HHS Issues Rule on Breach Notification for Unsecured Protected Health Information
On Aug. 20, 2009, the Department of Health & Human Services (HHS) issued an interim final rule addressing data breach notification requirements for entities and business associates covered under the Health Insurance Portability and Accountability Act (HIPAA). (Read the HHS press release here.)
We expect the interim final rule to be published in the Aug. 24 Federal Register. It will go into effect for breaches occurring 30 days after publication. The final rule will be issued after a 60-day public comment period.
HHS says it will not enforce the rule for 180 days to give covered entities an opportunity to come into compliance. However, covered entities will need to move quickly to do so.
Covered entities should consider the following measures:
- Begin logging data breaches on the effective date. HHS does expect covered entities to report breaches occurring after the effective date in their annual report to HHS for 2009, so it appears that covered entities and their business associates should begin recording breaches on the effective date, even if they are not notifying individuals immediately.
- Assign compliance responsibility. Typically, this will require expertise in privacy and in data security.
- Prepare policies and procedures for the detection and investigation of data breaches, for determining whether they are reportable, and for identifying the individuals involved. The rule expressly requires policies and procedures for breach reporting. It also makes a covered entity liable for breaches that should have been discovered by exercising reasonable diligence, even if they were not in fact discovered. This places a premium on effective detection and investigation of possible breaches.
- Settle on a form of notice and contact procedures, and on what assistance (if any) is to be offered to individuals. Making these decisions should not be a cause of delay if a breach occurs.
- Integrate these policies and procedures with state breach reporting requirements. Covered entities will want to send a single notice, so it should satisfy state law as well as the new rule.
- Train workforce in the new requirements—again, this is an express requirement of the regulation.
- Communicate with business associates. The regulation places business associates under a direct legal obligation to report data breaches to covered entities, and does not require covered entities to amend their business associate contracts. However, covered entities may want to ensure that their business associates are aware of the requirements, and to address the timing and method of reporting with them.
- Re-check data security compliance, particularly for portable media and remote access. The new regulation, together with the increased penalties under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the recent reassignment of enforcement responsibility from the HHS Office of Inspector General to the Office for Civil Rights, is likely to increase the cost of security breaches substantially.
The rule implements the HITECH Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA). A companion regulation was issued by the Federal Trade Commission (FTC) on Aug. 17, 2009, implementing the personal health record (PHR) notification requirements which are applicable to PHR vendors and related entities. (Please see our Aug. 24, 2009, advisory, FTC Issues Final Rule on Breach Reporting by Personal Health Record Providers.)
The HHS rule is similar to the data breach reporting requirements already in effect in most states. It is broader than some, however, because it covers breaches of any protected health information, not just electronic data, and not just financially sensitive data.
The rule requires covered entities to notify affected individuals and HHS of security breaches involving the unauthorized acquisition, access, use or disclosure of unsecured protected health information (PHI) which compromises the security or privacy of such information. The rule also requires business associates to notify covered entities of such breaches. It does not apply to information that has been de-identified in accordance with the HIPAA Privacy Rule, in which case it is not considered to be PHI, or to employment records held by a covered entity in its role as an employer.
A breach must at a minimum constitute a violation of the Privacy Rule to require notification. So, for example, incidental disclosures allowed by the Privacy Rule do not trigger notification. And not all violations need be reported: A security breach must pose a “significant risk of harm” to an affected individual before a report is required.
HHS suggests the following factors be analyzed to perform an assessment of the risk of harm: to whom the data was disclosed (e.g., disclosure to another covered entity presents little risk); whether or not mitigation is possible (e.g., obtaining a satisfactory assurance of nondisclosure or obtaining forensic proof that a stolen laptop’s data was not accessed); and the type and amount of information breached (e.g., a list of patient names at a facility may present little risk of harm unless the facility is a substance abuse treatment program).
Covered entities and business associates must document their risk assessments in order to be able to demonstrate, if necessary, that no notification was required.
There are also two other sets of circumstances in which the notification requirements will not apply:
PHI rendered unusable. First, in the commentary to the rule HHS republishes an updated guidance that specifies when PHI will not be considered to be unsecured because of the use of technologies and methodologies that render the PHI unusable, unreadable or indecipherable.
The HIPAA Security Rule requires covered entities to consider encryption as a means of protecting electronic records, but does not mandate it. Nevertheless, encryption is the only method that will exempt a covered entity from complying with the new notification requirements in the event of a breach of electronic data. Mere access controls, such as firewalls and passwords, will not suffice. The commentary also states that covered entities and business associates that rely on encryption to avoid reporting should keep their encryption keys on a separate storage device from the encrypted data. With respect to paper documents, only their complete destruction, as opposed to redaction of identifying data, can exempt an entity from the notification requirements.
Exceptions to breach definition. The second set of circumstances that will exempt an entity from the notification requirements are embodied in three exceptions to the definition of a breach.
First, there is an exception for the good faith, unintentional acquisition, access or use of PHI, which is not further disclosed, by a person authorized by a covered entity or business associate. HHS gives the example of a billing employee who accidentally receives and opens an e-mail containing PHI that was intended for a nurse, and immediately deletes it.
Second, there is an exception for the inadvertent disclosure of PHI from one authorized person to another without further disclosure, such as when a physician discloses PHI to a nurse in the same covered entity.
Third, there is an exception for the unauthorized disclosure of PHI to a person who cannot reasonably retain it, such as when a nurse mistakenly hands a patient another patient’s discharge papers, but recovers them before the patient has an opportunity to read them.
In all other situations involving data breaches, notification to affected individuals must be made without unreasonable delay, and no later than 60 days after discovery (which is deemed to occur when the breach is known or should reasonably have been known), unless a delay is required by a law enforcement official. If a law enforcement official determines that notice would impede a criminal investigation or damage national security, the period for notification is tolled for the period specified by the law enforcement official.
If a breach involves 500 or more people, notice must be provided to HHS contemporaneously with the notice to the affected individuals, and also to appropriate local media when 500 or more people are located within the same state or jurisdiction. A log of breaches involving fewer than 500 individuals must be submitted to HHS annually. The log for 2009 need contain only breaches occurring after the effective date of the regulation.
The notices must be in plain language, and must contain the following information:
- A description of what happened (including the date of the breach and the date of discovery)
- A description of the types of information involved
- Information about what steps individuals should take to protect themselves
- A brief description of what the entity is doing to mitigate loss and avoid further breaches, and
- Contact information for individuals to ask questions or obtain additional information, including a toll-free telephone number, an e-mail address, a Web site or a postal address.
The commentary notes that some covered entities may also be required by the Civil Rights Act of 1964 to provide notices in languages other than English, or by the Rehabilitation Act of 1973 or the Americans with Disabilities Act to provide notices in Braille, large font or audio.
The notice must be given by first-class mail. If the individual has agreed to electronic notice, the notice may be sent by e-mail instead. If there are 10 or more individuals for whom the entity does not have current contact information, it must post the notice for 90 days on the home page of its Web site, or publish it in major print or broadcast media. In that event the entity must also maintain a toll-free telephone number for 90 days so that individuals can learn if their information was involved in the breach.
Business associates are required to notify a covered entity of any breaches, so that the covered entity can notify affected individuals. The notification must include any information the business associate has that the covered entity is required to include in its notification. The regulation leaves it up to covered entities and their business associates to determine how reports should be made. The standard HIPAA business associate contract requires the business associate to report to the covered entity unauthorized uses and disclosures, and security incidents.
The new regulation requires reports to be made without unreasonable delay and in any event within 60 days. Covered entities may address timing of reports in their business associate contracts, but are not required to do so. The rule does not preclude covered entities and business associates from agreeing that the business associate will give the required notice to individuals, but HHS encourages the parties to avoid sending duplicate notices.
How long does the covered entity have to notify individuals after receiving a report from a business associate? If the business associate is the agent of the covered entity under ordinary principles, the covered entity’s 60-day period begins when the business associate discovers (or should have discovered) the breach; if the business associate is an independent contractor, the period starts when the business associate notifies the covered entity. Business associates are typically independent contractors.
The administrative requirements of the Privacy Rule apply to this new rule, requiring covered entities to adopt policies and procedures for breach notification, and to train their workforce in the new requirements. Training in detection and follow-up is particularly important because the 60-day notification period begins when a covered entity would have discovered a breach with reasonable diligence. It will not be a defense to say that an employee was unaware of the reporting requirement, or of the need to investigate possible breaches.
The new rule applies the HIPAA pre-emption rule to state breach notification laws: A covered entity must comply with both state and federal law unless it would be impossible to do so, or the state law stands as an obstacle to the federal requirements. So, for example, a covered entity would have to comply with a state law that required reporting within a shorter period, or required additional information in the report. However, a state law that did not permit delays for law enforcement might be pre-empted by the requirement in the federal rule that covered entities must delay reporting at the request of a law enforcement official.