The Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) was enacted as part of the economic stimulus package on February 17, 2009. The HITECH Act expands the scope of the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and strengthens the enforcement authority and penalties available to the Department of Health and Human Services (the “Department”) for violations of HIPAA. The HITECH Act became effective on February 22, 2010.
Notice of Security Breach
Among other modifications to HIPAA, the HITECH Act requires both covered entities and business associates of those covered entities to provide notice of a security breach to not only the individual or individuals affected by the breach but also, in some cases, to the media and the Department. This means that an individual’s personal physician, a pharmacy, a hospital, or another facility where an individual has received treatment, and his or her health insurance company (known as covered entities) and certain companies with which they do business (known as business associates), must let the individual know if they become aware that personal information has been used or disclosed in an inappropriate way.
When Is Notification of a Breach Required?
In the event that a covered entity or business associate becomes aware of an inappropriate use or disclosure of information, it must first determine whether the breach involved protected health information (“PHI”) and whether the PHI was unsecured. The HITECH Act provides that covered entities and business associates may avoid the notification requirements if the PHI is secured through an encryption system approved by the Department. The encryption system must render the information “unusable, unreadable, or indecipherable to unauthorized individuals,” using technologies or methods approved by the Department.
If the PHI involved is unsecured, the covered entity and business associate must then determine whether the inappropriate use or disclosure is a “breach.” The HITECH Act and regulations define a breach as an acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA where such action “compromises” the security or privacy of the PHI (e.g., a stolen laptop containing unencrypted PHI). The regulations further clarify that PHI is compromised if there is a “significant risk of financial, reputational, or other harm to the individual.” Generally, an insignificant breach does not need to be reported.
In addition, there are exceptions to the notification requirements for breaches that result from (i) an unintentional access, use, or disclosure of PHI, if such access was in good faith, was within that person’s scope of authority, and did not result in further impermissible use or disclosure of the PHI, or (ii) an inadvertent disclosure by a person who is authorized to have access to such PHI to another authorized person at the same covered entity or business associate, and the PHI disclosed is not further used or disclosed in an impermissible manner, or where (iii) the covered entity or business associate had a good faith belief that the unauthorized person who received the PHI would not reasonably have been able to retain it.
When Will an Affected Individual Be Notified?
The covered entity is responsible for making the breach notification; the business associate is required to notify each covered entity with which it has a required Business Associate Agreement. The Business Associate Agreement will dictate the business associate’s responsibilities in the event of a breach, including the time period in which the business associate must notify the covered entity of the breach. The covered entity must send notice to every person whose PHI is affected, within 60 calendar days after it knows or should have known of the breach. The notice by the covered entity must provide a brief description of what happened, the type of PHI that was disclosed, what steps the covered entity and the business associate have taken to correct the breach and to lessen any harmful impact on the individual, and what actions the individual can take to protect herself or himself from potential harm. The covered entity must also provide contact information that can be used to obtain additional information and assistance.
If the breach was widespread, affecting more than 500 persons, the covered entity must notify the media in the areas where the affected individuals live and simultaneously notify the Department. The covered entity must also notify the Department annually of all breaches occurring each year, regardless of the number of individuals affected.
What Does It All Mean To Patients?
Historically, state law has governed when and to whom a company must give notification of a security breach of personal information. Some state laws were limited only to disclosure of Social Security numbers. The HITECH Act now imposes a federal law requirement that generally applies in all states, resulting in consistent notification requirements, at least with respect to PHI. There is no private cause of action for a breach, but affected individuals may file a claim with the Department’s Office of Civil Rights. In addition, the attorney general of each state has the right to enforce HIPAA provisions. The Connecticut attorney general has already begun such a suit.
In order to comply with these new requirements, each covered entity and business associate will have to evaluate its physical, administrative, and technical safeguards to ensure that PHI is protected, implement the encryption systems approved by the Department, develop policies and procedures to ensure that notice of a breach of unsecured PHI is given in a timely and effective manner to all affected individuals, and train its workforce and contractors to comply with the more stringent requirements.
All these actions by covered entities and their business associates that use and maintain PHI should enhance the privacy and security of each individual’s PHI. Companies should be more aware of the purposes for which PHI is being used, who has access to it and how it is being maintained. They should learn of breaches in a more timely manner and be able to not only give the required notice of the breach but also take immediate action to correct the problem and mitigate any harm. This will enable affected individuals to take their own steps to prevent any further harm from the breach. Among the ways in which covered entities may protect individuals when a breach has occurred is to provide them with free identity theft coverage and credit monitoring services.
Identity theft, including medical identity theft, is a growing problem in the United States that affects both businesses and individuals. The HITECH Act is one step in the ongoing efforts to protect against the unauthorized use and disclosure of each individual’s PHI.