI by a workforce member, if made in good faith and within the course and scope of the employment or other professional relationship and such information is not further used or disclosed in violation of the HIPAA Privacy Rule (see 45 CFR § 164.402 for a complete list of the exceptions, collectively, the "Exceptions"). The Exceptions will likely cover a significant number of unintentional acts, such as patient records unintentionally accessed due to a mistyped medical record search. To rely on an Exception, covered entities and business associates should document that any misdirected PHI was reacquired by the covered entity or business associate, or destroyed to ensure that it is not further used or disclosed.

The following is offered as a starting point for determining whether a breach that triggers the HIPAA notice obligations has occurred:

(a) Determine whether the information used or disclosed is PHI. If it is not PHI, HIPAA is not implicated.

(b) If it is PHI, determine whether the use or disclosure was prohibited by the HIPAA Privacy Rule.

(c) If the use or disclosure is prohibited by the HIPAA Privacy Rule, determine how many patients' PHI was acquired, accessed, used, or disclosed; the circumstances surrounding the acquisition, access, use, or disclosure; and whether the PHI is in electronic or paper form.

(d) Next, determine whether any of the PHI meets a Safe Harbor.

(e) If a Safe Harbor is not met, determine whether the use or disclosure falls within one of the Exceptions discussed above.

(f) If an Exception is not met, determine whether the use or disclosure poses a significant risk of financial, reputational, or other harm to the patients.

If neither a Safe Harbor nor an Exception applies and the breach poses a significant risk of harm to the patient, the covered entity is responsible for notifying all patients whose unsecured PHI was involved in the breach. If the breach is discovered by a business associate, the business associate is responsible for notifying the covered entity, and the covered entity is required to notify patients. Regardless of whether the HIPAA breach notification obligations are triggered, however, covered entities are still obligated to comply with other HIPAA Privacy Rule standards, including mitigating any harmful effects from the use or disclosure of PHI and applying appropriate sanctions against workforce members who failed to comply with the covered entity's policies and procedures.

2. Notification Obligations if There Is a Breach.

If a patient's unsecured PHI is affected by a breach, or there is reason to believe a patient's unsecured PHI was affected, covered entities must send written notification via first-class mail to all affected patients. Business associates are obligated to notify the covered entity, but not the affected patients, after discovery of a breach of unsecured PHI; the covered entity is then required to notify the patients. The minimum content requirements for the notice to patients are set forth in the HHS regulations at 45 CFR § 164.404(c). If the covered entity has insufficient or out-of-date contact information for 10 or more patients affected by the breach, it must provide substitute notice as set forth in the HHS regulations.

In addition to contacting patients affected by a breach, covered entities must notify HHS and the media under certain circumstances. If the breach involves 500 or more patients, the covered entity must immediately notify HHS of the breach; if 500 or fewer patients are affected, the covered entity must keep a log of the breach and submit the log annually to HHS. HHS will post on its website a list of all entities involved in a breach of 500 or more patients. If the breach involves more than 500 residents of a state, the covered entity must also notify a prominent media outlet in the state about the breach.

Considerations: If you have not already done so, consider the following steps to address compliance with the new HIPAA breach notification obligations: (i) develop and implement training for all workforce members on identifying and reporting suspected or known breaches of unsecured PHI; (ii) draft or update policies and procedures to address and ensure compliance with the new breach notification obligations; (iii) review your business associate agreement to determine whether it should be amended to cover the business associate's obligation to report breaches of unsecured PHI to the covered entity and include appropriate indemnification provisions so that the covered entity is not left paying the costs for responding to a breach for which the business associate was responsible; and (iv) develop an internal process and identify stakeholders to evaluate potential breaches of unsecured PHI of which the covered entity or business associate becomes aware. Any process should take into account any current procedures for responding to existing state consumer breach notification requirements.
