On August 19, 2009, the federal Department of Health and Human Services (HHS) issued the interim final rule regarding notification of breaches of unsecured protected health information under the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The rule refines and narrows key concepts in a manner that will limit the notification obligations of covered entities. In connection with the rule, HHS also updated its April 17, 2009, guidance specifying the technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals, and therefore exempt from the notice requirements.
Background: ARRA Adds Breach Notice Requirement to HIPAA
The American Recovery and Reinvestment Act (ARRA) made several changes to HIPAA, including the addition of a requirement that covered entities give notice to individuals of breaches of unsecured protected health information that compromise the privacy or security of the information. In addition, if the breach involves 500 or more individuals, the covered entity must immediately give notice to HHS and a prominent media outlet.
Business associates are also subject to a notification requirement, although they must notify the covered entity rather than the individual.
Rule Effective for Breaches Discovered 30 Days From Publication
ARRA required HHS to issue an interim final rule on the notification requirement within 180 days of the February 17, 2009, enactment date. The rule will be effective for breaches discovered on or after 30 days from publication of the rule in the Federal Register.
With an expected publication date of August 24, 2009, the rule would take effect September 23, 2009. However, HHS has stated that the first six months after the rule takes effect will be a compliance-oriented enforcement period during which HHS will not impose sanctions for violations of the rule, but will instead work with covered entities through technical assistance and voluntary corrective actions.
Key Refinements Made to Notification Obligations
Breaches Involve Privacy Rule Violations. ARRA defines a breach as the "unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of the protected health information." The rule refines that concept by stating that a breach occurs only if the protected health information is acquired, accessed, used or disclosed in a manner not permitted under the existing HIPAA privacy regulations. If the access, use or disclosure is unauthorized but is nonetheless permitted by the HIPAA privacy regulations, no reportable breach occurs.
Significant Risk of Harm. The rule also clarifies that the privacy and security of protected health information is compromised and the notification requirement is triggered only if the acquisition, access, use, or disclosure of the information poses a significant risk of financial, reputational, or other harm to the individual. The covered entity or business associate therefore must conduct a risk assessment to determine whether there is a significant risk to the individual. Factors to consider include who impermissibly used or obtained the information, the type of information involved, whether the covered entity took immediate steps that eliminated or reduced the risk of harm, and whether the information was returned prior to being used for an improper purpose.
Limited Data Sets. A limited data set is partially de-identified protected health information from which direct identifiers such as names and street addresses have been removed, but which may still contain dates and ZIP codes. The rule provides that limited data sets remain subject to the breach notification requirement unless they also exclude the individuals' ZIP codes and birth dates. Unauthorized acquisition, access, use or disclosure of a limited data set that includes ZIP codes or birth dates therefore requires notice if the other requirements for notice apply.
Uses Within a Covered Entity, Business Associate or OHCA. An inadvertent disclosure by a person authorized to access protected health information at a covered entity, business associate or organized health care arrangement (OHCA) to another person at the same entity who is also authorized to access protected health information is not a breach, provided that any further acquisition, access, use or disclosure of the information complies with the HIPAA privacy regulations.
Notice Requirements. The rule also refines the requirements for providing notice. Among other things:
- Notices should be written in plain language.
- Notices should not include a listing of the actual protected health information that was breached, such as Social Security numbers.
- Notices should inform the individual how to mitigate harm to the individual.
- Notices involving minors, incapacitated persons and deceased persons may be made to their personal representatives.
- Substitute notice is used when the covered entity lacks sufficient or current contact information for an individual. For breaches involving fewer than 10 such individuals, substitute notice may be given by an alternative form of written notice, by telephone, by email or by other means.
- Covered entities providing substitute notice to 10 or more individuals must post the notice conspicuously on their website or in major print or broadcast media, and must maintain a toll-free telephone number for at least 90 days.
Notice to Media. There is no uniform definition of a prominent local media outlet. Depending on circumstances, an appropriate media outlet may include a local newspaper or a major general interest newspaper with a daily circulation throughout an entire state. Notices to the media must supplement individual notices provided to the affected individuals. HHS expects that most notices to the media will take the form of a press release.
Burden of Proof. When an impermissible acquisition, access, use or disclosure of unsecured protected health information occurs, covered entities and business associates have the burden of demonstrating, as appropriate, either that no notice was required or that notice was properly given. In addition, covered entities and business associates must exercise reasonable diligence in attempting to determine whether a breach has occurred. Covered entities must document their risk assessments and notifications.
Preemption. Like other provisions of the HIPAA privacy regulations, the rule will preempt contrary state law. HHS was careful to note that state law is contrary only if a covered entity would find it impossible to comply with both the state and HIPAA requirements. It is anticipated that in most circumstances, covered entities will be able to comply with applicable state security breach notification laws as well as the HIPAA security breach notification rule.
Security Guidance. HHS affirmed that the only method to render electronic protected health information unusable, unreadable, or indecipherable to unauthorized persons is encryption, and the guidance points to NIST publications as the benchmark for acceptable encryption processes. Access controls and firewalls are helpful, but do not meet this standard. HHS also added detail concerning encryption methods and the storage of encryption keys, which should be kept on devices separate from the information they encrypt or decrypt; a lost or stolen device that holds both the ciphertext and its key is no better protected than one holding plaintext. In the non-electronic context, HHS stated that only destruction of paper records, and not redaction, will satisfy the requirements to avoid breach notification.
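The key-separation point above, as an added example that is not part of the rule or the HHS guidance: records are encrypted onto one device while the key lives only on another, and a check reports which records count as exposed when a given set of devices is lost. The Device, store_phi and exposed_records names are hypothetical, the patient record is constructed sample data, and the cipher is a standard-library-only construction (HMAC-SHA256 keystream with an encrypt-then-MAC tag) chosen so the example runs anywhere; production systems should use a NIST-approved AEAD such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets

# Added example, not from the HHS rule or guidance. Stdlib-only cipher:
# HMAC-SHA256 keystream in counter mode plus an encrypt-then-MAC tag.
# Use a NIST-approved AEAD (e.g. AES-GCM) from a vetted library in production.

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """PRF blocks HMAC(key, nonce || counter), concatenated and truncated."""
    blocks, counter, total = [], 0, 0
    while total < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        blocks.append(block)
        total += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(master):
    """Derive independent encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"phi-encrypt", hashlib.sha256).digest()
    mac = hmac.new(master, b"phi-authenticate", hashlib.sha256).digest()
    return enc, mac


def encrypt(master, plaintext):
    """Return nonce || ciphertext || tag. Without `master` the output is indecipherable."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master, blob):
    """Verify the tag before decrypting; reject altered data or a wrong key."""
    enc_key, mac_key = _subkeys(master)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext altered or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class Device:
    """A storage location (laptop, file server, key server). Hypothetical model."""

    def __init__(self, name):
        self.name = name
        self.keys = {}     # key_id -> master key (only populated on a key-holding device)
        self.records = {}  # record_id -> (key_id, encrypted blob)


def store_phi(data_device, key_device, record_id, plaintext):
    """Encrypt a record onto data_device; the key is written only to key_device."""
    key_id = "k-" + secrets.token_hex(4)
    master = secrets.token_bytes(32)
    key_device.keys[key_id] = master
    data_device.records[record_id] = (key_id, encrypt(master, plaintext))
    return key_id


def exposed_records(lost_devices):
    """Records whose ciphertext AND key are both on lost devices.

    Those are the 'unsecured PHI' a notice duty can attach to. Ciphertext whose
    key stayed on a device that was not lost remains 'secured' under the
    guidance and falls outside the notice requirement.
    """
    lost_keys = {key_id for d in lost_devices for key_id in d.keys}
    exposed = [rid for d in lost_devices
               for rid, (key_id, _) in d.records.items() if key_id in lost_keys]
    return sorted(exposed)


if __name__ == "__main__":
    laptop, key_server = Device("laptop"), Device("key-server")
    record = b"Jane Doe, DOB 1970-01-01, dx: hypertension"  # constructed sample record
    store_phi(laptop, key_server, "rec-1", record)
    print("laptop lost alone:", exposed_records([laptop]))                       # []
    print("laptop and key server lost:", exposed_records([laptop, key_server]))  # ['rec-1']
```

The same check flags the anti-pattern the guidance warns against: calling store_phi with the same Device as both data and key holder makes that one device's loss expose every record on it, exactly as if it had held plaintext.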
Affected Organizations Will Need to Act Quickly
As noted above, the rule applies to breaches that are discovered 30 or more days after the rule's publication. Affected organizations must act quickly to implement the rule. Steps to take include the following:
- Identify unsecured protected health information within the organization.
- Decide whether, and if so how, to secure protected health information so as to avoid the possibility of having to provide breach notifications.
- Develop policies and procedures regarding securing protected health information.
- Develop policies and procedures for breach notifications, including guidelines for determining whether a breach that requires notice has occurred.
- Assign responsibility for drafting and approving breach notices.
- Revise business associate agreements to address breach notice obligations.
- Train workforce members regarding the new breach notice requirements and document the training.