No Time to Waste: HHS Issues HIPAA Breach Notification Rules

The Department of Health and Human Services issued an interim final rule on Aug. 19, 2009, establishing standards for notification of breaches of unsecured protected health information (PHI).

The rule clarifies certain key definitions and concepts, generally in a manner that is favorable to covered entities and business associates, while remaining true to the Health Insurance Portability and Accountability Act of 1996 and the new Health Information Technology for Economic and Clinical Health Act.

The bulk of the interim final rule implements the breach notification provisions of the Act as they apply to HIPAA covered entities and their business associates.

The HITECH breach notice rules will go live in about a month, so there is little time to waste. HITECH encourages HHS to step up its audit activities. Sanctions have been increased, and state attorneys general have been given concurrent jurisdiction over the HITECH mandates. As a consequence, the compliance bar has been raised significantly.

Determining a breach

The rule makes clear that the definition of “breach” is limited to PHI. In determining whether notification is required under the Act, one must first determine whether a use or disclosure violates the privacy rule. This means, among other things, that the breach notice rules do not apply to employment records, which are not PHI. (Notification requirements under other laws may still apply to employment records.)

A “breach” must relate to a use or disclosure that “compromises the security or privacy” of PHI. Once it is established that a use or disclosure violates the privacy rule, the covered entity must determine whether the violation compromises the security or privacy of the PHI. Here, HHS officials said that the breach must “pose a significant risk of financial, reputational, or other harm to the individual” to trigger the obligation to provide notice.

In appropriate instances, this will require covered entities and business associates to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure.

Covered entities and business associates are also instructed to consider who impermissibly used the information or to whom the information was impermissibly disclosed when evaluating the risk of harm to individuals.

For example, if PHI is impermissibly disclosed to another covered entity, the chance of significant harm may be more remote, since the recipient is already obligated to protect PHI. Covered entities and business associates should also consider the type and amount of PHI involved in the impermissible use or disclosure.

Notice’s language

Notice of a breach must be provided without unreasonable delay and within 60 days after “discovery.” A breach is “discovered” as of the first day that it is known (or reasonably should have been known) to the covered entity or the business associate. (A business associate that discovers a breach is required to notify the covered entity.)

A covered entity or business associate is treated as having knowledge of a breach on the day that any employee, officer, or other agent has such knowledge (except for the individual who committed the breach).

The notice of breach must, at a minimum, contain (i) a brief description of the breach, including dates; (ii) a description of the types of unsecured PHI involved; (iii) the steps the individual should take to protect against potential harm; (iv) a brief description of the steps the covered entity or business associate has taken to investigate the incident, mitigate harm, and protect against further breaches; and (v) contact information.

The interim final rule requires that the notices be written in plain language and that they not include the actual PHI that was the subject of the breach (e.g., social security numbers). Notices must also tell the individual how to mitigate harm (e.g., by notifying his or her credit card company if the breach included related financial information).

Additional notice requirements include the following:

  • Written notice must be provided to the individual (or next of kin if the individual is deceased) at the last known address of the individual (or next of kin) by first-class mail (or by electronic mail if specified by the individual). Notices to minors, incapacitated persons, and deceased persons may be made to their personal representatives.
  • Where there is insufficient or out-of-date contact information, or in the case of 10 or more individuals for which there is insufficient contact information, conspicuous posting (for a period determined by the Secretary) on the home page of the Web site of the covered entity or notice in major print or broadcast media is required.
  • Where there is a possibility of imminent misuse of the unsecured PHI, notice by telephone or other method is permitted in addition to the methods described above. Substitute notice for breaches involving fewer than 10 people may include alternative forms of written notice, telephone, email, or other means. Where the substitute notice covers more than 10 individuals, a toll-free telephone number must be provided for at least 90 days.
  • What constitutes a prominent local media outlet depends on the circumstances. In the case of a small town, an appropriate media outlet may be the local newspaper. In other cases, a prominent local media outlet may be a major general interest newspaper with state-wide circulation. Notices to the media are in addition to individual notices.
  • Notice is required to be provided to prominent media outlets within the state or jurisdiction if a breach of unsecured PHI affects or is reasonably believed to affect more than 500 residents of that state or jurisdiction.
  • Notice must be furnished to HHS by covered entities immediately for breaches involving more than 500 individuals and annually for all other breaches.

Course of action

Covered entities and business associates should take steps to protect their PHI, so as to avoid having to provide breach notifications. The preamble to the interim final rule places a premium both on workforce training and on adopting and routinely revisiting policies and procedures regarding securing PHI.

Policies and procedures also should be put in place to accommodate breach notifications, including guidelines for performing assessments and determining whether a breach that requires notice has occurred. Business associate agreements should also be revised to include specific references to the breach notice requirements.
