On August 19, 2009, the United States Department of Health and Human Services (“HHS”) issued an interim final rule on Notification for Unsecured Protected Health Information ("HHS Breach Notification Rule" or the "Rule") as required by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), a part of the American Recovery and Reinvestment Act of 2009. The Rule applies to HIPAA covered entities and their business associates. As explained in more detail on our Web site, the Rule requires covered entities to notify affected individuals, the media, and HHS following a breach of unsecured protected health information ("PHI"). The Rule also requires business associates to notify covered entities of a breach of unsecured PHI.
In addition, within the preamble to the Rule, HHS issued an updated version of its Guidance Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals ("Guidance") originally published on April 17, 2009. Significantly, a breach of PHI secured in accordance with the HHS Guidance does not trigger the breach notification requirements of the HHS Breach Notification Rule.
HHS Breach Notification Rule
The HHS Breach Notification Rule requires covered entities to notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed following a breach of that unsecured PHI. The covered entity also must notify the media and HHS. The Rule also requires a business associate to notify the HIPAA covered entity of a breach of unsecured PHI.
HHS sets forth the following three-step process for covered entities and business associates to follow in determining whether a breach has occurred for which notification must be given:
- Determine whether there has been an impermissible use or disclosure of PHI under the HIPAA Privacy Rule;
- Determine, and document, whether the impermissible use or disclosure compromises the privacy or security of the PHI by having created a significant risk of financial, reputational, or other harm to the individual; and
- Determine whether the incident is excluded from the definition of “breach” because it is:
  - An unintentional use of PHI by a workforce member acting in good faith and within the scope of his or her authority, and the PHI is not further used or disclosed improperly;
  - An inadvertent disclosure of PHI by an authorized person to another authorized person, and the PHI is not further used or disclosed improperly; or
  - A disclosure of PHI to an unauthorized person where there is a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.
The Rule requires notice of a breach of unsecured PHI to be provided as follows:
Timeliness of Notification to the Individual – Notification must be made to individuals “without unreasonable delay” but no later than 60 calendar days after discovery of the breach. Breaches must be treated as discovered on the first day that the breach is known to the covered entity (i.e., known to any member of the covered entity’s workforce or agent of the covered entity), or when, by exercising reasonable diligence, the breach would have been known to the covered entity.
Content of Notification – Notification sent to individuals must be “in plain language” and include the following:
- A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;
- A description of the types of unsecured PHI that were involved in the breach;
- Steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of the steps the entity is taking to investigate the breach, mitigate harm, and protect against future breaches; and
- Contact procedures for individuals to ask questions or obtain additional information, including a toll-free number, email address, website, or postal address.
Methods of Notification to Individuals – Notification to individuals must be sent to the individual’s last known address via first-class mail, or by email if the individual has agreed to email and has not withdrawn such agreement. If the contact information for fewer than 10 individuals is outdated or insufficient, substitute notice may be provided by an alternative written notice, telephone, or other means. However, if the contact information for 10 or more individuals is found to be outdated or insufficient, the entity must provide substitute notice in one of the following forms:
- Conspicuous posting on the home page of the covered entity’s website for a period of not less than 90 days; or
- In major print or broadcast media, including in the areas where the affected individuals likely reside.
In addition, the substitute notice on the website or in print or broadcast media must include a toll-free telephone number that will remain active for 90 days where individuals can learn whether their unsecured PHI was included in the breach.
Notification to Media – If the breach affects more than 500 residents of a particular state or jurisdiction, the covered entity also must notify “prominent media outlets” of the state or jurisdiction of the breach without unreasonable delay, but no later than 60 calendar days after discovery of the breach.
Notification to HHS – If the breach affects more than 500 individuals, notice must be made to HHS contemporaneously with the notification to the affected individuals. If fewer than 500 individuals are affected, the covered entity must maintain a log of any such breaches, and submit the log annually to HHS no later than 60 days following the end of the calendar year.
Notification by Business Associates – Business associates must provide breach notification to covered entities “without unreasonable delay” and in no case later than 60 calendar days after discovery of the breach. The business associate must, to the extent possible, provide the covered entity with the identification of each individual whose PHI was breached, and any other information available that the covered entity will need to notify the affected individuals.
Preemption of State Breach Notification Laws – In response to several public comments regarding preemption of state breach notification laws, HHS confirmed that state laws that are contrary to the HHS Breach Notification Rule (i.e., where it is impossible to comply with both laws) are preempted by the HHS Breach Notification Rule. However, covered entities subject to state laws imposing additional but non-conflicting breach notification requirements must continue to comply with those state law requirements as well.
Effective Date – The HHS Breach Notification Rule is scheduled to be published in the Federal Register on August 24, 2009. The Rule will become effective 30 calendar days after publication in the Federal Register. However, in response to commenters who expressed concern that 30 days would not provide covered entities sufficient time to implement processes to comply with the Rule, HHS stated that it would use its “enforcement discretion” and not impose sanctions for failure to comply with the required notifications for breaches discovered during the 180-day period after the Rule is published in the Federal Register.
Comments – Comments on any provision of the Rule may be submitted to HHS, and are due 60 days after publication of the Rule in the Federal Register.
HHS Guidance Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
On April 17, 2009, as required by the HITECH Act, HHS issued Guidance Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. If covered entities and business associates secure PHI in accordance with this Guidance, any breach of such secured information is not subject to the HHS Breach Notification Rule. In the preamble to the Rule, HHS provided an updated version of the Guidance. HHS emphasized that nothing in the Guidance, either in the original or updated version, modified a covered entity’s obligations under the HIPAA Security Rule. Specifically, although the Guidance lists encryption as one of only two ways to secure PHI, HHS clarified that the Guidance does not impose any new obligation upon covered entities to encrypt all PHI.
In this updated Guidance, HHS:
- Clarified that “data in motion” includes data moving through a network, including wireless transmission; “data at rest” includes data residing in a database, file system, flash drive, memory or any other storage device; “data in use” includes data in the process of being created, retrieved, updated or deleted; and “data disposed” includes discarded paper records or recycled electronic media.
- Rejected access controls, such as firewalls, as a method for securing PHI.
- Rejected redaction as a means of securing PHI, and clarified that only the destruction of paper PHI will render that PHI secure. (HHS did state, however, that if PHI is properly redacted so as to be fully deidentified, the breach of the deidentified information will not trigger the breach notification requirements under the Rule.)
- Clarified that encryption keys must be kept on a separate device from the data that they encrypt or decrypt.
- Reiterated its reliance on certain National Institute of Standards and Technology (“NIST”) standards as meeting the encryption standards required to secure PHI.