The Health Information Technology for Economic and Clinical Health Act ("HITECH"), a part of the American Recovery and Reinvestment Act of 2009, imposes a new duty on covered entities (including group health plans) to notify affected individuals and, in some cases, the media and the Department of Health and Human Services ("HHS"), of a breach of unsecured protected health information ("PHI").

As required by HITECH, HHS issued regulations on August 24, 2009 providing more detail regarding this new duty. The regulations are effective September 23, 2009 but, as noted below, HHS will not impose sanctions for breaches discovered during the 180-day period beginning on the issue date.  

HHS Breach Notification Regulations

General Requirements - Under the new regulations, a group health plan is required to notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed following a breach of that unsecured PHI. PHI includes individually identifiable health information maintained in any form or medium, including paper or electronic. The group health plan is also required to notify the media and HHS in certain breaches involving large numbers of individuals. The regulations also require a business associate of a group health plan (for example, a claims administrator) to notify the group health plan of a breach of unsecured PHI.

The notification requirements apply only to a breach of "unsecured PHI." In prior guidance, HHS has generally defined "unsecured PHI" as PHI that is not encrypted or destroyed.

HHS sets forth the following three-step process which group health plans and their business associates should follow in determining whether a breach has occurred for which notification must be given:

  1. Determine whether there has been an impermissible use or disclosure of PHI under the HIPAA Privacy Rule;
  2. Determine and document whether the impermissible use or disclosure compromises the privacy or security of the PHI by having created a significant risk of financial, reputational, or other harm to the individual; and
  3. Determine whether the incident is excluded from the definition of "breach" because it is:
  • An unintentional use of PHI by a workforce member acting in good faith and within the scope of his or her authority, and the PHI is not further used or disclosed improperly;
  • An inadvertent disclosure of PHI by an authorized person to another authorized person, and the PHI is not further used or disclosed improperly; or
  • A disclosure of PHI to an unauthorized person where there is a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.

Timeliness of Notification to the Individual - Notification must be made to individuals "without unreasonable delay" but no later than 60 calendar days after discovery of the breach. Breaches are considered to be discovered on the first day the breach is known to the group health plan (i.e., known to any member of the group health plan's workforce or the group health plan's agent) or when, by exercising reasonable diligence, the breach would have been known to the group health plan.

Content of Notification - Notification sent to individuals must be "in plain language" and include the following:

  • A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;
  • A description of the types of unsecured PHI that were involved in the breach;
  • Steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of the steps the entity is taking to investigate the breach, mitigate harm, and protect against future breaches; and
  • Contact procedures for individuals to ask questions or obtain additional information, including a toll-free number, email address, website, or postal address.

Methods of Notification to Individuals - Notification to individuals must be sent to the individual's last known address via first-class mail, or email if the individual has agreed to email and has not withdrawn such agreement. If the contact information for less than 10 individuals is outdated or insufficient, substitute notice may be provided by an alternative written notice, telephone, or other means. However, if the contact information for 10 or more individuals is found to be outdated or insufficient, the entity must provide substitute notice in one of the following forms:

  • Conspicuous posting on the home page of the covered entity's website for a period of not less than 90 days; or
  • Conspicuous notice in major print or broadcast media in geographic areas where the affected individuals likely reside.

In addition, the substitute notice on the website or in print or broadcast media must include a toll-free telephone number that will remain active for at least 90 days where individuals can learn whether their unsecured PHI was included in the breach.

Notification to Media if More Than 500 Affected - If the breach affects more than 500 residents of a particular state or jurisdiction, the group health plan also must notify "prominent media outlets" serving the state or jurisdiction of the breach without unreasonable delay, but no later than 60 calendar after discovery of the breach.

Notification to HHS if 500 or More Affected - If the breach affects 500 or more individuals, notice must be made to HHS contemporaneously with the notification to the affected individuals. If fewer than 500 individuals are affected, the group health plan must maintain a log of any such breaches, and submit the log annually to HHS no later than 60 days following the end of the calendar year. Note that, unlike the media notification above, this requirement applies even if fewer than 500 individuals are in a state.

Notification by Business Associates - Business associates must provide breach notification to the group health plan "without unreasonable delay" and in no case later than 60 calendar days after discovery of the breach. The business associate must, to the extent possible, identify each individual whose PHI was breached and provide any other available information the group health plan will need to notify the affected individuals. It is important to note that, in some cases, the business associate may be considered an agent of the covered entity, in which case the covered entity's 60-day notice period will commence upon the business associate's discovery of the breach.

Effective Date - The HHS regulations are effective 30 calendar days after the August 24, 2009 publication in the Federal Register -- September 23, 2009. In response to concerns that 30 days does not provide covered entities sufficient time to implement processes to comply with the new rules, HHS stated that it would use its "enforcement discretion" and not impose sanctions for failure to comply with the required notifications for breaches discovered during the 180-day period after the regulations were published in the Federal Register. Although there is a 6-month delay on sanctions under these regulations, employers and group health plans remain subject to the general rule under HIPAA that the group health plan must mitigate the damage to a plan participant. These general rules may, in some circumstances, require notice to an employee.

What to do now

Group health plans (and the employers and administrators operating them) need to be aware of these new rules and how they impact the administration of the plans. Although HHS has agreed not to impose sanctions with respect to breaches that are discovered within 180 days of the publication of the new regulations, the breach notification rules are still effective for breaches that occur on or after September 23. Thus, group health plans need to take action immediately, including:

  • Reviewing how PHI in their possession is secured. Although the regulations do not require encryption or destruction of PHI, many covered entities are voluntarily choosing to secure their PHI by such methods to the extent feasible in order to limit or avoid application of the notice rules.
  • Updating written HIPAA procedures to include procedures for complying with the new notice requirements (and other changes in the HIPAA rules imposed by HITECH), including sample notices, procedures to maintain current contact information for plan participants (which may avoid the need for a public notice of a breach), obtaining participant consent to email notification, and maintaining a breach log for annual submission to HHS.
  • Revising training materials to include the new notice requirements (and other changes in the HIPAA rules imposed by HITECH) and proving "refresher" training for individuals who handle PHI.
  • Reviewing business associate relationships to determine whether the business associate is the agent of the covered entity or an independent contractor, which may impact the time in which the covered entity has to distribute a required notice.
  • Revising business associate agreements as necessary to determine how the notice obligations will be implemented, e.g., to whom at the covered entity the business associate will give notice of a breach.