September 16, 2009
New HIPAA Breach Notification Rule: Know Your Responsibilities
by Elizabeth Callahan-Morris, J.D.
Hall Render

As part of the Recovery Act, President Obama signed into law the Health Information Technology for Economic and Clinical Health Act (HITECH) on February 17, 2009. Among other provisions, HITECH makes several changes to the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Previously, HIPAA did not require covered entities to notify individuals or the Department of Health and Human Services (HHS) when their Protected Health Information (PHI) was improperly disclosed, although notification was sometimes part of a covered entity's effort to mitigate harm to an individual caused by a wrongful disclosure. HITECH significantly changes HIPAA in this regard because it will require notification of certain breaches of unsecured PHI.

Effective Date

The HHS interim final regulations are effective September 23, 2009. HHS, however, won't impose penalties for failures to provide notification for breaches discovered before February 22, 2010.

New Breach Notification Rule

Under the new rule, covered entities will be required to notify individuals of unsecured PHI that has been, or is reasonably believed to have been, accessed, acquired or disclosed due to a breach. Business associates will be required to notify the covered entity of such breaches.

Vendors of personal health records will be required to notify individuals and the Federal Trade Commission of such breaches.

Unsecured PHI

HITECH defines the term “unsecured PHI” as PHI “that is not secured by a technology or methodology specified by” HHS through guidance that renders PHI to be “unusable, unreadable, or indecipherable to unauthorized individuals”. HHS on April 17, 2009 issued guidance that established the following technologies/methodologies:

  • Encryption of electronic data at rest per National Institute of Standards and Technology (NIST) standards
  • Encryption of electronic data in motion per NIST standards
  • Shredding or destruction of paper, film or other hard copy media
  • Destruction of electronic media per NIST standards

Breach Notification Methods

The methods for breach notification depend in part on the size of the group of individuals affected:

  • Written notice through first class mail to individuals (or via email if specified as preferred by the individual), regardless of the size of the group affected.
  • Substitute notice to individuals whose contact information is out-of-date, regardless of the size of the group affected. For groups of 10 or more individuals, substitute notice means a posting on the covered entity’s website or a notice published in “major print or broadcast media.” It is expected that HHS will specify in future guidance what substitute notice means for groups of fewer than 10 individuals.
  • Notice published in “prominent media outlets,” if 500 or more residents of a state are affected.
  • Notice to HHS, if 500 or more individuals are affected.
  • Annual log to HHS of all breaches involving fewer than 500 individuals.

When to Notify

All notifications must be given without “unreasonable delay,” but no later than 60 days after discovery. Immediate notice to HHS must be given if 500 or more individuals are affected.

Breach Notification - Exceptions

The following instances will not be considered a breach requiring notification:

  • Unintentional access to PHI by a workforce member while performing his/her duties, where the information is not further used or disclosed.
  • Inadvertent disclosure of PHI by one workforce member to another at the same facility, where the PHI is not further used or disclosed.

Still Need to Comply with Other Rules

Even if the new breach notification requirement is not triggered, organizations may still be required to take the following actions in the case of a breach or other wrongful use or disclosure:

  • Mitigate harm for improper use or disclosure.
  • Log the wrongful disclosure in the accounting.
  • Impose disciplinary sanctions.
  • If a business associate, report to the covered entity security incidents and uses and disclosures of PHI not permitted by the business associate agreement.
  • Notify individuals under state identity theft law or other similar notification laws.

Breach Notification Action Items

To prepare for the expected effective date of September 23, 2009, organizations should undertake the following steps:

  • Adopt new, or revise existing, policies and procedures regarding identifying and responding to breaches.
  • Identify which types of PHI are unsecured.
  • Evaluate whether unsecured PHI can be made secure using approved technologies and methodologies.
  • Review e-security for all PHI.
  • Create a process for breach response to ensure all breaches are appropriately handled.

Elizabeth Callahan-Morris is an attorney with the law firm of Hall Render specializing in privacy and security, corporate compliance and patient care issues. Liz is a graduate of The George Washington University Law School (J.D.) and Michigan State University (B.A.). She may be reached at ecallahan@hallrender.com or 248-740-7505.