A rule requiring healthcare providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals of a breach of their unsecured protected health information will become effective September 23, 2009.
The “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA).
The new “breach notification” regulations apply to HIPAA-covered entities and their business associates. HIPAA-covered entities include health plans, healthcare clearinghouses, and healthcare providers.
A business associate is a person or entity (such as a healthcare benefits broker) who, on behalf of the covered entity, performs a function involving the use or disclosure of individually identifiable health information.
Under the regulations, if a HIPAA-covered entity discovers a breach of protected health information, it must notify the affected individuals “without unreasonable delay” (in general, no later than 60 calendar days after discovery, unless law enforcement requests a delay). However, in the preamble to the regulations, the Department of Health and Human Services (HHS) notes that notification should be made as soon as reasonably possible. Therefore, HHS could find that a covered entity violated the breach notification rule if the covered entity waited 60 days when it could reasonably have made the notification sooner.
“We expect a covered entity to make the individual notifications as soon as reasonably possible,” HHS said in the preamble. “The covered entity may take a reasonable time to investigate the circumstances surrounding the breach, in order to collect and develop the information that [is required] to be included in the notice to the individual.”
In cases of breaches involving 500 or more individuals, the covered entity must also notify HHS and the media. Smaller breaches will be reported to HHS on an annual basis.
If a covered entity's business associate discovers a breach, the business associate must notify the covered entity.
The regulations state that entities that secure health information through encryption or destruction don't have to provide notification in the event of a breach.
The regulations define breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the HIPAA Privacy Rule] that compromises the security or privacy of the protected health information.” The rules further state that “compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”