Mid-Atlantic Health Law TOPICS
HIPAA Breach Notification
Effective September 23, 2009, entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must follow different notification paths to mitigate the effects of a security breach, depending upon whether the breach involves "secured" or "unsecured" protected health information (PHI).
The recently enacted Health Information Technology for Economic and Clinical Health Act (HITECH) requires a covered entity to follow mandatory notification procedures, if a HIPAA security breach involves unsecured PHI. Accordingly, covered entities now need to know: the difference between secured PHI and unsecured PHI; what constitutes a security breach; and the mandatory notification procedures for unsecured PHI.
A. Secured vs. Unsecured
For electronic PHI, the Department of Health and Human Services (HHS) defines secured PHI as data that is encrypted consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices (for data at rest); Federal Information Processing Standards 140-2 (for data in motion); or NIST Special Publication 800-88, Guidelines for Media Sanitization (for the destruction of data). These guidelines are available at www.csrc.nist.gov.
Electronic PHI that is encrypted under a different standard, as well as unencrypted electronic PHI, is unsecured PHI. For example, PHI that is merely protected by a password or a firewall is unsecured.
Hard copy PHI, which includes paper records, film and other media, must be shredded or destroyed so that the PHI cannot be read or reconstructed. Hard copy PHI that is destroyed in some other fashion, as well as hard copy PHI that is stored or used, is unsecured PHI. However, PHI that has been redacted to eliminate patient identification is not PHI, and not subject to breach notification at all.
B. Breach vs. Non-Breach
If a covered entity or a business associate has an unauthorized disclosure of unsecured PHI, then that covered entity or business associate must determine if a "breach" occurs.
According to HITECH, a breach is an unauthorized acquisition, access, use or disclosure of PHI that "compromises" the security or privacy of that information. Moreover, the security or privacy of PHI is "compromised" when there is a significant risk of financial, reputational or other harm to the affected individual.
However, there are four statutory exceptions that allow unauthorized disclosures without becoming a "breach."
First, it is not a breach when the unauthorized person would not reasonably be able to retain the information obtained through the unauthorized disclosure. This might occur with a momentary unauthorized use or disclosure.
Second, any unintentional acquisition, use or access by employees or contractors acting under the authority of a covered entity or business associate is also not a breach if the information acquired is not further accessed, used or disclosed. However, those employers or contractors must have acquired, accessed, used or disclosed the information in good faith and in the scope of their employment or professional relationship with the covered entity or business associate.
Third, an inadvertent disclosure of PHI from one authorized person at a facility operated by a covered entity or business associate to another person in a similar role at the same facility is exempt from becoming a breach.
Fourth, a breach does not occur if the information received as a result of the unauthorized disclosure is not further acquired, accessed, used or disclosed without authorization. This fourth exception contemplates that inadvertent disclosures outside the facility can be remedied by authorizing the future use or disclosure of the information, or if the recipient of the information agrees to destroy, clear or delete the information.
Covered entities and business associates that have secured PHI have latitude in determining the speed, type and extent of the notification to be followed in the event of a HIPAA breach.
However, covered entities must give notice of a breach of unsecured PHI to the affected individuals without unreasonable delay and no later than 60 calendar days after the discovery of the breach. A business associate that experiences a breach of unsecured PHI should notify the applicable covered entity, and the covered entity should then notify the individuals.
Further, while regulations provide greater detail, the notice of the breach of unsecured PHI must contain, at a minimum, the following information:
1. The date of the breach, if known;
2. The date of discovery of the breach;
3. The type of information breached;
4. A description of the investigation, the
steps taken by the covered entity or business associate to mitigate the effect of the breach, and any recommendations to current policies and procedures to prevent future breaches;
5. Recommendations as to how individuals may protect themselves from the effect of the
6. Instructions for further information,which should include a toll-free telephone number, email address, Internet website or postal address.
The method of delivering the notice varies depending on the situation. When the individual's contact information is known, notification may be by first class mail or email (if the individual permits electronic communications). If there is imminent danger of misuse of PHI, the covered entity may notify the affected persons by telephone. If the contact information is out of date or unknown, the notice must be posted on the Internet for 90 days, or the covered entity must establish a 90-day toll free number, and advertise the number through major print or broadcast media.
If the breach involves 500 or more individuals, then the notice must be provided to major media outlets and to HHS. HHS will keep an historical listing of these large breaches on the Internet. Covered entities must also inform HHS of smaller breaches at the end of each calendar year.
Covered entities should weigh (1) the cost-effectiveness of converting unsecured PHI to secured PHI against (2) the risks and expense of providing the mandatory notification for unsecured PHI, and act accordingly.
September 20, 2009