On February 17, 2009, President Obama signed into law the America Recovery and Reinvestment Act of 2009 (ARRA), which includes the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Provisions of the HITECH Act substantially expand the HIPPA Privacy and Security Rules and increase the penalties for HIPAA violations, including: mandatory federal breach reporting requirements for HIPAA covered entities and their business associates; application of HIPAA privacy and security requirements directly to business associates; and new privacy requirements including restrictions on disclosures by providers to health plans, changes to the minimum necessary standard, and restrictions on marketing and fundraising. This article focuses on the recently mandated breach reporting requirements, designed to deal with the ongoing problem of lost, stolen or misplaced laptops, hard drives, memory sticks, and similar incidents that potentially expose sensitive patient data to unauthorized view. Interim final regulations were published in the Federal Register by The United States Department of Health & Human Services (HHS) on August 24, 2009, and the notification provisions became effective 30 days thereafter.
Under the HITECH Act a covered entity that “access, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” (PHI) is required to notify individuals “whose unsecured PHI has been, or is reasonably believed by the covered entity to have been accessed, acquired, or disclosed” because of the breach. A similar requirement is imposed on business associates, who must provide notification to the covered entity. Two terms are critical to understanding the notification obligations: “unsecured protected health information” (PHI) and “breach.”
Guidance from the HHS Secretary defines “unsecured PHI” as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption or destruction according to the National Institute of Standards and Technology (NIST) standards. The guidance, which is to be updated annually, does not impose new requirements upon covered entities to encrypt all PHI. However, if a covered entity chooses to encrypt PHI to comply with the Security Rule, does so pursuant to the guidance, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification because the information is not considered “unsecured PHI.”
The term “breach” means the unauthorized acquisition, access, use, or disclosure of protected information which compromises the security or privacy of such information. Unintentional or inadvertent access to information by employees or agents of the covered entity is not a reportable breach unless that person further uses or discloses the PHI in an unauthorized manner. However, it does apply to unintentional disclosure to another covered entity such as a misdirected fax.
In the event of a breach, all notifications must be made without unreasonable delay and in no case later than 60 calendar days after the breach’s discovery. The regulations have very specific notification requirements, including the method and content of the notification for affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will are to be reported to the HHS Secretary on an annual basis.
Covered entities and business associates should address encryption as a method to comply with the HIPAA Security Rule, exempting them from the notification requirements, as well as be familiar with the requirements for responding in the event of a breach of unsecured PHI. In addition, covered entities and business associates should be familiar with and prepare for the impact of the other provision of the HITECH Act, many of which become effective February 18, 2010, including the extension of certain HIPAA Security Rule provisions to business associates.
NOTE: This general summary of the law should not be used to solve individual problems since slight changes in the fact situation may require a material variance in the applicable legal advice.