Just when you thought you had heard the last about the Health Insurance Portability and Accountability Act (HIPAA), the Department of Health and Human Services (HHS) has promulgated new rules for notifying individuals when their protected health information has been breached. These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act (ARRA) of 2009. The regulations became effective in September.
The regulations require covered entities (health plans, healthcare clearinghouses, and healthcare providers) to promptly notify individuals affected by a breach, as well as the HHS secretary and the media in cases in which a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to HHS annually. Notably, breaches will be posted on the HHS Web site. The regulations also require business associates to notify covered entities with whom they work of breaches.
All Breaches Not Equal
Any impermissible acquisition, access, use, or disclosure of unsecured protected health information that compromises the security or privacy of the information triggers the new breach notification requirement. Health information is unsecured only if it is not encrypted or destroyed. Security or privacy is compromised when a breach poses a significant risk of financial, reputational, or other harm. To determine whether a significant risk of harm exists, a covered entity must document a fact-based assessment of the risk involved, including evaluation of:
- What happened to the information (e.g., Was a laptop stolen and never recovered or lost but subsequently found? Was an unauthorized access intentional or accidental?);
- The nature of the information (e.g., Did the information contain Social Security numbers and other data that could lead to identity theft? Did the information involve sensitive health information?);
- Steps that could mitigate the potential harm (e.g., call the recipient and request destruction of the information and confirmation); and
- The number of individual identifiers present in the information (e.g., Did the information have name, birth date, and Social Security number, or only a medical record number?).
Consequently, breaches that do not involve information that can be used to identify a specific individual are not reportable. Moreover, inadvertent breaches to other covered entities pose a low risk of harm. For example, if medical records are inadvertently faxed to the wrong pharmacy or other healthcare provider, there is low risk of harm because the recipient is independently required to comply with HIPAA.
Additionally, the regulations expressly exclude the following events from the definition of a breach:
- Unintentional, good-faith access by an employee or agent if the information has not been redisclosed. An example would be mail sent to or opened by the wrong staff member;
- Inadvertent disclosures among persons otherwise authorized to access protected health information within the same entity, provided the information is not redisclosed; and
- When an unauthorized recipient could not have retained the information (e.g., paperwork given to the wrong patient but returned immediately without being read).
In each of the examples above, a covered entity does not need to provide breach notification because a breach has not occurred under the regulations.
Unless law enforcement makes a written request for a covered entity to delay notification, covered entities must provide written notice to each individual affected by a breach as soon as possible but no later than 60 calendar days from discovery of the breach. Importantly, a covered entity is liable for appropriate notification if it knows, or should know, of a breach. Moreover, the knowledge of an employee is imputed to the employer. Further, business associates must notify covered entities of any breaches. Thus, policies and procedures should include training of a covered entity's workforce and ensuring business associates' compliance.