With two important new security breach notification rules issued in recent days, the health care industry and its business partners now face an entirely new federal environment for disclosure of security breaches. Through these two rules, the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) have reshaped requirements for disclosure of information—to individuals, the government and even the media—related to security breaches in an enormous range of settings. While these rules postpone enforcement for a short time against those who fail to fully meet these new notification obligations, health care entities and the wide range of companies providing services to these entities need to use this time wisely—to begin to meet their compliance obligations, to evaluate how they will meet the substantial challenges presented by these rules and to determine how they can take steps to improve overall security for the protection of health care information.
HITECH Act Provisions
These new rules stem from the substantial new privacy and security provisions of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), as incorporated in the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5). As a component of the wide-ranging "economic stimulus" provisions, Congress determined that, because of its interest in providing economic incentives to health care providers to implement electronic medical records, it needed to establish "improved" privacy and security rules for the health care industry, where most rules have nothing to do with electronic health records. For a general description of these HITECH changes, see Nahra, "A New HIPAA Era Emerges," Privacy In Focus (March 2009), available here.
One of the most significant provisions of the HITECH Act focuses on notification to individuals in the event of information security breaches. Expanding on the wide range of state laws addressing security breach notification, Congress, for the first time, enacted a national provision on breach notification for the health care industry alone. This new breach reporting requirement is the first significant national security breach reporting statute. While following the lead of the state notice laws, the federal HITECH provision is much broader, because it: (1) applies to breaches involving any kind of personal information held by health care companies (rather than only specific categories—such as Social Security numbers), and (2) does not include a clear and explicit "risk of harm" threshold.
The breach notification legislation includes specified "exceptions"—potentially significant but very limited. Critically, the breach notification obligation applies only where information is "unsecured." The term "unsecured protected health information" in the new notice provisions means "protected health information that is not secured through the use of a technology or methodology specified by the Secretary" and "protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute." The HHS implementing regulations confirm that the idea of "secured" information includes both "encrypted" information, meeting certain technical standards, and "destroyed" information. This exception should motivate companies to pursue new and expanded means of encrypting their customer information.
The HITECH Act includes several additional exceptions, which serve mainly to emphasize the breadth of the breach notification requirements. For example, the statute creates an exception where the unauthorized recipient "would not reasonably have been able to retain the information." Stakeholders have been struggling to identify situations where this exception would apply.
The HITECH breach notification provisions have triggered substantial concern in the health care industry. They also have created additional (and perhaps unanticipated) burdens to revise Health Insurance Portability and Accountability Act (HIPAA) business associate agreements on a faster timetable than the law otherwise envisioned. Specifically, because business associates are required to report breaches to covered entities, and because the breach provisions apply to breaches that occur 30 days or more after the implementing regulation is issued, while the rest of the law is not effective until February 2010, many companies feel compelled to revise their business associate agreements on an accelerated timetable to establish specific reporting frameworks.
The HITECH Act required promulgation of the two new regulations. First, Congress required HHS to adopt a specific rule for HIPAA-covered entities and their business associates, defining and explaining the requirements related to breach notification. Second, Congress required the FTC to promulgate a breach notification rule for entities in the "personal health records" marketplace, many of which are not otherwise covered by HIPAA.
The FTC Rule
The FTC was the first out of the box, issuing its regulation on August 17, 2009. This regulation is available here. The FTC regulation focuses on two kinds of entities: (1) vendors of personal health records (companies that provide online repositories that people can use to keep track of their health information) and (2) entities that offer third-party applications for personal health records (the FTC's examples included devices such as blood pressure cuffs or pedometers whose readings consumers can upload to their personal health records).
Much of the FTC's rule addresses jurisdiction. The FTC made clear that its focus was on companies that are outside of HIPAA coverage. In fact, the FTC rule made clear that (with very limited exceptions) the FTC's jurisdiction extends only to entities that are not subject to HHS jurisdiction, so that companies only face one regulator for these issues and consumers will receive only one notice in the event of a security breach.
What Are the Other Key Components of the FTC's Rule?
Clear Jurisdictional Separation from HHS
The FTC's rule applies only to a limited class of entities—those participating in the personal health records marketplace and not covered by HIPAA. This breach notification rule represents the first step in the regulation of these entities—with a future study by the FTC and HHS required to consider a broader set of restrictions on their activities.
No Help on Preemption
The FTC discussed the potential confusion arising from state security breach notification laws, but made no effort to preempt these laws. Accordingly, entities covered by the FTC rule must comply with both that rule and any relevant state breach laws. Given the web-based business model of most personal health record vendors, this dual compliance obligation seems likely to remain a substantial source of complications when breaches occur.
A Distinction between "Access" and "Acquisition"
The FTC's rule creates a rebuttable presumption that unauthorized access to personal health record information leads to the unauthorized acquisition of that information, but provides the opportunity for regulated entities to demonstrate that the unauthorized access did not in fact lead to improper acquisition (e.g., a laptop is stolen but a forensic analysis indicates that the laptop password was not breached and no information was viewed).
No Additional "Risk of Harm" Threshold
Other than this "access/acquisition" distinction, the FTC did not read into the legislation any additional "risk of harm" threshold. Instead, in the context of web-based personal health record vendors, the FTC rule requires notice in any situation where there has been unauthorized access and the entity cannot demonstrate that no acquisition took place.
The FTC rule is effective for breaches that take place 30 days after publication in the Federal Register. That publication occurred on August 25 (74 Fed. Reg. 42,962 et seq.), and the rule's stated effective date is September 24, 2009. However, the FTC was sympathetic to industry concerns about the effects of this rule. Accordingly, while it expects full compliance with the rule after 30 days, it has indicated that it will use its enforcement discretion not to seek penalties for compliance failures until a period that is 180 days after the publication of the rule—or five additional months from the compliance date. The stated full enforcement date is February 22, 2010.
The HHS Rule
The HHS regulation (developed by the HHS Office of Civil Rights (OCR), the enforcement agency for the HIPAA Privacy and Security Rules) was issued on August 19, 2009, as an "Interim Final Rule." The rule is available here. It was published in the August 24 Federal Register (74 Fed. Reg. 42,740 et seq.). The stated effective date is September 23, 2009. HHS will be accepting comments on this rule for a 60-day period ending October 23, 2009.
According to Robinsue Frohboese, Acting Director and Principal Deputy Director of OCR, "[t]his new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information."
While the FTC rule applies to a relatively limited set of entities, the HHS rule applies across the health care industry, to all HIPAA-covered entities and their business associates. The bulk of the rule deals with the details of notice—relating to timing, the content of the notice and communication to HHS and media about breaches. Beyond these points—which are important but are relatively "technical" once breaches occur—what are the most significant elements of the HHS rule?
While companies will be parsing the details of the HHS rule (and the extensive commentary that accompanies the rule), there are several components that stand out as critical issues for the near future.
No Expansion of the "Secured" Concept
Under HITECH, breach notification is required only for breaches involving "unsecured" information. In its proposed rule, HHS identified encryption and "destruction" of information as appropriate means of securing information such that the notification "safe harbor" would not require reporting. In the final regulation, HHS reviewed and then rejected various additional means of securing information. Accordingly, to take advantage of this safe harbor, companies must encrypt or destroy information. While other security measures may be effective to reduce any risk of a breach in the first place, they will not, by themselves, result in application of this safe harbor.
HHS Implemented a "Risk of Harm" Threshold
One of the biggest concerns stemming from the HITECH provision was that companies would be required to provide notice in situations where there was no risk of any harm actually resulting from a disclosure. Covered entities worried about the costs and other consequences of disclosing breaches that had no effects, and there was also concern that recipients of these notices would be confused or alarmed by receiving a notice that seemed to describe a "no impact" situation.
Relying on the HITECH language concerning notification in situations where a breach "compromised" the privacy or security of health information, and taking a different approach from the FTC, HHS implemented a realistic and responsible "risk of harm" threshold, requiring notice in situations where the incident "poses a significant risk of financial, reputational, or other harm to the individual." The burden of determining that there is no significant risk falls on the covered entity, which otherwise is responsible for notifying the affected individual.
Compliance Is Required Promptly, but Enforcement Is Postponed for 180 Days
Like the FTC, HHS also has recognized many of the concerns about the reporting timetable. Accordingly, while HHS is requiring compliance with this provision on the statutory timetable (30 days after publication of the rule in the Federal Register), it also will utilize its enforcement discretion not to issue penalties for failure to meet these standards until February 22, 2010. This gives covered entities and business partners an additional five months to prepare for full enforcement of this rule.
Next Steps for the Health Care Industry
Now that these rules have been published, the health care industry—including not only HIPAA-covered entities but also personal health record vendors and all of their business associates—must begin aggressive efforts to meet the substantial requirements of these regulations. On the whole, despite some important and reasonable steps taken by HHS in this regulation, we can expect the requirement for notification to apply in a wide range of situations. What should companies be doing now to address these issues?
Taking Advantage of Safe Harbors
While HHS and the FTC did not expand the "secured" safe harbor, this safe harbor is still an important and useful opportunity not only to protect the security of information but also to avoid the need to notify individuals in the event of a breach. Accordingly, companies should investigate promptly whether they can implement or expand their encryption programs. At the same time, companies should review their information retention requirements, to determine if additional stores of information should be destroyed.
Using Your Time Wisely
Both the FTC and HHS have recognized that significant efforts are needed to comply with these regulations. Accordingly, affected businesses will not face penalties for a failure to meet these requirements until February 22, 2010. It is critical for companies to understand, however, that compliance with these regulations is expected as of September 23 or 24, 2009. Companies should not view this enforcement delay as an excuse not to review and address breaches during this interim period. Instead, companies should act aggressively to identify breaches, ascertain the relevant notice issues and develop appropriate protocols for notification. In addition, and perhaps most significantly, companies should be paying substantial attention to the areas where breaches have in fact occurred, so that steps can be taken to reduce or eliminate future breaches of those types.
Planning for the Notification Process
As a corollary to using this enforcement hiatus wisely, companies need to develop notification protocols—focusing on reporting procedures, distribution of notification information, development of communications strategies and identification of appropriate notification channels. Because HHS and the FTC expect notice to be provided "as soon as reasonably possible," companies need to be able to swiftly investigate apparent breaches, determine whether they must be reported and, if so, implement appropriate notification approaches. These steps all take time—and planning ahead will be critical.
Focusing on Documentation
While the "risk of harm" threshold reflects an important opportunity for HHS-regulated entities to avoid giving notice in certain situations, a critical factor will be documented analysis of whether a risk of significant harm is actually presented. As HHS makes clear in the regulation commentary, affected entities will need to develop appropriate documentation supporting their decisions. As with the required elements of the HIPAA Security Rule, where appropriate documentation is a critical component of effective compliance, covered entities will need to place a significant premium on documenting their analysis of potential breaches, not only for compliance purposes but also in the event of a challenge, by HHS, the FTC, a state Attorney General or an affected individual.
Working on Your Business Associate Relationships
Companies also need to move promptly to implement this rule with business associates. While business associates must comply with these notification provisions directly, the ultimate notification responsibility falls on the covered entity. Accordingly, particularly for "significant" business associates, covered entities should consider not only expanded business associate contract language, but also potential training and/or educational materials, as well as additional analysis to ensure that business associates are effectively protecting information and disclosing—as soon as possible—breaches that may trigger notification requirements.
Last but not least, health care companies and their business partners also should use these regulations as a vehicle for improving their overall security practices. The primary purpose of the notification requirements is to provide information to individuals in the event of a security breach. As both the FTC and HHS made clear in the regulations, a related and equally important purpose of the notification obligations—particularly the media and HHS obligations—is to motivate companies to improve their overall security practices. Companies should use these regulations as an opportunity to do just that—to evaluate their overall information security practices, to identify weak links in these practices, to determine areas where breaches have occurred and to evaluate whether feasible steps can be taken to prevent such breaches. While companies may be able in some circumstances to determine that there is no significant risk of harm, the best result is to avoid having a security breach in the first place. Companies need to move forward quickly with these evaluations, and also should ensure that they have in place an ongoing program to monitor and evaluate security practices, with the goal of improving the overall security of the information in the health care system.