
A Publication of Pepper Hamilton LLP

Health Care Law Update

The Breach Notification Provisions of the HITECH Act

Wednesday, April 29, 2009

Current HIPAA regulations require covered entities to identify and respond to suspected or known security incidents and to mitigate, to the extent practicable, the harm caused by incidents of which the covered entity is aware. Covered entities also must document security incidents and their outcomes. But the security rule does not require entities to notify affected individuals of a breach, and many state and federal breach notification laws exempt entities that comply with HIPAA. As a result, under HIPAA itself a covered entity has no legal obligation to notify anyone when personal information, including protected health information (PHI), is lost or stolen in a breach.

The HITECH Act changes this by adding breach notification requirements that apply to covered entities and business associates that access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose unsecured PHI. A breach is defined as an

unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information…

A breach does not include the unintentional acquisition, access or use of PHI by an employee or other individual acting under the authority of a covered entity when made in good faith and within the course and scope of employment or another professional relationship, provided there is no further acquisition, access or use of the information. Nor does it include an inadvertent disclosure of PHI within the same facility operated by a covered entity or business associate when the disclosure is from one individual to another and both are authorized to access the PHI.

The term "unsecured" essentially means unencrypted. Under the HITECH Act, PHI is "unsecured" when it is not protected by a technology or methodology that renders it unusable, unreadable or indecipherable to unauthorized individuals. The qualifying encryption technologies and methodologies are to be specified in guidance issued by the secretary of the U.S. Department of Health and Human Services (HHS); absent that guidance, they must meet standards developed or endorsed by the American National Standards Institute. The practical consequence is that encrypting PHI at rest and in transit, with the keys kept separate from the data, takes a lost laptop or backup tape outside the notification requirement altogether.

Discovery of a Breach

A breach is treated as "discovered" by a covered entity or business associate on the first day on which the breach is known to the entity or associate, or on which it reasonably should have known the breach had occurred. Knowledge is imputed to the organization: a breach is known to the entity or associate as soon as it is known to any person, other than the individual committing the breach, who is an employee, officer or other agent of the covered entity or business associate. Unless delayed at the request of law enforcement, notification must be prompt and in no case later than 60 calendar days after discovery of the breach.

Breaches Involving a Covered Entity

Following the discovery of a breach, a covered entity that knows or reasonably believes that unsecured PHI has been accessed, acquired or disclosed as a result of the breach must notify each affected individual. The notice from a covered entity must include:

  • a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
  • a description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number or disability code)
  • the steps an individual should take to protect themselves from potential harm resulting from the breach
  • a brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches, and
  • contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, a Web site or a postal address.

Notice may be provided in several ways. Ordinarily, written notification is sent by first-class mail or, if the individual has agreed to it, by e-mail. If contact information is insufficient or out of date for 10 or more individuals, substitute notice may be provided, either by a conspicuous posting on the home page of the covered entity's Web site or through major print or broadcast media. When possible imminent misuse of unsecured PHI creates urgency, individuals may also be notified by telephone or other appropriate means. In addition, when a breach is likely to have involved more than 500 individuals, notice must also be provided to prominent media outlets.

Breaches involving more than 500 individuals must be reported immediately to the HHS secretary and will be posted on the agency's Web site. Breaches involving fewer than 500 individuals are to be logged by the covered entity and the log submitted to the secretary annually. The secretary, in turn, will report annually on all reported breaches to specified congressional committees.

Breaches Involving a Business Associate

The current security rule already requires a business associate to report to the covered entity any security incident of which it becomes aware. The HITECH Act provision is similar: following the discovery of a breach, a business associate must notify the covered entity of the breach. That notice must identify each individual whose unsecured PHI has been (or is reasonably believed by the business associate to have been) accessed, acquired or disclosed during the breach, so that the covered entity can in turn notify the affected individuals within the 60-day period.

Regulations and Effective Date

Interim final regulations on breach notification are to be published no later than August 16, 2009. The provisions become effective, and apply to any breach occurring, 30 days after publication of the regulations, which is expected to be September 15, 2009.

Getting Ready for the New Notification Requirements

To prepare for the new breach notification requirements, covered entities and business associates should begin by reviewing and updating their existing security incident procedures. These procedures should name the persons responsible for handling incidents involving breaches and clearly describe each person's responsibilities during a breach, including:

  • methods for providing internal notification of a suspected breach, since the 60-day clock starts when any employee or agent learns of it
  • steps for taking compromised servers and computers off-line while preserving evidence (for example, imaging disks and retaining logs before systems are rebuilt)
  • breach investigation, including forensic examination of affected computers to establish whether a breach occurred, identifying its likely causes, and obtaining the names and contact information of the people potentially affected
  • internal assessment of the breach and the steps needed to better prevent future incidents
  • analysis of the relevant laws to determine the appropriate response and the potential liability created by the breach, including potential litigation, agency investigations and actions by applicable attorneys general
  • preparation of the notices, including choosing the appropriate method of notice (i.e., written or substitute notice) and drafting the content of the individual notice, the public notice (to the HHS secretary and, where applicable, the media) and, when applicable, the notice from a business associate to the covered entity
  • steps for delivering the breach notifications
  • methods for responding to inquiries about the breach and other public relations needs, and
  • procedures for responding to litigation or agency investigations.

Written by M. Peter Adler

The material in this publication is based on laws, court decisions, administrative rulings and congressional materials, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.

Copyright © 2010 Pepper Hamilton LLP