The Department of Health & Human Services (HHS) has issued interim final rules under HIPAA relating to the breach notification requirements originally introduced in the amendments to HIPAA in the HITECH Act of February 2009. The rules establish that under certain circumstances covered entities must notify an individual if such individual’s unsecured protected health information (PHI) is breached. Unsecured PHI is generally PHI that is not encrypted or destroyed.

The breach notification rules become effective September 23, 2009. However, HHS says it will not enforce sanctions against covered entities until February 22, 2010 because of the short deadline. Regardless, covered entities need to take immediate action to comply with the rules, specifically to amend business associate agreements and to implement new policies.

Below is a summary of the key provisions of the rules:

  • Definition of Breach. A breach is: (a) an unauthorized acquisition, access, use or disclosure of unsecured PHI that violates the Privacy Rule, (b) that poses a significant risk of financial, reputational or other harm to the individual and (c) does not fall under an exception. To determine whether a use or disclosure may cause a significant risk of financial, reputational or other harm to an individual, a covered entity must assess whether such harm is likely to occur based on factors such as the type of information disclosed, to whom the information was disclosed and any steps taken to mitigate the use or disclosure. The rules specifically exempt certain Privacy Rule violations from the breach notification requirements such as unintentional access by an employee of a covered entity or business associate or certain inadvertent disclosures within a covered entity or business associate.
  • Timing of Notice. If a breach takes place, a covered entity must notify the affected individuals and, in certain circumstances, the media and HHS, “without unreasonable delay” and in any event within 60 days of the discovery of the breach.
  • Media and HHS Notice. If a breach involves 500 or more individuals, a covered entity must notify HHS. If a breach relates to more than 500 residents of a state, notice of the breach must be provided to a major media outlet (e.g., newspaper).
  • Business Associates. Business associates are required to notify covered entities of a breach within 60 days of discovery. The preamble to the rules contemplates that the business associate agreement between a covered entity and a business associate may assign notice obligations to the business associate. Employers should consider pursuing this approach because business associates (e.g., TPAs and brokers) typically hold the vast majority of PHI.
  • Next Steps. Before the sanction reprieve expires, covered entities should take the following steps:
    1. To the extent a covered entity holds PHI, develop safeguards to prevent and detect breaches. If feasible, encrypt all or the majority of the PHI in its possession to avoid or limit the notice rules.
    2. Amend business associate agreements and allocate notice responsibilities.
    3. Develop a breach notification policy and train employees on the policy.