HITECH Act Breach Notification Standards
This is the third in a series of three HITECH alerts.
This Wolff & Samson Health Law Alert is the third in a three-part series regarding the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act” or “HITECH”), which significantly broadens the scope of existing health information privacy and security requirements. The first HITECH alert addressed certain provisions of HITECH that create new and revise or expand existing privacy requirements with respect to protected health information (“PHI”) under the regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The second HITECH alert reviewed sections of HITECH that affect business associates of HIPAA covered entities and business associate agreements. This latest alert summarizes the HITECH Breach Notification Standards, which impose certain additional obligations on covered entities and business associates in the event unsecured PHI is breached.
Enforcement Will Begin February 22, 2010 – Necessary and/or Suggested Steps for Compliance
As a result of rules promulgated on August 24, 2009, the United States Department of Health and Human Services (“HHS”) will begin imposing penalties for noncompliance with the Breach Notification Standards on February 22, 2010. If they have not done so already, covered entities must incorporate the Breach Notification Standards into their existing HIPAA compliance infrastructure. For instance, covered entities are required to implement the same type of policies and procedures, training programs and other administrative elements relating to the Breach Notification Standards that are mandated under the HIPAA privacy rules. While business associates do not appear to be legally mandated to implement such administrative requirements, in light of their direct compliance obligations under the Breach Notification Standards (as further discussed below), we recommend business associates also implement policies, procedures and training programs to ensure their compliance. In addition, as discussed in the second Alert of this series, we recommend that covered entities and business associates amend their business associate agreements to delineate their respective legal obligations under the Breach Notification Standards and agree to certain communication terms to ensure their obligations will be satisfied in the event of a breach.
Basic Elements of the Breach Notification Standards
The Breach Notification Standards require the provision of notice to affected individuals, HHS and in some cases the media, in the event of a “breach” of “unsecured” PHI. As further detailed below, the Breach Notification Standards prescribe rules with respect to the methods, content and time period for providing such notice.
Definition of “Breach”
The term “breach” generally means “the acquisition, access, use or disclosure of protected health information in a manner not permitted under [the HIPAA privacy rules] which compromises the security or privacy of the protected health information.” There are scenarios that are specifically excluded from the breach definition, such as in the case of an unintentional acquisition of PHI by the employee of a covered entity or business associate.
- “Risk Assessment” Required to Determine Whether Security or Privacy of PHI Has Been Compromised. The phrase “compromises the security or privacy of the protected health information” as used in the definition of “breach” means the acquisition, access, use or disclosure of PHI “poses a significant risk of financial, reputational, or other harm to an individual.” To determine whether a significant risk of harm exists, covered entities and business associates will need to perform a fact-specific “risk assessment” that takes into account factors such as: (i) who impermissibly used the PHI or to whom the PHI was impermissibly disclosed; (ii) the steps taken to mitigate the impermissible use or disclosure; and (iii) the type and amount of PHI involved.
Definition of “Unsecured Protected Health Information”
The Breach Notification Standards only apply to breaches of “unsecured protected health information,” which is defined as PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary [of HHS].” HHS issued guidance in April 2009 regarding the technologies and methodologies, such as encryption, that can be used to secure PHI and avoid the occurrence of a “breach” of such PHI; this guidance is available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.
The Notice Requirements – Who Must Provide It, When It Must Be Provided, and What It Must Include
- Covered Entity Notice to Affected Individuals. In most instances a covered entity must provide notification of a breach to each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, involved in the breach. Such notice must be provided without unreasonable delay and in no event later than 60 calendar days after the date the breach was discovered by the covered entity. The notice must generally be provided in writing to the individual by first-class mail and must include certain information, such as a brief description of the breach incident and the types of unsecured PHI involved (e.g., full name, social security number, etc.).
- Covered Entity Notice to HHS. In the event more than 500 individuals are affected by a breach, in most instances a covered entity must notify HHS concurrently with notification to the affected individuals in the manner specified on the HHS website, located at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html. With respect to breaches that affect fewer than 500 individuals, the notification may occur later. A covered entity must maintain a log or other form of documentation of such breaches and, within 60 days after the end of each calendar year, provide HHS with notification of all such breaches that occurred during the preceding year in the manner specified on the HHS website (see link immediately above).
- Covered Entity Notice to Media. In cases where a breach of unsecured PHI involves more than 500 residents of a given state or jurisdiction, a covered entity must provide notification of the breach to prominent media outlets serving such state or jurisdiction without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Such notice must include the same information that is required for the notice to affected individuals.
- Business Associate Notice to Covered Entity. A business associate has an obligation to notify a covered entity of a breach of unsecured PHI without unreasonable delay and in no case later than 60 days following the discovery of such breach. The notice must include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, involved in the breach and, to the extent it is or becomes available to the business associate, any other information that a covered entity is required to include in the notice to affected individuals.
When a Breach Is Considered “Discovered”
A breach is generally considered “discovered” by a covered entity or business associate as of the first day the breach is known, or by exercising reasonable diligence would have been known, to the entity. A breach is generally “known” by an entity when a member of its workforce or an agent (other than the person committing the breach) has or should have knowledge of the breach.
The “discovery” provisions can have a substantial effect on the nature of the relationship between a business associate and covered entity, particularly when a business associate is an “agent” of the covered entity. In such a case, the business associate’s discovery of a breach of unsecured PHI will be imputed to the covered entity, and the timeframe within which the covered entity must make its required notification(s) will begin on the day the business associate discovered the breach. Whether or not a business associate is an “agent” of a covered entity will depend on the circumstances surrounding the engagement and the nature of the business associate relationship. Covered entities and business associates should consider this aspect of the Breach Notification Standards, and whether a business associate is properly categorized as an “agent,” when entering into and amending business associate agreements.
Burden on Covered Entities and Business Associates to Demonstrate Compliance – Documentation of Risk Assessments and/or Provision of Required Notifications Should Be Maintained
Covered entities and business associates have the burden of demonstrating that an impermissible use or disclosure of PHI did not constitute a breach or that all required notifications were made. Therefore, the provision of any required notifications or the risk assessment resulting in the determination that such notifications are not required should be documented in writing.
For more information, please contact:
David M. Hyman ¦ Member of the Firm ¦ (973) 530-2009
Daniel A. Schwartz ¦ Member of the Firm ¦ (973) 530-2005
Nicole DiMaria ¦ Counsel ¦ (973) 530-2111