Health Care Providers Should Take Note of Final HIPAA Breach Notification Laws
Today the Department of Health and Human Services' final regulations governing the new Health Insurance Portability and Accountability Act (HIPAA) security breach notification requirements were published in the Federal Register. These regulations take effect September 23, 2009, and health care providers should take care to familiarize themselves with the requirements by then.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the 2009 Stimulus Bill, requires HIPAA-covered entities to provide notification to affected individuals and the Secretary of Health and Human Services following the discovery of a breach of unsecured protected health information (PHI). In some cases, the HITECH Act requires covered entities to provide notification to the media of the breaches. In the case of a breach of unsecured PHI by a business associate (such as an accountant or attorney) of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary of Health and Human Services to post a list of covered entities that experience a breach of the PHI of 500 or more individuals on the HHS website.
However, it is important to note that the HITECH Act does not require the reporting of every slip-up and privacy violation by a covered entity or business associate. For example, in order for a breach to occur the PHI must be “unsecured”. This means that the information must not have been rendered unusable, unreadable, or indecipherable to unauthorized individuals. For example, if a covered entity accidentally emails notes on a patient file to the wrong address, but the email is encrypted in a manner delineated by the regulations, the notice requirements would not be triggered because the information is not “unsecured”.
The regulations further detail that if a disclosure of PHI occurs, in order to determine whether the disclosure constitutes a “breach” as defined by 45 CFR §164.402, the covered entity/business associate needs to perform a risk assessment. According to the HHS interpretation in the Federal Register, a “breach” which “compromises the security and privacy of the protected health information” means one that “poses a significant risk of financial, reputational, or other harm to the individual.” For example, if a covered entity improperly discloses PHI that merely includes the name of a patient and the fact that he/she received services from a hospital, then this would be a violation of the HIPAA laws but may not constitute a true breach, in the sense that it may not pose a “significant risk of financial or reputational harm to the individual.” BUT if the information indicates the type of services received or includes information that increases the risk of identity theft (such as a social security number or mother’s maiden name), then it may be a breach. A risk assessment will help determine whether a true “breach” has occurred.
If a covered entity determines a breach has occurred, the entity is required to notify each individual whose unsecured PHI has been disclosed “without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered by the covered entity.” Further, a covered entity must provide notice to “prominent media outlets serving a State or jurisdiction, following the discovery of a breach if the unsecured protected health information of more than 500 residents of such State or jurisdiction is [improperly disclosed].” See 45 CFR §164.404. A breach of this scale also requires “immediate” notice to the Secretary of Health and Human Services.
The new HITECH provisions also include a whistleblower protection provision, which provides that a covered entity may not threaten or discriminate against an individual for following the notice requirements. See 45 CFR §164.530(g).
This post merely provides an overview of the new HIPAA changes, and the complete regulations include many additional requirements. The complete text of the changes is published in today’s Federal Register, 74 FR 42740-42770 (Aug. 24, 2009). For further information about compliance, providers and other covered entities should contact an experienced health care attorney.