HIPAA Breach Notification for Unsecured Protected Health Information - Regulations Issued
September 10, 2009
The American Recovery and Reinvestment Act of 2009 (ARRA) amended the Health Insurance Portability and Accountability Act (HIPAA), imposing new and more stringent requirements that broaden and enhance the impact of the HIPAA security and privacy rules on health care providers, business associates, and other organizations that provide services to covered entities.
Among the changes ARRA introduced is the requirement that covered entities notify individuals affected by a specific security breach. Generally, individuals must be notified via first class mail (or by telephone in urgent situations). However, if an individual cannot be contacted directly, other postings or media notices may be required. ARRA also requires that business associates notify the covered entity of any breach of unsecured protected health information (unsecured PHI). Finally, ARRA requires the Secretary of Health and Human Services (Secretary) to post on its Web site a list of covered entities that experience breaches of PHI involving more than 500 individuals.
ARRA delegated to the Secretary the task of issuing further regulatory action to implement the new requirements. The Secretary issued the interim final rule for notification of breaches of unsecured PHI, which was published on August 24, 2009 and becomes effective on September 23, 2009. However, during the first six months (until March 2010), enforcement of the new requirements will be directed only at increasing compliance, by providing technical assistance and encouraging self-corrective actions. The Secretary will not impose penalties during this initial period.
The obligation to provide notice of a breach of unsecured PHI is only triggered if all of the following conditions are met:
- A breach has occurred. The interim final rule defines breach as the acquisition, access, use, or disclosure of protected health information in a manner not permitted by the HIPAA privacy rules (subpart E of Section 164 of Title 45 of the Code of Federal Regulations); but only if the breach compromises the security and privacy of the PHI.
- A significant risk exists. The final rule states that a breach compromises the security or privacy of PHI if it poses a significant risk of financial, reputational, or other harm to the individual.
- The PHI is unsecured. The final rule deems unsecured any information which has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology (e.g., encryption) specified by the Secretary in previously issued guidance in compliance with ARRA.
The interim final rule also provides that there will be no breach if:
- The acquisition, access, or use of PHI is unintentional by a workforce member or a person acting under the authority of a covered entity or business associate (if in good faith, within the scope of authority and no further use or disclosure of PHI occurs in a manner not permitted by HIPAA).
- The disclosure is done inadvertently, by a person who is authorized to access PHI at a covered entity or business associate, to another person authorized to access the PHI at the same covered entity or business associate (if no further use or disclosure of PHI occurs in a manner not permitted by HIPAA).
- The disclosure of PHI occurs and a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not have reasonably been able to retain the PHI.
Notice to Individuals. Individuals must be notified of any breach of their unsecured PHI without unreasonable delay, but in no event later than 60 calendar days after the breach is first discovered, or would have been known to the covered entity had reasonable diligence been exercised.
The notice to individuals must be in writing and in plain language. It should describe the circumstances of the breach (including when it occurred and when it was discovered); include a list of mitigating actions to reduce the harm that could result to the affected individuals; and provide contact information at the covered entity or business associate for directing questions or requesting additional information (which must include a toll-free telephone number, an e-mail address, a Web site, or a postal address), among other required content. It may be provided by first-class mail, or by e-mail where the individuals have previously agreed to e-mail notification. If the covered entity does not have sufficient contact information for 10 or more individuals who were affected by the breach, it must provide notice to major print or broadcast media outlets or post notice on its Web site for at least 90 days.
Notice to HHS. If the breach involves more than 500 individuals, HHS must be notified at the same time the affected individuals are notified, so that HHS can post notice of the breach on its Web site. Otherwise, HHS should be notified annually. Covered entities must maintain a log of such breaches and submit it to HHS.
Notice by Business Associates. A business associate must also notify the covered entity of any breach of unsecured PHI. To the extent possible, the business associate should identify the individuals who have been, or are reasonably believed to have been, affected by the breach. Such notice should be given without unreasonable delay, but no later than 60 days following the discovery of the breach.
Policies, Procedures, Training and Sanctions. A covered entity must implement policies and procedures, or revise existing policies and procedures, to comply with the standards, implementation specifications and requirements of the new rule. All members of the covered entity's workforce must be trained on the policies and procedures in effect. Covered entities must also have and apply appropriate sanctions against members of their workforce who fail to comply with the policies and procedures.