In mid-August, the Department of Health and Human Services (HHS) released an interim final rule describing the new notification requirements related to certain HIPAA violations, effective September 23, 2009.
Simply put, under the notification requirements, HIPAA-covered entities and their business associates must report certain breaches of "unsecured" protected health information (PHI). PHI that has been "secured" (made unreadable by unauthorized persons) as provided by other governmental guidance or from which the identifying information has been essentially stripped is not subject to the breach notification rule.
There are a few situations of unauthorized disclosure, access or use of unsecured PHI that do not constitute a breach requiring notification. These can be summarized as scenarios under which a) a workforce member unintentionally accesses PHI within the scope of the member's authority, b) the PHI is inadvertently disclosed to an individual within the covered entity who normally has access to certain types of PHI or c) the individual to whom the PHI was disclosed cannot readily retain the information.
Even a breach of unsecured PHI that does not fall under one of the exceptions above may not trigger a notification. The covered entity must perform a risk assessment in order to determine whether there truly is a significant risk of economic, reputational or other harm to the individual from the breach. Many factors must be taken into account when performing this assessment, including any steps taken to mitigate harm immediately following the breach. Your employee benefits counsel can assist you in determining whether notification is required. Please be aware, however, that proper documentation showing an intention to comply with the rule is of great importance under the regulation.
If a breach requiring notification does occur, the individual(s) to whom the PHI pertains must be notified within a reasonable time, not to exceed 60 days after discovery of the breach. Discovery of a breach by a business associate that acts as an agent of a HIPAA-covered entity will be imputed to the covered entity for timing purposes. The notification must contain a summary of the breach, the type of PHI disclosed, steps the individual may take to protect himself or herself from further harm, steps the covered entity has taken or will take to mitigate harm to the individual and prevent future breaches, and, finally, contact information for further questions the individual may have regarding the breach.
The notification must always be sent to the individual, and in breaches involving many people, notification may need to be given to the media and to HHS. The notification should be made in writing, but some circumstances may justify the use of e-mail, telephone or Web site postings.
Covered entities and their business associates should consider and discuss several issues with each other and their counsel. These issues may include: "securing" PHI in order to avoid the notification requirements, updating employee training programs, creating a breach log system, developing a notification program, and incorporating into business associate agreements clear provisions regarding these responsibilities.