The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) have recently issued proposed guidance and regulations on new breach notification requirements applicable to health records.
The new breach notification requirements come from the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (the “Act”) that was enacted on February 17, 2009 as part of the American Recovery and Reinvestment Act. The Act supplements the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and establishes federal security breach notification requirements for health-related personally identifiable information.
Under the Act, whenever a breach of unsecured protected health information (“PHI”) or a breach of any protected health records (“PHR”) occurs: (1) HIPAA covered entities must notify affected individuals and HHS; (2) business associates of HIPAA covered entities must notify the HIPAA covered entities; (3) web-based entities that collect consumers’ health information (“PHR vendors”) must notify affected individuals; and (4) third party service providers of PHR vendors must notify the PHR vendors. The guidance promulgated by HHS covers the first two types of entities, and the FTC proposed regulations cover the third and fourth types, even where those entities are outside of the FTC’s usual enforcement jurisdiction. The specific requirements of the Act, including what must be done when a breach occurs, are summarized below.
1. What Types of Entities Must Comply with the Act?
The Act applies to all HIPAA covered entities and their business associates, as well as PHR vendors, online applications that interact with PHR, and third party service providers that can access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI or PHR (collectively, the “Covered Entities”).
2. What Type of Data Is Covered?
The Act applies to security breaches involving any PHI and security breaches involving any PHR, even when Social Security numbers, driver’s license numbers, credit card or financial account numbers are not involved.
In particular, the Act employs the HIPAA definition of “health information” in defining PHI. Under the Act, PHI “means any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.” 1
PHR means any electronic record of “identifiable health information” on an individual that (1) can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual; (2) is provided by or on behalf of the individual; and (3) identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. The definition of “identifiable health information” is drawn from the Social Security Act and means “any information, including demographic information collected from an individual, that— (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.” 2
Also, the Act applies to such data in both electronic and hard copy (e.g. paper or film) form. Thus, the Act is broader in scope than the state breach notification statutes, which typically do not apply unless there has been a breach of data involving Social Security numbers, driver’s license numbers, credit card or financial account numbers. Of course, those state statutes continue to apply to breaches of non-PHI and non-PHR data that contains Social Security numbers, driver’s license numbers, credit card or financial account numbers.
3. What Is Considered a Security Breach Requiring Notification?
The Act defines a security breach as the unauthorized acquisition, access, use, or disclosure of PHI or PHR that compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
According to the HHS guidance, the following scenarios would not amount to a breach of PHI: (1) when the unauthorized acquisition, access or use of PHI is unintentional and made by an employee or individual acting under authority of a HIPAA covered entity as long as it was done in good faith and within the course and scope of the employment with the covered entity and such information is not further accessed, acquired, used, or disclosed; or (2) where an inadvertent disclosure occurs by an individual who is authorized to access PHI at a facility operated by a HIPAA covered entity or business associate to another similarly situated individual at the same facility, as long as the PHI is not further acquired, accessed, used, or disclosed without authorization.
4. When are Notification Requirements Triggered?
The notice requirements apply in the event of a breach of PHI or PHR that is unsecured. If the PHI or PHR is considered secure, the breach notification requirements will not be triggered.
For unsecured PHI or PHR, notice requirements are triggered as of the first day that the breach is discovered or the first day the breach should have reasonably been known to any employee, officer or other agent of the Covered Entity. Failure to maintain reasonable security breach prevention and detection measures is not an excuse.
5. When is PHI or PHR “Secured” So that Notification Is Not Required?
PHI and PHR are secure and, therefore, not subject to the notification requirements when they are unusable, unreadable, or indecipherable to unauthorized individuals. HHS has specified that to meet this standard the data must be properly (1) encrypted or (2) destroyed. Moreover, the standard differs for: (1) data in motion (e.g. records sent in a wireless transmission), (2) data at rest (e.g. records stored in a database), and (3) disposed data (e.g. discarded paper records or recycled electronic media).
Encryption: Proper encryption requires an “algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key” (45 C.F.R. 164.304), and that the confidential process or key has not itself been breached in a way that would enable decryption. In practice, the key must be stored and handled separately from the encrypted data; for example, a lost laptop whose disk-encryption passphrase was kept with the device, or an encrypted file sent together with its key, would not qualify for the safe harbor. Encryption will be deemed to render PHI and PHR “unusable, unreadable, or indecipherable” if it meets the following standards published by the National Institute of Standards and Technology (“NIST”) 3:
- Encryption of data at rest must be consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
- Encryption of data in motion must comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; or must use another encryption process that is validated under Federal Information Processing Standards (“FIPS”) 140-2.
Destruction: Data in hard copy form (e.g. paper or film) is destroyed when it has been shredded or otherwise destroyed so that it cannot be read or reconstructed. Data in electronic form must be cleared, purged, or destroyed in a manner consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, so that it cannot be retrieved; simply deleting files or reformatting a drive does not meet that standard.
6. What are the Notification Requirements?
(a) Who Must be Notified?
Generally, individuals are affected and must be notified of the security breach when their unsecured PHI or PHR has been, or is reasonably believed to have been, inappropriately accessed, acquired, or disclosed in the breach.
In accordance with the procedures outlined below, the HHS guidance requires: (1) HIPAA covered entities to notify each affected individual; (2) business associates to notify the HIPAA covered entities who must, in turn, notify affected individuals; and (3) all breaches to be reported to HHS.
In accordance with the procedures outlined below, the FTC regulations require: (1) PHR vendors to notify the FTC and the affected individuals; and (2) third party service providers to notify the PHR vendors who must, in turn, comply with their notice requirements. Further, third party service providers must notify a “senior official” of the PHR vendor and obtain confirmation that the notice was received by the PHR vendor.
(b) When Must the Notice be Sent?
All notices must be sent without “unreasonable delay” but no later than 60 calendar days after the discovery of a breach, except in circumstances where a law enforcement official requires delay. The FTC proposed regulations note that waiting 60 days to deliver the notice may be “unreasonable” in certain situations. As such, each breach must be evaluated on a case-by-case basis, and Covered Entities should not automatically assume that they have the full 60 days.
Breach reports must be made to HHS or the FTC, whichever is appropriate, on an annual basis (due one year after the date of the first breach). If, however, 500 or more individuals are affected in a single breach, notice must be sent to HHS without unreasonable delay, and to the FTC as soon as possible but no later than five business days following discovery of the breach.
(c) What is the Proper Method of Notice?
The Act requires that written notice be sent to the affected individual by first class mail, or by e-mail if the individual has expressly agreed to e-mail delivery. If the Covered Entity determines that the situation is urgent because of possible imminent misuse of the information, it may also contact the individual by telephone or other means, in addition to the written notice.
Where contact information is out of date or insufficient, and the Covered Entity has made reasonable efforts to reach the individual through the individual’s preferred method of notice, substitute notice may be made. Under the HHS guidance, substitute notice in the form of a conspicuous posting on the home page of the Covered Entity’s web site, or notice in major print or broadcast media, is sufficient. Under the FTC proposed regulations, substitute notice may be made via a less-preferred method or “other appropriate means”; only if ten or more individuals cannot be reached via their preferred method may the notice be posted on the entity’s home page or placed in major print or broadcast media. Where notice is posted on an entity’s web page, it must be conspicuous (e.g. reached through a hyperlink on the home page, or on a landing page in the case of existing customers, that states “click here for an important notice about a security breach that may affect you” rather than simply “click here”). The FTC requires that the notice be posted for six months; HHS requires that it be posted for a length of time specified by HHS.
If 500 or more individuals are affected by the breach, then under both the HHS guidance and the FTC regulations notice must also be made to prominent media outlets in all of the states or jurisdictions where affected individuals reside. Notice to the media supplements, but does not replace, individual notice.
(d) What Information Must the Notice Include?
The notice to individuals must include the following:
- A brief description of the breach, including the date of the breach and the date of discovery of the breach, if known;
- A description of the type of PHI or PHR involved in the breach (e.g. first and last name, Social Security number, date of birth, account number, disability code);
- The steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of the steps being taken to investigate the breach, mitigate losses, and to protect against further security breaches; and
- Contact information (e.g. a toll free number, an email address, web site, or postal address) for the affected individuals to inquire about the breach.
7. HHS and FTC Seeking Comments
HHS and the FTC are seeking public comment on the guidance and the proposed regulations, respectively. Comments are due to HHS by May 21, 2009 and to the FTC by June 1, 2009.
The proposed HHS guidance is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf
The FTC proposed regulations are available at: http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf