In August of 2009, the Department of Health and Human Services issued an interim final rule requiring that all HIPAA covered entities and their business associates develop notification requirements for a breach of unsecured protected health information (PHI). These new requirements are part of the Health Information Technology for Economic and Clinical Health Act (HITECH). In order to comply with the provisions, covered entities need to develop revised policies, assessment tools and notification processes specific to a breach of unsecured PHI.
The new regulations are designed to extend HIPAA's coverage to the increased use of electronic communication. Under the new provisions, when a breach occurs the covered entity must notify the individuals affected by the breach, the Secretary of HHS and, in certain circumstances, the media.
The fundamental issue in the new provisions centers on the difference between unsecured and secured PHI. PHI that is secured by encryption or has otherwise been rendered unreadable or unusable does not require notification if it is ultimately disclosed. PHI that is unsecured, and therefore may be readable or usable, does require notification as specified in the Act if it is subsequently disclosed. A breach is defined as the acquisition, use or disclosure of PHI which compromises the security and/or privacy of the information.
According to the rules, if a breach of unsecured PHI occurs, the covered entity must notify the individuals affected no later than 60 days from when the breach was discovered. The notification must include a description of what occurred, a description of what information was disclosed (social security numbers, addresses, etc.), steps the affected individuals should take to protect themselves, a description of what the covered entity is doing to reduce harm to the individuals and to prevent further disclosures and finally, relevant contact information for the covered entity (including toll-free telephone numbers) so that individuals may ask questions. The notification is required to be written.
In addition to notifying the affected individuals, covered entities are required to notify the Secretary of HHS. If the breach affected fewer than 500 individuals, the covered entity is required to maintain a log of the breach and any prior or subsequent breaches (for the prior year) and submit the information to the Secretary within 60 days of the end of the calendar year. If the breach affected more than 500 individuals, the covered entity must notify the Secretary within 60 days of discovery of the breach. HHS will post the names of covered entities involved in breaches affecting more than 500 individuals on its website.
If the breach involves more than 500 individuals, the covered entity is also required to notify the media outlets within the region or area where the breach occurred. The notice must contain the same information as provided in the notice to individuals. The notification also must occur within 60 days of discovery of the breach.
For business associates, the discovery of a breach on their part must be disclosed to the covered entity within 60 days after discovery. If the breach involves multiple covered entities, the business associate is required to notify each covered entity. Notification requirements on the part of the covered entity to affected individuals still apply; however, the time frames for providing such notice depend on whether the business associate was an agent or an independent contractor of the covered entity. For example, if the business associate is an agent of the covered entity, the discovery of the breach on its part is viewed in the rules as discovery on the part of the covered entity. In summary, in this case the rules for notification apply as if the covered entity itself discovered the breach (60 days from the date of discovery), even if the business associate/agent did not immediately communicate the discovery to the covered entity.
For health care providers who haven’t yet sought to comply with the new regulations, there is a bit of a breather: HHS will not enforce the sanctions provisions for any breaches that occurred prior to February 22, 2010. Complying with the “intent” of the new provisions will require health care providers to obtain new or updated business associate agreements with all related parties. The new agreements need to spell out the new notification requirements and the roles and responsibilities of the entities. In addition, providers should review and update their policies to conform with the notification requirements and the time frames specified for notification. Annual HIPAA training should reflect the new requirements, and it is advisable that some form of interim training occur to alert key staff to the new requirements.