New regulations were recently issued by the Department of Health and Human Services (HHS) that require health care providers, health plans and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their protected health information is breached. These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA, also referred to as the stimulus bill).
The regulations require health care providers and other HIPAA-covered entities to promptly notify affected individuals of a breach of their protected health information. The HHS and the media (in cases where a breach affects more than 500 individuals) must also be notified of the breach. The regulations also require business associates of covered entities to notify the covered entity of breaches by the business associate.
The new rules became effective September 23, 2009, and covered entities are expected to comply with the new rules beginning on the effective date. However, HHS will not impose sanctions for failure to provide notifications until Monday, Feb. 22, 2010.
Breach Notification Rules
The discovery of a breach by a covered entity or business associate triggers the notification requirement. The notification rules apply only to unsecured protected health information, that is, information that has not been encrypted or completely destroyed. Not all violations of the HIPAA privacy rule will constitute a breach. In the event of a HIPAA privacy rule violation, the covered entity must perform a risk assessment to determine whether the impermissible use or disclosure poses a significant risk of financial, reputational or other harm to the individual.
Additionally, there are three exceptions to the breach notification rules. No notice is required if:
- There is an unintentional acquisition, access or use of personal health information by an employee or individual acting under the authority of a covered entity or business associate, if done in good faith and within the scope of authority;
- There is inadvertent disclosure from one covered entity or business associate employee to another person authorized to access the personal health information at the same covered entity or business associate; or
- The recipient would not reasonably have been able to retain the information.
Generally, notification of the breach must be provided within 60 days to:
- Affected individuals;
- The media, if 500 or more residents of a state or jurisdiction are affected;
- The HHS Secretary; and
- The covered entity, if the breach is discovered by the business associate.
The notice provided to the affected individual must be written in plain language and contain:
- A brief description of what happened, including the date of the breach and the date of discovery;
- The types of personal health information involved;
- Any steps the affected individuals should take to protect themselves from potential harm;
- A brief description of steps the covered entity is taking to investigate, mitigate harm to the individuals and protect against further breaches; and
- Contact information for affected individuals to ask questions, including a toll-free number, e-mail address, Web site or postal address.
Rather than waiting for a breach to occur and then reacting in a panic, best practice is to act now: establish notice procedures, maintain breach logs, revise business associate agreements, train employees and update privacy procedures.