New security breach notification requirements will become effective soon for entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which includes health plans, health care clearinghouses and health care providers. Prior to this change in the law, there was no obligation to notify affected individuals of a breach of privacy or security of protected health information. Now, covered entities must notify individuals upon discovering a breach of unsecured protected health information. Further, a business associate must notify the affected covered entity upon discovery of the business associate's breach.

Important Deadline: HIPAA's breach notification requirements become effective 30 days after Health and Human Services (HHS) issues regulations implementing this new law. These regulations should be issued no later than August 16, 2009. Do not delay in putting procedures in place to implement these new requirements.

Upon discovery of a breach, notice must be provided by the covered entity without "unreasonable delay" but no later than 60 days after the discovery of the breach. A breach is considered to be discovered when at least one employee (other than the individual responsible for the breach) knows or reasonably should know of the breach. The notice requirements are summarized below:

  • Written notice must be provided to the affected individuals by first-class mail (the notice must contain elements prescribed by HHS);
  • In urgent cases, notice by telephone or other means may be required;
  • If 500 or more individuals are affected, notice must be provided to:
    • prominent local media outlets; and
    • HHS – who will post the entity's name on its website and most likely target the entity for an audit; and
  • A log must be kept of all breaches (regardless of number of individuals affected) which must be reported to HHS annually.

In addition to HIPAA's requirements, entities must also be aware of and comply with state breach notification statute requirements. Many states, such as California, have much shorter timeframes in which to report breaches than that required by HIPAA. Therefore, it is critical to coordinate both state and federal law requirements when implementing breach notification procedures.

The following entities should take steps immediately to begin developing HIPAA breach notification procedures:

  • Employers who offer self-insured health plans (medical, dental, vision, wellness, health FSAs, etc.);
  • Employers who maintain fully-insured health plans and receive more than enrollment and general summaries of usage from the carrier;
  • Business associates (entities that perform services on behalf of covered entities involving the use or disclosure of protected health information, such as third party administrators, brokers, consultants, accountants, auditors, attorneys, transcriptionists, collection agencies, etc.);
  • Health care clearinghouses; and
  • Health care providers.

HHS can impose civil penalties up to $1.5 million per violation per year for non-compliance with HIPAA's new breach notification requirements.

Entities subject to these new requirements should begin developing a program now for responding to security breaches, such as determining who will communicate with the media and HHS, procedures for investigating the scope of a breach and mitigating the consequences of the breach, procedures for coordinating HIPAA requirements with state breach notification statutes, who to contact internally upon discovery of a breach, time frames for acting upon discovery of a breach, etc. Starting the process early will eliminate the need to 'scramble' to meet the 30 day deadline once the regulations are issued by HHS.