On August 24, 2009, the U.S. Department of Health and Human Services (HHS) published an interim final rule (the Regulations) implementing the notification requirements for breaches of unsecured protected health information (PHI) enacted under Section 13402 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Effective September 23, 2009, covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates will be required to comply with these new breach notification requirements. In order to comply with the Regulations, covered entities and business associates should implement policies and procedures for the appropriate risk assessment and, if required, notification process in the event of a breach of unsecured PHI.
Under the Regulations, covered entities, as defined under HIPAA, will be required to notify individuals affected by the breach, the Secretary of HHS and, in certain circumstances, the media, following the discovery of a breach of unsecured PHI. Moreover, business associates of covered entities will be required to notify the covered entity of any breaches to the covered entity’s unsecured PHI. This memorandum describes the manner in which a covered entity and a business associate may determine whether a breach of unsecured PHI has occurred and the applicable notification requirements upon discovery of the breach.
Breach of Unsecured PHI
The initial step in assessing whether a breach of PHI triggers notification is to determine if the PHI was unsecured. “Unsecured protected health information” is defined in the Regulations as PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS. Covered entities and business associates that implement these specified technologies and methodologies with respect to the PHI are not required to provide notification in the event of a breach of this information.
On April 17, 2009, the Secretary of HHS issued initial guidance describing encryption and destruction as the two technologies and methodologies for rendering PHI unusable, unreadable or indecipherable to unauthorized individuals. The Regulations provide an update to that April guidance and specify that covered entities and business associates may use the following technologies and methodologies to render PHI sufficiently secure:
- Electronic PHI that has been encrypted by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached. To avoid breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. Certain encryption processes tested by the National Institute of Standards and Technology (NIST) have been judged to meet this standard.[1]
- The media on which the PHI is stored or recorded has been destroyed through one of the following methods:
  - Paper, film or other hard copy media has been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction of documents is specifically excluded as a means of data destruction.
  - Electronic media has been cleared, purged or destroyed consistent with NIST standards[2] such that the PHI cannot be retrieved.
Definition of a “Breach”
The Regulations define a “breach” as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information. After determining that the PHI involved was “unsecured PHI,” as defined above, HHS envisions that covered entities and business associates will employ the following three-step analysis to determine if a “breach” occurred:
Step 1: Determine whether there has been an impermissible use or disclosure of PHI under the Privacy Rule.
A breach occurs only if there is use or disclosure of unsecured PHI in violation of HIPAA’s Privacy Rule.
Step 2: Determine and document whether the impermissible use or disclosure compromises the security or privacy of the PHI.
This occurs when there is a significant risk of financial, reputational or other harm to the individual. In this step, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates may need to consider a combination of factors such as: (a) who impermissibly used the PHI or to whom the PHI was impermissibly disclosed; (b) whether the impermissibly disclosed PHI was returned before it was accessed for an improper purpose; and (c) the type and amount of PHI involved in the impermissible use or disclosure. HHS has provided a narrow, explicit exception to what compromises the privacy and security of PHI. More specifically, HHS has determined that a use or disclosure of PHI that excludes the 16 direct identifiers listed in the Privacy Rule that creates a “limited data set” and that also excludes the date of birth and zip code will not be deemed to compromise the privacy or security of PHI.
Step 3: Determine whether the incident falls under one of the three exceptions to the definition of a “breach.”
The three exceptions that do not constitute a breach include:
- Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of the covered entity or business associate, if such acquisition, access or use was: (a) made in good faith; (b) within the course and scope of authority; and (c) does not result in further use or disclosure in a manner not permitted under the Privacy Rule. As an example, in the commentary to the Regulations, HHS explains that an incident in which a billing employee receives and opens an e-mail containing PHI about a patient that was mistakenly sent to that employee would not be considered a breach if the billing employee notices that he is not the intended recipient, alerts the sender of the misdirected e-mail and then deletes it.
- Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or a business associate to another person authorized to access PHI at the same covered entity or business associate (or organized health care arrangement (OHCA) in which the covered entity participates), where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
- A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. For example, suppose a covered entity, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals and a few of the EOBs are returned by the post office, unopened, as undeliverable. In this circumstance, the covered entity can conclude that the improper addressees could not reasonably have retained the PHI. Those EOBs that were not returned undeliverable and that the covered entity knows were sent to the wrong individuals, however, should be treated as potential breaches.
Notifications to Individuals, the Secretary of HHS and the Media
If a breach of unsecured PHI (as determined above) has occurred, a covered entity must provide notifications to individuals affected by the breach, to the Secretary of HHS and, in certain circumstances, to the media. The Regulations include implementation specifications regarding the timeliness, content and methods of notice.
Notification to Individuals. Following the discovery of a breach of unsecured PHI, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of such breach. A covered entity must provide the required notification to an individual without unreasonable delay and in no case later than 60 days from the date the breach was discovered by the covered entity.
A covered entity is deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person who committed the breach) who is a workforce member or agent of the covered entity. Given this knowledge standard, it is important that covered entities implement reasonable systems for the discovery of breaches. Covered entities should ensure their workforce members and other agents are appropriately trained and aware of the importance of timely reporting privacy and security incidents and of the consequences of failing to do so.
The content of the notification to the individuals whose privacy has been breached must include, to the extent possible, the following elements: (1) a brief description of what happened, including the date of the breach and the date of discovery of the breach, if known; (2) a general description of the types of unsecured PHI that were involved in the breach, such as whether full name, social security number, date of birth, home address, disability code or other types of information were involved; (3) any steps individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals and to protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, including a toll-free number, an e-mail address, Web site or postal address. The notification must be written in plain language.
Covered entities must provide written notification by first-class mail to the last known address of the individual. If the individual previously agreed to electronic notice, then covered entities may provide notification by e-mail. If not all information regarding the breach is available at once, covered entities may provide notification in one or more mailings, as information becomes available. The Regulations also describe the methods for notification if the individual is deceased, if the covered entity has insufficient or out-of-date contact information or if there is a possible imminent misuse of unsecured PHI.
Notification to the Secretary of HHS. In addition to providing notice to the individuals of a breach of unsecured PHI, a covered entity must provide notice to the Secretary of HHS. The timing of the notification, however, differs depending on whether the breach involves 500 or more individuals or fewer than 500 individuals. For breaches involving 500 or more individuals (without regard to whether the breach involved more than 500 residents of a particular state or jurisdiction), a covered entity must provide notice to the Secretary of HHS concurrently with the notification sent to the individual (i.e., without unreasonable delay but in no case later than 60 calendar days following discovery of a breach) and include all the information provided in the notice to the individual. The names of covered entities that submit notification of breaches involving 500 or more individuals to the Secretary will be posted on the HHS Web site.
For breaches involving fewer than 500 individuals, the covered entity must maintain a log or other documentation of such breaches and submit information annually to the Secretary of HHS for breaches occurring during the preceding calendar year. This log must be submitted to the Secretary no later than 60 days after the end of each calendar year. Covered entities must maintain this log for six years. Although not available as of the date of this publication, HHS intends to post instructions on its Web site for submitting both the immediate and annual notifications to the Secretary.
Notification to Media. Following the discovery of a breach of unsecured PHI involving more than 500 residents of a particular state or jurisdiction, a covered entity must notify prominent media outlets serving that state or jurisdiction. HHS intentionally refrains from defining “prominent media outlets” in the Regulations, reasoning that what constitutes a prominent media outlet will differ depending upon the state or jurisdiction affected. Covered entities must make such notification to the media without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notification to the media must include the same content as the notification to individuals, as described above.
The Regulations also provide for a delay in notification to individuals, the Secretary of HHS and to the media if a law enforcement official determines that such notification would impede a criminal investigation or cause damage to national security.
Notification by Business Associates to Covered Entities
Following the discovery of a breach of unsecured PHI, a business associate must notify the covered entity of the breach so that the covered entity can notify affected individuals, the Secretary of HHS and, if required, the media, as set forth above. In cases in which a breach involves the unsecured PHI of multiple covered entities, and it is unclear to whom the breached information relates, it may be necessary for the business associate to notify all potentially affected covered entities.
The business associate must notify the covered entity without unreasonable delay, but no later than 60 calendar days following the discovery of a breach. The content of the notification to the covered entity must include, to the extent possible, the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached, and any other available information that the covered entity is required to include in its notification to the individual. In the commentary to the Regulations, HHS recognizes that in certain circumstances, the business associate may provide immediate notification of the breach to the covered entity and then follow up with the required information regarding the breach. If information surrounding the breach becomes available after the covered entity has sent notifications to individuals or after the 60-day period, business associates should provide this additional information to covered entities.
The timing of notifications by a covered entity to individuals, the Secretary and/or the media depends on whether the business associate is acting as an agent or is an independent contractor of the covered entity. If a business associate is acting as an agent of a covered entity, the business associate’s discovery of the breach will be imputed to the covered entity. In this circumstance, the covered entity must provide its requisite notifications based on when the business associate discovers the breach, not when the business associate notifies the covered entity. In contrast, if the business associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity must provide notification based on the time the business associate notifies the covered entity.
In the commentary to the Regulations, HHS emphasizes that it does not intend to interfere with the current relationship between covered entities and business associates. Accordingly, business associates and covered entities will continue to have flexibility to set forth specific obligations for each party, such as who at the business associate will provide notice to the covered entity and when the notification from the business associate to the covered entity will be required following a breach of unsecured PHI, so long as all required notifications are provided and other requirements of the Regulations are met. HHS, however, encourages covered entities and their business associates to consider which entity is in the best position to provide notice to the individual, which may depend on circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual. HHS also encourages the parties to ensure that individuals do not receive notifications from both the covered entity and the business associate about the same breach.
Although the Regulations directly require business associates to comply with the breach notification requirements, covered entities may desire to amend their business associate agreements to: (1) add additional specifications regarding the manner or timing of the notification from the business associate to the covered entity; or (2) strengthen their indemnification provisions in the business associate agreement.
Covered entities and business associates must develop and document policies and procedures regarding the breach notification requirements, train workforce members, impose sanctions for failure to comply with these policies and procedures, permit individuals to file complaints regarding these policies and procedures or a failure to comply with them, and refrain from intimidating or retaliatory acts. Additionally, when a covered entity or business associate becomes aware of an impermissible use or disclosure of PHI, it should maintain documentation that all required notifications were made or, alternatively, of its risk assessment or the application of any exceptions to the definition of “breach” to demonstrate that notification was not required.
Effective Date and Delayed Period for Sanctions
The breach notification requirements under the Regulations become effective as of September 23, 2009. In its commentary to the Regulations, HHS recognizes that it will take covered entities and business associates time to implement the process and procedures necessary to comply with these requirements. Accordingly, HHS will not impose sanctions for failure to provide the required notifications for breaches that are discovered before February 22, 2010. During this initial time period, however, HHS expects covered entities and business associates to comply with the breach notification requirements and HHS will work with covered entities and business associates, through technical assistance and voluntary corrective action, to achieve compliance.