Complying with HIPAA just got more complicated—and expensive. On August 24, 2009, the Secretary of Health and Human Services (HHS) published the interim final rule implementing the breach notification provisions in the HITECH Act passed earlier this year. The interim rule specifies what health care providers and other HIPAA-covered entities must do when they discover a breach of the protected health information (PHI) that they or their business associates maintain. Along with the FTC's Red Flag Rules and the data breach laws enacted by many states, the new HIPAA breach notification rules signify a new era of careful data management and accountability for breaches. Covered entities ignore the rules at their peril.
The interim rule is dense and complicated, so this alert focuses on just 12 of the most important things covered entities need to know:
- Effective Date & Grace Period. The interim regulations take effect on September 23, 2009. HHS, however, is using its "enforcement discretion" not to impose sanctions for 180 calendar days from the date of publication of the rule. This grace period ends on February 22, 2010. HHS has made clear that it still expects covered entities to try to comply with the new rules and keep track of any breaches that occur during the grace period.
- Information Subject to Breach Rules. The breach notification rules apply only to "unsecured protected health information," which is PHI "that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology" specified by HHS. Thus, covered entities may choose to secure their PHI in order to avoid having to provide breach notifications pursuant to the regulations. The process of securing PHI, however, can be costly and time-consuming.
- Determining Whether a Breach Has Occurred. Not all violations of the HIPAA Privacy or Security Rules will trigger breaches requiring notification under the new regulations. A breach requiring notification is defined as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security and privacy of the protected health information." HHS clarified that this means the breach must not only constitute a violation of the HIPAA Privacy Rule, but must also pose a "significant risk of financial, reputational, or other harm to the individual" to trigger the notification requirements.
- Harm Threshold and Risk Assessment. Because HHS has explicitly recognized a "harm threshold" for breaches, not all breaches will warrant notification to the affected individuals. Covered entities will need to perform a risk assessment to determine whether the breach "poses a significant risk of financial, reputational, or other harm to the individual." If there is no significant risk of harm, then no breach notification is required. HHS stated that covered entities need to consider a number of factors when performing a risk assessment, including (i) who impermissibly used or received the PHI, (ii) whether the covered entity has already taken immediate action to completely mitigate the risk of harm, and (iii) whether impermissibly disclosed PHI was returned prior to it being accessed by unauthorized individuals.
- Burden of Proof and Documenting the Risk Assessment. The rulemaking emphasizes repeatedly that the burden of proof is on the covered entity to demonstrate that all notifications have been made as required by the regulations. A covered entity must also carefully document when it has determined that a breach has occurred but notifications were not required, including documenting the risk assessment performed and the application of any exceptions that alleviated the need for breach notification. Thorough, careful documentation will be critical to defending potential claims that the covered entity failed to notify individuals of a breach.
- Exceptions to Federal Breach Notification. In the interim rule, HHS acknowledged and discussed the three statutory exceptions to the breach notification requirements—involving inadvertent and momentary disclosures—and provided several helpful examples. Importantly, however, HHS modified the statutory language from "employee" to "workforce members" in the regulatory exceptions. This expands the exceptions beyond just employees to also cover volunteers, trainees and other persons performing work on behalf of the covered entity.
- Time for Providing Notification to Individuals Impacted by Breach. Covered entities must notify individuals of breaches "without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered by the covered entity." HHS clarified that the breach shall be treated as discovered on "the first day the breach is known to the covered entity or by exercising reasonable diligence would have been known to the covered entity." HHS further stated that the covered entity will be deemed to have knowledge of a breach "if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity." (Emphasis added.) This is particularly important since the covered entity's breach notification obligation can begin to run on the day that its business associate suffered a breach, even if the business associate has not yet identified that a breach occurred. Undoubtedly, this rule places a premium on good communication and clarification of the business associates' obligations in the business associate agreement. Covered entities may also want to evaluate whether their business associates are "agents" or "independent contractors." Further, covered entities should know that the 60-day deadline is the outer limit for breach notice. If the covered entity has all of the information it needs to provide the notice prior to that 60-day deadline, then HHS expects such notice to be issued as soon as reasonably possible. If the covered entity lacks current contact information for an individual, substitute notice is required.
- Content of the Notification. HHS has specified the elements that must be included in the notification letter and the manner of delivery, including, for example, using first-class mail, contacting the next of kin of decedents if their contact information is known, and providing substitute notice via the media if contact information is unavailable for 10 or more affected individuals. HHS also emphasized that the notifications must be "written in plain language," which means drafting the notice at the appropriate reading level, using clear language and syntax, not including extraneous material, and even translating it into foreign languages or alternative formats, such as Braille, when required or appropriate. E-mail notice is permitted "provided the individual agrees to receive electronic notice and such agreement has not been withdrawn."
- Notice to Media and HHS. In addition to the notification letters covered entities must provide to affected individuals, covered entities must also provide notice via a press release to prominent media when the breach involves the unsecured PHI of more than 500 residents of a particular state or jurisdiction. In addition, the covered entity must also notify HHS "immediately" for breaches involving 500 or more individuals (regardless of whether they are from the same state or many states), and must put in place a toll-free number for 90 days. HHS clarified that "immediately" means that the notice to HHS must be sent concurrently with the notification sent to the individuals (i.e., within 60 days after the discovery of the breach). For breaches involving fewer than 500 individuals, covered entities must keep a log of all such breaches and notify HHS no later than 60 days after the end of each calendar year.
- Business Associate Obligations. A business associate must notify the covered entity when the business associate discovers a breach of unsecured PHI so that the covered entity can notify the appropriate individuals. The time for notification begins to run when the business associate becomes aware of the breach, or by exercising reasonable diligence should have been aware of the breach. Business associates are only obligated to notify the covered entity or entities affected by the breach, and not all covered entities with which they do business. However, if they are unable to determine the covered entity or entities from which the protected health information involved in the breach originated, they may have to notify all of their covered entities. HHS explicitly stated that the covered entity and business associate can contractually agree on the notification obligations, such as transferring the obligation for reporting to the business associate, or requiring indemnification for breaches by the business associate.
- Importance of Policies, Procedures & Staff Training. What comes through most clearly after reading the new rule and regulations is that covered entities and business associates must ensure that they have the appropriate written policies, procedures and staff training in place to identify and address security breaches efficiently and effectively. Many covered entities may already have record retention policies, data breach notification policies and similar policies and procedures in their compliance portfolio. However, those policies and procedures will need to be updated to incorporate the new HITECH Act rules, and staff will need to be trained on how to recognize a data breach and what steps to take after the discovery of a data breach. Good communication will be critical to a covered entity's efforts to comply with the new regulations.
- Complying with State Security Breach Laws. The federal breach notification obligations do not preempt state notification obligations, except to the extent that any state obligations are "contrary." HHS has specifically advised that it is not aware of any instances in which the state obligations would be contrary. This means that there are now two sets of obligations that must be evaluated and meshed together whenever a covered entity or business associate suffers a breach. In addition, the FTC has issued similar guidance that applies to vendors of electronic protected health records who are not covered entities or business associates.
In light of the increased penalties and heightened HIPAA enforcement from the HITECH Act, covered entities and their business associates should evaluate their privacy and security practices to help minimize the risk of having to address a breach in the first place. Since enforcement—albeit without monetary penalties through February 24, 2010—begins on September 23, 2009, covered entities and business associates do not have a lot of time to prepare.