Final breach notification rules pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA) have been released by the Federal Trade Commission (FTC) (the "FTC Breach Notification Rule") and the U.S. Department of Health and Human Services (HHS) (the "HIPAA Breach Notification Rule"). The HIPAA Breach Notification Rule applies to entities and business associates covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), while the FTC's Breach Notification Rule applies to vendors of personal health records (PHR) and related entities. In some cases an entity may be subject to both rules.
The HIPAA Breach Notification Rule
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) provisions contained within ARRA require HIPAA-covered entities and business associates to address and incorporate breach notification as an integral part of their HIPAA systems, policies, procedures and training. The HIPAA Breach Notification Rule is anticipated to become effective for breaches occurring on or after September 23, 2009. However, as described below, enforcement will be delayed.
The HIPAA Breach Notification Rule largely follows the HITECH Act, Section 13402, with several important clarifications and modifications. It also provides additional guidance on the technologies and methodologies that render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals, and therefore not considered "unsecured PHI" subject to the breach notification provisions.
Notice of Breach of PHI
A covered entity, following the discovery of a "breach of unsecured protected health information," is required to notify each individual whose PHI has been, or is reasonably believed to have been, "accessed, acquired, used, or disclosed as a result of such breach." The notice must be provided without unreasonable delay and in no case later than 60 days after discovery of a breach. For breaches involving 500 individuals or more, the covered entity also must notify HHS concurrently. For breaches involving fewer than 500 individuals, the covered entity need only maintain a log and report such breaches to HHS annually. Media notice by publication or broadcast also is required when a breach involves the PHI of more than 500 individuals. Additionally, covered entities and their business associates must publish substitute notice (e.g., a notice conspicuously posted on the covered entity's website, or a newspaper or broadcast media notice) where insufficient or out-of-date contact information exists to notify affected persons.
Notifications must include, among other things, a description of the types of PHI subject to the breach. However, the notification also must avoid further disclosure of PHI, such as social security numbers, diagnosis information or account numbers. The notice to individuals must be written in plain language and comply with applicable federal laws governing appropriate accommodations for persons with limited English language proficiency or sensory disabilities.
Timing of Notice
The HIPAA Breach Notification Rule clarifies that a covered entity's breach notification "clock" begins ticking as soon as a business associate for the covered entity discovers the breach, making contractual notice and cooperation requirements imperative in business associate agreements. Furthermore, the requirement that no "unreasonable delay" occur prior to notification highlights the importance of appropriately training workforce and other agents to notify the Privacy Official immediately when a potential breach occurs. HHS views the 60-day notification deadline as an outside limit. However, covered entities are expected to take a reasonable time to collect the information required for the notice. Therefore, in some cases multiple mailings may be needed as information becomes available.
A covered entity must undertake a three-step process for determining when a breach notification must be made:
- Was there a data breach? For example, was there an unauthorized acquisition, access, use or disclosure of PHI that was not secured by one of the methodologies approved by HHS for rendering the PHI unusable, unreadable or indecipherable?
- Did the access, acquisition, use or disclosure violate HIPAA privacy and security standards?
- Did the unauthorized access, acquisition, use or disclosure compromise the security or privacy of the PHI, by posing a significant risk of financial, reputational, or other harm to the individual?
The third step, above, creates a so-called harm threshold and necessitates that covered entities determine and document the risk of harm to the individual resulting from a potential breach of unsecured PHI.
The rule further clarifies that the security or privacy of the PHI is not compromised unless there is a "significant risk of financial, reputation, or other harm to the individual." In some cases the PHI may be recovered so quickly (such as the recovery of a lost laptop computer where forensic analysis shows that no acquisition or disclosure of PHI occurred), or may be so limited in content, that the risk of harm is so low that a notification of breach may be avoided. Caution is advised when conducting such analyses, however, as the HIPAA Breach Notification Rule places the burden of demonstrating compliance squarely on the shoulders of the covered entity. It also provides that the security or privacy of the information is not considered compromised if only certain narrowly defined elements are affected. HHS cautions, however, that this is a very narrow exception and must not be construed as permitting or encouraging the use or disclosure of more than the "minimum necessary" PHI in violation of the limits and requirements found in 45 C.F.R. Sections 164.502(b) and 164.514(d).
Finally, the HIPAA Breach Notification Rule clarifies that the methodologies approved to render PHI unusable, namely encryption and destruction, relate only to the HIPAA Breach Notification Rule and are viewed separately and apart from the HIPAA security standards. Consequently, an encryption method that complies with the HIPAA security standards will not necessarily satisfy the HIPAA Breach Notification Rule. With respect to encryption, HHS advises that the confidential process or key used to decrypt data must be stored on a device, or housed in a location, separate from the data it encrypts or decrypts. HHS also clarifies that redaction is not an approved method of destruction.
Perhaps the most immediately significant development contained in the HIPAA Breach Notification Rule is the decision by HHS to delay enforcement and the imposition of sanctions during the 180-day period following publication. Despite some initial "breathing room" on the enforcement side, HHS expects that covered entities and business associates will be in compliance with the HIPAA Breach Notification Rule on the effective date (September 23, 2009).
The FTC Breach Notification Rule
Originally proposed in April 2009, the FTC Breach Notification Rule requires compliance by vendors of PHR, such as web-based repositories used for tracking an individual's health information and entities offering third-party applications for PHRs, such as information uploaded from a blood pressure cuff or pedometer. The final FTC Breach Notification Rule clarifies that it applies both to vendors of PHR and related entities, irrespective of any jurisdictional tests. Consequently, a wide variety of entities are subject to its requirements.
Application of the Rule
The FTC Breach Notification Rule does not apply to HIPAA-covered entities or business associates, including, for example, physicians who offer a PHR to their patients. To avoid consumers receiving duplicate notices for the same breach, the FTC clarifies that if a PHR vendor is both a business associate and deals directly with consumers, it need not send a separate notice to a customer who is already receiving a breach notification on behalf of a HIPAA-covered entity (discussed above).
In response to comments expressing concern that third-party vendors would not be aware that they were handling covered electronic health records, the FTC added a provision to the Breach Notification Rule that requires vendors of PHR and PHR-related entities to notify third-party service providers of such status.
The requirements under the federal breach notification law supersede any contrary provision of state law, in the same manner as the HIPAA privacy rules supersede state law. The FTC Breach Notification Rule, however, does not preempt state laws imposing additional, as opposed to contradictory, breach notification requirements.
Additionally, the final FTC Breach Notification Rule eliminated many of the proposed rule's barriers to sending e-mail notification to consumers. However, consumers must be given a clear, conspicuous and reasonable opportunity to receive breach notifications by first-class mail instead. The period during which a breach must remain posted on an entity's website also was reduced from six months to 90 days. The FTC has developed a form for vendors of PHRs or PHR-related entities to use in notifying the FTC of a breach. The information received by the FTC will be entered into a searchable database that will be made available to the public.
Timing of Notice
Finally, the FTC Breach Notification Rule clarifies that the 60-day period for breach notification may begin before an entity has determined that all of the prerequisites for triggering a breach notification are met. The FTC stated that the 60-day period is intended to give entities time to conduct such an investigation. Hence, the clock starts ticking very early on and will not be delayed until the "entity conducts an investigation to determine whether unauthorized acquisition has occurred, whether PHR identifiable health information has been breached, or whether the information breached was unsecured."