Covered entities ("CEs"), such as group health plans, and business associates ("BAs"), such as vendors that provide services to group health plans, that are subject to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") now must comply with the Health Information Technology for Economic and Clinical Health ("HITECH") Act breach notification rules (the "HITECH breach notification rules"). The HITECH breach notification rules require CEs and BAs to send out notifications to affected individuals upon a breach of unsecured protected health information ("PHI").

Recently issued Department of Health and Human Services ("HHS") guidance explains the specific timing, contents, and manner of these notifications. Generally speaking, however, BAs are required to notify CEs of a breach of unsecured PHI and CEs are required to notify the persons whose PHI was breached. CEs also are required to notify HHS of breaches and, if a breach affects more than 500 persons within a state or jurisdiction, a CE must notify a prominent media outlet serving that state or jurisdiction. Failure to comply with the HITECH breach notification rules could result in significant civil monetary penalties.

The HITECH breach notification rules are effective September 23, 2009. Although HHS has said that it will not impose sanctions for non-compliance until 180 days after the publication of the rule, CEs and BAs need to start acting now to document breaches occurring on or after September 23, 2009 and become compliant by the time enforcement commences. This Alert outlines the steps CEs and BAs should and must take to avoid the potential cost and publicity associated with a breach and ensure timely compliance with the HITECH breach notification rules.

Securing PHI

CEs and BAs need to ensure PHI is secure. The HITECH Act creates a safe harbor; the HITECH breach notification rules are only triggered if PHI is unsecured. If there is a breach of secure PHI, CEs and BAs need not send out notifications. Right now, there are only two ways to secure PHI: through encryption or destruction. So, CEs and BAs need to:

  • Develop or update policies and procedures for securing PHI, including determining whether and how they will implement encryption and destruction practices to qualify for the HITECH safe harbor;
  • Train employees on how to secure PHI and maintain records of such training; and
  • Secure the PHI in accordance with the policies and procedures implemented.

Prepare for the Discovery of Breaches When They Occur

The HHS guidance emphasizes the role of timely discovery of breaches in HITECH compliance. As such, CEs and BAs will need to:

  • Develop or update procedures for the discovery of breaches of unsecured PHI; and
  • Train employees on how to look for, recognize, and timely report breaches of unsecured PHI and maintain records of such training.

In addition, CEs need to ensure that BAs have procedures in place to properly discover and report breaches of unsecured PHI to CEs.

Compliance Before a Breach Occurs

Once a breach of unsecured PHI occurs, CEs and BAs will have to act quickly to disseminate the required notifications. CEs and BAs need to take the following steps now to facilitate timely notifications upon discovery of a breach:

  • Maintain updated and accurate contact information for potential affected individuals to reduce the occurrence of misdirected notifications;
  • Create policies and procedures for determining whether a breach has occurred, the likely harm to flow from the breach, and for documenting the breach analysis;
  • Create policies and procedures describing when and how affected individuals, HHS, and the media, if applicable, will be notified;
  • Create policies and procedures for mitigating and remedying breaches; and
  • Create a form of notification letter that can be personalized for affected individuals upon the occurrence of a breach.  

Compliance After a Breach Occurs

If a breach of unsecured PHI does occur, CEs and BAs will need to follow all the policies and procedures that they have developed for training employees, discovering a breach, assessing the risks associated with a breach, mitigating and remedying a breach, maintaining proper documentation, and sending out notifications to affected individuals, HHS, and, if applicable, the media. The HHS notification must be made immediately upon the occurrence of a breach affecting 500 or more people; for smaller breaches, however, CEs must maintain a log documenting the breaches. This log is due to HHS annually (60 days after the end of the calendar year), and CEs must start maintaining a log on September 23, 2009 to capture breaches occurring on or after that date.

Updating Business Associate Agreements and Notice of Privacy Practices

  • BAs will have appropriate risk assessment criteria in place for determining when a breach occurs and maintain documentation of such assessments for at least 6 years;
  • BAs will notify the CEs with regard to any breach that occurs, no matter how insignificant the breach may seem, so that the CE can conduct its own breach analysis; and
  • BAs will notify the CE of a breach in a timely fashion.  

Furthermore, the HHS guidance gives CEs the discretion to direct BAs to send out notifications to affected individuals. CEs may want to consider this in cases where the BA is in a better position than the CE to send out the notifications. If a CE directs its BA to send out the notifications, however, it may also want to retain the ability to monitor the BA's notification process to ensure the notifications comply with the HITECH breach notification rules.

Finally, as the HITECH breach notifications constitute an added component of a CE or BA's privacy practices, it is recommended that CEs and BAs update their Notice of Privacy Practices to reflect the HITECH breach notification rules.

The HITECH Act in general, and the HITECH breach notification rules in particular, pose significant compliance burdens for CEs and BAs.