On August 24, 2009, the U.S. Department of Health and Human Services (“HHS”) released an interim final rule with request for comments entitled “Breach Notification for Unsecured Protected Health Information.” The HHS Rule applies to both covered entities and their business associates who are regulated under the Health Insurance Portability and Accountability Act (HIPAA). As a companion to the HHS Rule, on August 25, 2009, the Federal Trade Commission (“FTC”) published a final rule, entitled “Health Breach Notification Rule” (the “FTC Rule”). The FTC Rule applies to vendors of personal health records (“PHR”), PHR related entities and certain third party service providers. The FTC Rule closely follows the notification requirements in the HHS Rule. These rules implement sections of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, passed as part of the American Recovery and Reinvestment Act of 2009 on February 17, 2009.
The HHS Rule applies to any breach on or after September 23, 2009 and the FTC Rule applies to any breach on or after September 24, 2009. However, neither the HHS nor the FTC will assess sanctions for failure to provide the required notice for breaches discovered prior to February 22, 2010. Despite this short grace period, it is vital that covered entities, business associates and entities regulated by the FTC Rule take prompt action to address the breach notification requirements. These actions should include: (1) amending business associate agreements; (2) preparing appropriate policies and procedures to address breach notification requirements; (3) training workforce and employees on these policies; and (4) developing procedures for individuals to initiate complaints concerning the policies and procedures.
The HHS Rule
What is a Breach?
The HHS Rule specifies notification requirements for covered entities and their business associates to follow in the event of a breach of protected health information (“PHI”). A breach is defined in the rule as the acquisition, access, use or disclosure of unsecured PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. A covered entity or business associate must conduct a four-prong inquiry to determine if a breach has occurred.
Does the potential “breach” involve unsecured PHI? PHI is unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance published by HHS and available on the HHS website. Information that has been de-identified or excluded from the definition of PHI (such as employment records held by a covered entity in its role as an employer) is not considered PHI and, therefore, not subject to the breach notification rule.
Has there been an impermissible use or disclosure? Assuming PHI is involved, the covered entity or business associate must determine whether the alleged “breach” violates the Privacy Rule, which could render the use or disclosure impermissible. Violations of the Privacy Rule that do not involve the use or disclosure of PHI, such as a violation of an administrative requirement including reasonable safeguards or appropriate policies and training, would not constitute a breach unless the Privacy Rule violation results in an actual use or disclosure of PHI in violation of the Privacy Rule. Likewise, violations of the Security Rule that do not also violate the Privacy Rule would not result in a breach.
Does the potential “breach” result in a significant risk to the individual? Assuming that an impermissible use or disclosure has occurred, the covered entity or business associate must conduct a fact-specific risk assessment in order to determine whether the breach results in a significant risk of financial, reputational, or other harm to the individual. The risk assessment should consider relevant factors including, but not limited to:
- Who impermissibly used the PHI or to whom the PHI was disclosed (e.g., was it disclosed to another covered entity with HIPAA obligations to maintain the privacy of the PHI)?
- Did the covered entity or business associate take immediate steps that mitigated the impermissible use or disclosure (e.g., obtaining reasonable assurances that the recipient will not further use or disclose the PHI or that the PHI has been or will be destroyed)?
- Has the PHI been returned prior to being improperly accessed (e.g., upon return of a laptop, a forensic investigation shows that the PHI was not accessed)?
- What is the type and amount of PHI involved in the use or disclosure (i.e., is the PHI involved of a type or amount that could reasonably impact an individual’s reputation or cause financial or other harm)?
Does an exception apply? Lastly, assuming a breach meeting the above tests has occurred, the covered entity or business associate must determine whether the breach falls within one of the three exceptions contained in HHS’ definition of breach. For each exception, the acquisition, access or use must not result in further impermissible use or disclosure under the Privacy Rule.
The first exception is any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate provided that such acquisition, access or use was made in good faith and within the scope of the person’s authority. For example, if a billing employee receives and opens an email containing PHI mistakenly sent by a nurse and the employee notices that he is not the intended recipient, alerts the nurse to the error, and deletes the email, then no breach occurred.
The second exception is any inadvertent disclosure by a person who is authorized to access PHI at the covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement.
Physicians, nurses, and billing employees qualify as types of persons who are authorized to access PHI. On the other hand, the exception would not apply upon disclosure from or to a receptionist who lacks the authority to access PHI.
The third exception is a disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. For example, if an explanation of benefits (“EOB”) is sent to the wrong person but it is returned to the covered entity as undeliverable, a breach did not occur because the individual never received the EOB and so could not further disclose it.
Because covered entities and business associates have the burden to prove why a breach notification is not required, they should carefully document risk assessments and how any applicable exceptions are met.
Timeframe for Notification
A covered entity must provide any required notification of a breach without unreasonable delay and no more than 60 days from discovery of the breach. Sixty days is the outer limit; in some cases, waiting the full 60 days may itself be an unreasonable delay.
A breach is treated as discovered as of the first day on which the breach is known to the covered entity or, by exercising reasonable diligence, would have been known to the covered entity. A covered entity is not liable for providing notification in cases in which it is not aware of a breach unless it would have been aware if it had exercised reasonable diligence. Knowledge of a breach by a member of the workforce or other agent of the covered entity (other than the person committing the breach) is imputed to the covered entity. Consequently, it is vital that covered entities implement reasonable policies and systems for discovery of breaches and train their workforce members and agents to recognize and promptly report a breach. Notification may be delayed if a law enforcement official states to a covered entity or business associate that a notification, notice or posting requirement will impede a criminal investigation or cause damage to national security.
Contents of Notification
The individual notification must be written in plain language and describe: (1) what happened, including the date of the breach and date of discovery, if known; (2) the types of unsecured PHI that were involved; (3) any steps individuals should take to protect themselves from potential harm resulting from the breach; (4) what the covered entity involved is doing to investigate the breach, to mitigate harm, and to protect against further breaches; and (5) contact procedures for individuals to ask questions or learn additional information.
Methods of Notification
Notification must be provided in writing by first class mail to the individual at the individual’s last known address unless the individual has consented to electronic notice. In the event that the individual whose PHI is breached is deceased, the notice should be sent to the individual’s next of kin or personal representative (if known). Substitute notice may be provided if the individual’s contact information is insufficient or out of date. If the covered entity has insufficient contact information for 10 or more individuals, the substitute notice must be by one of the following methods: (1) conspicuous posting on the covered entity’s website for 90 days; or (2) conspicuous notice in major print or broadcast media in the individuals’ geographic area for 90 days. The substitute notice must contain a toll-free number which is active for 90 days to enable individuals to call and obtain additional information. To avoid sending substitute notice, the covered entity may attempt to update any insufficient contact information so that it is current. Moreover, if the covered entity believes that the breach poses an imminent risk of misuse of unsecured PHI, the covered entity may provide urgent notice via telephone or other appropriate means.
If a breach involves more than 500 residents of a state or jurisdiction, a covered entity, after discovering a breach, must notify prominent media outlets serving the state or jurisdiction. For example, if a laptop containing unsecured PHI of more than 500 residents of a particular city is stolen, the covered entity is only required to notify prominent media in that city. However, if the laptop contained unsecured PHI of more than 500 individuals spread across a particular state, then the covered entity would be required to notify a prominent media source serving the entire state. The media notification requirement does not apply if the 500 residents are spread across multiple states with fewer than 500 individuals residing in any one state. Therefore, if 200 residents reside in Texas and 300 reside in New Mexico, media notification is not required.
Notification to the Secretary
A covered entity that experiences a breach involving 500 or more individuals must notify the Secretary of HHS at the same time it provides notification to the affected individuals. For breaches involving fewer than 500 individuals, the covered entity must document the breach in a log that will be filed with HHS on an annual basis.
Applicability to Business Associates
If, after following the four-prong test discussed above, a business associate discovers that an impermissible breach occurred, a business associate must notify the covered entity of such breach. “Discovery” of a breach follows the same elements of discovery as seen for covered entities. Notice must be provided to the covered entity without unreasonable delay and no later than 60 calendar days after discovery of the breach. If possible, the notice should include the identification of each individual whose unsecured PHI has been or is reasonably believed to have been breached. The business associate must also provide any other available information that is required in the covered entity’s notice to individuals whose PHI is involved in the breach.
The FTC Rule
What does the FTC Rule regulate?
Unlike the HHS Rule, the FTC Rule focuses on breaches involving unsecured “personal health records” (“PHR”), which are defined as “electronic records of PHR identifiable health information on an individual that can be drawn from multiple sources and that are managed, shared and controlled by or primarily for the individual.” In order to protect individuals whose information is held in a PHR, the FTC Rule establishes breach notification requirements for vendors of PHR, PHR related entities and third party service providers. The FTC is not limited by any jurisdictional tests in the Federal Trade Commission Act, and, therefore, entities such as non-profit organizations that are traditionally outside the FTC’s jurisdiction must comply. In addition, foreign entities with U.S. customers are required to comply with the breach notification requirements.
Vendors of PHR are entities that offer or maintain PHR, such as through a website service. PHR related entities are entities that (1) offer products or services through the websites of a vendor of PHR; (2) offer products or services through the websites of HIPAA-covered entities that offer individuals PHRs; or (3) access information in a PHR or send information to a PHR. Examples of PHR related entities include web-based applications that help consumers manage medications and websites offering online personalized health checklists. Third party service providers are entities that (1) provide services to a vendor of PHR in connection with the offering or maintenance of a PHR, or to a PHR related entity in connection with a product or service offered by that entity; and (2) access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose unsecured PHR identifiable health information as a result of such services. Third party service providers include entities providing billing, debt collection or data storage services to vendors of PHR or PHR related entities.
What is a Breach?
The FTC defines a breach of security to mean the acquisition of unsecured PHR identifiable health information of an individual in a PHR without the authorization of the individual. To assess whether a breach occurred, a vendor or other entity must evaluate:
Whether the potential “breach” involved unsecured PHR: Unsecured PHR would be PHR identifiable health information that is not protected through the use of a technology or methodology specified by HHS.
Whether there has been unauthorized access of the unsecured PHR: When there is unauthorized access to data (i.e., the opportunity to view the data), unauthorized acquisition (i.e., the actual viewing or reading of the data) will be presumed unless the entity that experienced the breach “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” Reliable evidence could include forensic analysis revealing that files were never opened, altered, transferred or otherwise compromised.
Whether the individual authorized the access: According to the FTC’s response comments, use of information to enhance individuals’ experience with their PHR would be within the scope of the individuals’ authorization, as long as such use is consistent with the entity’s disclosures and individuals’ reasonable expectations. Such authorized uses could include communication of information to the consumer, data processing, or Web design. Beyond such uses, the FTC expects that vendors of PHR and PHR related entities would limit the sharing of consumers’ information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of “meaningful choice.”
Timeframe for Notification
Notification of a breach must be provided without unreasonable delay but no later than 60 days from discovery. The FTC’s definition of discovery of a breach is virtually identical to that in the HHS Rule. A breach is treated as discovered as of the first day on which the breach is known or should have been known. Knowledge is imputed to an entity when a breach is discovered by an employee, officer or other agent of the entity. The FTC also adopted the HHS law enforcement exception.
The FTC’s individual notice procedures closely mirror those provided by HHS, and the same information discussed in the HHS Rule is required in this notification. Unlike the HHS Rule, however, if the individual is deceased, notice should be provided to the individual’s next of kin only if the individual provided contact information for his or her next of kin, along with authorization to contact them.
Notification to the FTC
Vendors of PHR and PHR related entities shall also notify the FTC following the discovery of a breach of security. If the breach involves 500 or more individuals, such notice shall be provided as soon as possible and in no case later than 10 business days following the date of discovery. If the breach involves fewer than 500 individuals, the vendor or entity may maintain a log of the breach and submit it annually to the FTC.
Vendors of PHR and PHR related entities must also notify prominent media outlets serving a state or jurisdiction in which 500 residents or more are affected. The FTC Rule mirrors the HHS requirements on this issue.
Notice by Third Party Service Providers
Upon discovery of a breach, third party service providers must notify the vendor of PHR or the PHR related entity and identify each customer whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, acquired during such breach. Vendors of PHR and PHR related entities must notify their third party service providers of their status as vendors of PHR or PHR related entities subject to the FTC Rule.
Entities with Overlapping and Dual Roles
At times, vendors of PHR and other entities regulated by the FTC Rule may have roles that overlap with both the FTC and HHS rules. These entities must be prepared to determine which breach notification requirements to follow and have policies in place to track customer lists of their own as well as those of covered entities that use their services. These relationships must be carefully analyzed to ensure that individuals receive proper notification under either the FTC or HHS Rules.
Planning and Preparation
Covered entities, business associates and entities regulated by the FTC Rule will be significantly affected by these breach notification requirements and should begin updating policies, procedures and related contracts to ensure timely compliance with the new provisions.