Reports of personal information stolen from business databases and PCs, or from laptops full of confidential data lost in transit, have become regular features of the news. In response, new laws affecting businesses have proliferated. The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA), expanded the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules by creating new notification requirements for breaches of unsecured protected health information.

On Aug. 20, 2009, the U.S. Department of Health and Human Services (HHS) issued an interim final rule on required notification of breaches of unsecured protected health information. (Please see Jason Froggatt’s presentation regarding breach notification rules, made prior to the release of the interim final rule.) The interim rule is effective for breaches that occur beginning 30 days after the rule is published in the Federal Register, although HHS has indicated that it will not enforce the rule for 180 days. After the effective date, it will change the way that every employer that sponsors a group health plan must handle breaches of unsecured protected health information.

What is the new breach notification rule?

The HIPAA Privacy and Security Rules contain substantial compliance requirements for “covered entities” (including an employer’s group health plans). However, a group health plan was not explicitly required to notify individuals of privacy or security breaches affecting protected health information. The group health plan’s obligation was to mitigate the harmful effects of such a breach. The new rule creates an affirmative obligation to notify plan participants in the event of breaches of certain unsecured protected health information.

What is a “breach”?

The new rule defines a “breach” as the acquisition, access, use or disclosure of protected health information that compromises the security or privacy of that information. The definition of breach excludes situations where the unauthorized person to whom such information was disclosed would not reasonably have been able to retain such information.

It also excludes any unintentional acquisition, access or use of protected health information by a person acting under the authority of a covered entity or business associate if that acquisition, access or use was made in good faith and within the scope of authority and does not result in further impermissible use or disclosure of the protected health information.

Finally, a breach does not include any inadvertent disclosure by an authorized person to another authorized person at the same covered entity or business associate and where the information received as a result of such disclosure is not further acquired, accessed, used or disclosed without proper authorization.

Unlike some state laws, the new rule is not limited to financial or electronic information. However, the new rule makes clear that there is a harm threshold. For a report to be required, there must be a significant risk of financial, reputational or other harm to the individual.

What is “unsecured protected health information”?

“Unsecured protected health information” is defined as protected health information that is not secured using a technology or methodology specified by the secretary of HHS, for example encryption or destruction of material. HHS originally published guidance on this in April 2009, and the new rule updates that guidance. (Please see our Health Law practice's May 11, 2009, advisory, HHS Guidance Describes Safe Harbor from Data Breach Notification Requirements.)

What are the notice requirements?

The new rule provides detailed requirements regarding the timing, method and content of notification in the event of a breach of unsecured protected health information. Notice must be provided to the affected individuals without unreasonable delay, but not later than 60 days after the breach has been (or reasonably should have been) discovered.

Generally, notice may be provided by first-class mail, or by e-mail in situations where the participants have previously agreed to e-mail notification. If the group health plan does not have sufficient contact information for 10 or more participants, it must provide notice to major print or broadcast media outlets or post notice to its Web site for at least 90 days.

With respect to content, the notification must include a brief description of the events surrounding the breach, types of information involved, steps individuals should take to protect themselves from harm, steps the covered entity is taking to investigate and mitigate the harm, and contact procedures for those seeking more information.

In addition, the group health plan must provide notice of the breach to HHS. Generally, the group health plan must maintain a log and submit it annually to HHS. If the breach involves more than 500 individuals, the group health plan must notify HHS when it notifies the affected individuals so that HHS can post notice of the breach on its Web site.

Finally, business associates of group health plans—such as vendors, administrators, lawyers, accountants, auditors and other service providers with access to protected health information—are directly regulated by the new rule. Business associates will be obligated to inform covered entities of any breach of unsecured protected health information so that the covered entity can comply with the new notification requirements.

What do employers need to do now?

Employers should re-examine their HIPAA Security policies and procedures, and re-check their compliance systems, especially with respect to portable media and remote access to health information. The new rule, together with increased penalties that may be assessed under the HITECH Act and a recent reassignment of enforcement responsibility from the HHS Office of Inspector General to the Office for Civil Rights, is likely to increase significantly employers' costs for security breaches.