Just when you thought you had heard the last about the Health Insurance Portability and Accountability Act (HIPAA), the Department of Health and Human Services (HHS) has promulgated new rules for notifying individuals when their protected health information has been breached. These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act (ARRA) of 2009. The regulations became effective in September.
The regulations require covered entities (health plans, healthcare clearing houses, and healthcare providers) to promptly notify individuals affected by a breach, as well as the HHS secretary and the media in cases in which a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to HHS annually. Notably, breaches will be posted on the HHS Web site. The regulations also require business associates to notify covered entities with whom they work of breaches.
All Breaches Not Equal
Any impermissible acquisition, access, use, or disclosure of unsecured protected health information that compromises the security or privacy of the information triggers the new breach notification requirement. Health information is unsecured only if it is not encrypted or destroyed. Security or privacy is compromised when a breach poses a significant risk of financial, reputational, or other harm. To determine whether a significant risk of harm exists, a covered entity must document a fact-based assessment of the risk involved, including evaluation of:
- What happened to the information (e.g., Was a laptop stolen and never recovered or lost but subsequently found? Was an unauthorized access intentional or accidental?);
- The nature of the information (e.g., Did the information contain Social Security numbers and other data that could lead to identity theft? Did the information involve sensitive health information?);
- Steps that could mitigate the potential harm (e.g., call the recipient and request destruction of the information and confirmation); and
- The number of individual identifiers present in the information (e.g., Did the information have name, birth date, and Social Security number, or only a medical record number?).
Consequently, breaches that do not involve information that can be used to identify a specific individual are not reportable. Moreover, inadvertent breaches to other covered entities pose a low risk of harm. For example, if medical records are inadvertently faxed to the wrong pharmacy or other healthcare provider, there is low risk of harm because the recipient is independently required to comply with HIPAA.
Additionally, the regulations expressly exclude the following events from the definition of a breach:
- Unintentional, good-faith access by an employee or agent if the information has not been redisclosed. An example would be mail sent to or opened by the wrong staff member;
- Inadvertent disclosures among persons otherwise authorized to access protected health information within the same entity, provided the information is not redisclosed; and
- When an unauthorized recipient could not have retained the information (e.g., paperwork given to the wrong patient but returned immediately without being read).
In each of the examples above, a covered entity does not need to provide breach notification because a breach has not occurred under the regulations.
Unless law enforcement makes a written request for a covered entity to delay notification, covered entities must provide written notice to each individual affected by a breach as soon as possible but no later than 60 calendar days from discovery of the breach. Importantly, a covered entity is liable for appropriate notification if they know, or should know, of a breach. Moreover, the knowledge of an employee is imputed to an employer. Further, business associates must notify covered entities of any breaches. Thus, policies and procedures should include training of a covered entity’s workforce and ensuring business associates’ compliance.
While there is not a prescribed form for notice, the regulations do require some specific elements, including:
- Description of the breach and the dates, if known;
- Description of the protected health information involved;
- Steps the affected individual should take to protect themselves (e.g., cancel credit cards);
- Description of the steps being taken by the covered entity; and
- Contact information to obtain more information, which must include a toll-free telephone number, e-mail or postal address, or Web site.
If 10 or more individuals are involved for which the entity does not have adequate contact information, notice can be accomplished by a conspicuous posting on the entity’s Web site for at least 90 days, or a posting in print or broadcast media. In either case, an active toll-free telephone number where individuals can find out if they were affected must be available for 90 days.
If a breach involves more than 500 people from any one state, notification must include prominent media outlets. Moreover, the covered entity must notify the HHS secretary at the time notice is provided to affected individuals. Breaches involving fewer than 500 individuals must be reported annually through the Office of Civil Rights Web site.
Sanctions and Penalties
HHS is required to audit, investigate, and impose civil monetary penalties for offenses resulting from willful neglect. Fortunately, HHS has indicated that it will not be imposing sanctions for unintentional violations of the notification requirements until March. This gives providers some time to implement the necessary processes. Nonetheless, it is important to implement compliance processes now, as the penalties for noncompliance can be severe. Under the new law, penalties are tiered based on knowledge, and are capped at $1.5 million annually.
For more information about HIPAA, visit www.hhs.gov/ocr/privacy. TH
Patrick T. O’Rourke works in the Office of University Counsel at the University of Colorado Denver. Kari Hershey is a public relations consultant with Budman & Hershey, LLC, in Denver.