As we reported in our Alerts on February 19, 2009, the federal stimulus package—the American Recovery and Reinvestment Act of 2009 (“ARRA”)—directed the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) to implement regulations requiring that individuals be notified in the event a security breach compromises “unsecured” health information.[1] HHS was tasked with implementing regulations directed at covered entities and business associates subject to HIPAA, and with providing guidance as to how health information may be adequately secured. The FTC, on the other hand, was to address security breaches affecting vendors of personal health records (“PHRs”), such as Google and Microsoft, and PHR-related entities.[2]

Both HHS and the FTC have issued interim final security breach notification rules.[3] The HHS regulations (“HHS Rule”) will take effect on September 23, 2009, though HHS will delay enforcement until February 22, 2010. The FTC’s regulations (“FTC Rule”) will take effect on September 24, 2009, and the FTC will similarly delay enforcement until February 22, 2010.

Both the HHS Rule and the FTC Rule have many features that are analogous to State breach notification laws that address security breaches of personally identifiable information. These include, for example, how and when notice to individuals should be provided, and what should be included within the content of the notice. There are, however, some unique aspects to the HHS and FTC Rules, some of which we highlight below.

“Unsecured” Protected Health Information

Recall that both the HHS Rule and the FTC Rule apply to “unsecured” health information. Therefore, if there is a breach of “secured” health information, neither the HHS Rule nor the FTC Rule is triggered, and the applicable entity would have no breach notification obligations under these rules (though the entity may have certain obligations under other laws). As noted above, Congress required HHS to provide guidance as to how health information may be adequately secured, with the caveat that the guidance must specify “the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable.”[4] The guidance issued by HHS meets this standard by defining two methods through which health information may be secured: encryption and destruction.

Electronic health information is adequately encrypted if it is subjected to a cryptographic algorithm that transforms it “into a form in which there is a low probability of assigning meaning without use of a confidential process or key,” and such confidential process or key is kept on a device separate from that which stores the health information. HHS’s guidance refers to several publications by the National Institute of Standards and Technology (“NIST”) that provide more detailed information on valid encryption processes.[5]

The second method, destruction, applies to both hard copy and electronic media. Hard copy media containing health information is adequately secured if it is shredded or destroyed such that the health information cannot be read or otherwise reconstructed. Importantly, redaction of health information does not constitute destruction. Electronic media containing health information is adequately secured by destruction if the media is purged in accordance with the relevant NIST guidance.[6]

The HHS Rule

Under the HHS Rule, a covered entity must notify the affected individuals, and a business associate must notify the affected covered entities, if there is a security breach of unsecured protected health information (“PHI”). But note that “breach” is a defined term; a breach occurs within the meaning of the HHS Rule if: (i) there is “acquisition, access, use, or disclosure” of unsecured PHI in a manner that violates the HIPAA Privacy Rule; and (ii) such acquisition, access, use, or disclosure poses a “significant risk of financial, reputational, or other harm to the individual” (this requires conducting a “risk assessment,” which is further described below); and (iii) none of the following three exceptions apply:

  • The acquisition, access, use, or disclosure was made in good faith by, and within the scope of duty of, someone under the authority of a covered entity or business associate, and no further use or disclosure prohibited by the Privacy Rule occurs.
  • There is an inadvertent disclosure by one person at a covered entity or business associate who is authorized to access PHI to another person at the same covered entity or business associate who is also authorized to access PHI, and no further use or disclosure prohibited by the Privacy Rule occurs.
  • There is a disclosure of PHI and the relevant covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

All of this makes for a relatively complex analysis to determine if there has in fact been a “breach.” First, a covered entity or business associate must determine if there has been a violation of the Privacy Rule. If so, the entity must carry out a “risk assessment” to determine if there is a significant risk of harm (financial, reputational, or otherwise) to the individuals whose PHI was accessed, used, or disclosed. This risk assessment should take into account the type and amount of PHI involved, and whether the PHI involved includes information that increases the risk of identity theft. (Use or disclosure of a “limited data set” under HIPAA, provided that the data set also lacks date of birth and zip code identifiers, is not deemed to pose a significant risk of harm, and is therefore not considered a breach.) Finally, if any of the three exceptions described above apply, no breach has occurred within the meaning of the HHS Rule.

If a breach of unsecured PHI has in fact occurred, the HHS Rule proceeds to address the same types of issues as the breach notification laws enacted by the States, such as: when discovery of a breach is deemed to have occurred (when it becomes known or should have been known through the exercise of “reasonable diligence”); the type of notification allowed under various circumstances; the content of the notification; when notification to individuals must be made (without unreasonable delay, not to exceed 60 days after discovery of the breach, or 120 days if the breach affects a business associate not acting as an agent of a covered entity); the circumstances under which “prominent media outlets” should be notified (when the breach affects 500 or more people in a State or jurisdiction); and when and how HHS itself must be notified.

The FTC Rule

The FTC Rule lacks the complexity of the HHS Rule when it comes to determining whether a “breach” has occurred. Under the FTC Rule, there is simply a “rebuttable presumption” that a security breach has occurred if the breach could have led to unauthorized access to unsecured PHR identifiable information.[7] Thus, for example, if a laptop containing unsecured PHR identifiable information is lost by a PHR vendor or a PHR-related entity, a security breach within the meaning of the FTC Rule is presumed to have occurred, but this presumption can be rebutted if the applicable entity can show that the laptop was recovered and the files stored on the laptop were never opened, altered, transferred, or otherwise compromised.

But the FTC Rule can be complex with respect to its interplay with the HHS Rule. As noted above, the FTC Rule applies to PHR vendors and PHR-related entities. The FTC Rule defines PHR vendor as an entity that offers or maintains PHRs, other than “a HIPAA-covered entity or an entity to the extent it engages in activities as a business associate of a HIPAA-covered entity.” The result is that a PHR vendor can also be subject to the HHS Rule “to the extent” it is also a business associate under HIPAA. This is best illustrated through the FTC’s own example: suppose a vendor provides PHRs to the public generally through its own website, and also signs a business associate agreement with a health insurer to offer PHRs to the health insurer’s customers. If there is a security breach that affects all of the unsecured PHRs maintained by the vendor, the vendor does not need to notify the health insurer’s customers directly. Rather, the vendor must: (i) in its role as a PHR vendor, directly notify the affected individuals that are not customers of the health insurer, pursuant to the FTC Rule; and (ii) in its role as a business associate, notify the health insurer of the breach to the extent the breach affected the health insurer’s customers, pursuant to the HHS Rule.

A PHR-related entity is defined as an entity that offers products or services through the website of a PHR vendor or the websites of HIPAA-covered entities that offer PHRs, or accesses information in, or sends information to, a personal health record. As with PHR vendors, a PHR-related entity does not include a covered entity under HIPAA, or an entity “to the extent” it acts as a business associate under HIPAA. Thus, a PHR-related entity may also be subject to both the FTC Rule and the HHS Rule, depending on the circumstances.

In recognition of the fact that PHR vendors and PHR-related entities frequently rely on third parties for data hosting and other similar services, the FTC Rule also requires PHR vendors and PHR-related entities to notify their “third party service providers”—the service providers that access, maintain, modify, record, destroy or otherwise handle unsecured PHR identifiable health information—of their status as PHR vendors or PHR-related entities. In turn, if there is a security breach of unsecured PHR identifiable health information that affects the third party service provider, that service provider must notify a senior official of the applicable PHR vendor or PHR-related entity of the breach, and obtain an acknowledgement from such official that the notice was received.

The FTC Rule, similar to the HHS Rule, proceeds to address when discovery of a breach is deemed to have occurred; the type, timing, and content of the notification; the circumstances under which “prominent media outlets” should be notified; and when and how the FTC itself must be notified.

Practical Next Steps

As mentioned above, HHS and the FTC indicated that they will not enforce these regulations until February 2010. Nevertheless, it is a good idea for covered entities and business associates to revisit and consider revising any business associate agreements to reflect the breach notification requirements, or for business associates to consider imposing such requirements “downstream” to their service providers that handle PHI. However, covered entities and business associates should also note that additional business associate obligations mandated by ARRA take effect on February 17, 2010, and that forthcoming regulations from HHS may provide additional details for required amendments to business associate agreements.[8]

More importantly, organizations to which these regulations apply should create and implement a comprehensive incident response plan, or update an existing incident response plan. In our experience, having no incident response plan in place when a breach occurs carries substantial risk—an organization’s response under such circumstances is invariably haphazard and disorganized. On the other hand, a properly designed and implemented incident response plan can not only enable an organization to comply with these regulations in an organized and effective way, it can also minimize damage to an organization’s reputation and the risk of later regulatory sanctions.