HIPAA Covered Entities and Business Associates Must Give Notification of Disclosure of Unsecured Protected Health Information Due to Security Breaches



by Michael P. Davidson
Hinshaw & Culbertson LLP, Rockford Office

September 10, 2009

Previously published on September 8, 2009

On August 24, 2009, the U.S. Department of Health and Human Services (DHHS) published in the Federal Register an interim final rule that requires HIPAA covered entities and business associates to notify individuals, DHHS and, in some circumstances, the media, of breaches that result in the unauthorized access, acquisition, use or disclosure of unsecured protected health information. The interim final rule is effective September 23, 2009, and comments on it are due by October 23, 2009.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which is a part of the American Recovery and Reinvestment Act of 2009 (commonly referred to as the economic stimulus package), requires DHHS to issue regulations requiring HIPAA covered entities and their business associates to provide notification of breaches of unsecured protected health information. The interim final rule sets forth what circumstances constitute a breach, provides guidance as to what comprises unsecured protected health information, and specifies in detail how notice is to be given to individuals, DHHS and the media.

Notification to Individuals
A covered entity must notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovery of a breach, unless a law enforcement official states that notification would impede a criminal investigation or cause damage to national security. A breach is treated as discovered on the first day it is known, or reasonably should have been known, to the covered entity. The notification must include: a description of what happened, including the dates of the breach and of its discovery, and of the types of unsecured protected health information that were involved; any steps individuals should take to protect themselves from potential harm; a description of what the covered entity is doing to investigate the breach, mitigate harm and prevent further breaches; and procedures by which individuals can contact the covered entity to ask questions about the breach. The notification must be sent by first-class mail (or by e-mail, if the individual has agreed to receive notices electronically), with substitute notice by another method specified by the rule where contact information is insufficient or out of date.

Breaches Involving More Than 500 Individuals
If the breach involves more than 500 residents of a state or jurisdiction, the covered entity must, without unreasonable delay and no later than 60 days after discovery of the breach, notify prominent media outlets serving the state or jurisdiction. The required content of the notification to the media is the same as that of notices to individuals. If the breach involves 500 or more individuals, the covered entity must also notify DHHS contemporaneously with its notice to individuals, that is, within the same 60-day period. Notification may be delayed if a law enforcement official states that it would impede a criminal investigation or cause damage to national security. If the breach involves fewer than 500 individuals, the covered entity must maintain a log of all such breaches occurring in a calendar year and notify DHHS of them within 60 days after the end of that calendar year.

Notification by Business Associates
A business associate must notify the covered entity without unreasonable delay, and in no case later than 60 days after discovery of a breach, unless a law enforcement official states that notification would impede a criminal investigation or cause damage to national security. The notification must, to the extent possible, identify each individual whose unsecured protected health information was accessed, acquired, used or disclosed during the breach. It must also contain any other information the covered entity is required to include in its notices to affected individuals, to the extent the business associate has it.

Planning for and Responding to Breaches
Covered entities must develop policies and procedures designed to ensure compliance with the new breach notification rules, train their staff members regarding such policies and procedures, and apply appropriate sanctions against staff members who fail to comply with the policies and procedures. They must also develop a process by which individuals may make complaints concerning the breach notification policies and procedures.

Covered entities and business associates are advised to contact legal counsel in the event of a suspected breach of unsecured protected health information, as the duty to notify individuals, DHHS or the media does not apply in all situations. Not every instance of unauthorized access, acquisition, use or disclosure of protected health information constitutes a breach under the interim final rule. Rather, the incident must pose a significant risk of financial, reputational or other harm to the individual, a determination that the covered entity or business associate must document through a risk assessment. The rule also excludes a number of types of disclosures from the definition of "breach," such as certain unintentional or inadvertent uses and disclosures by workforce members acting in good faith within their authority. Additionally, the notification requirements apply only to "unsecured" protected health information, which is protected health information that is not encrypted or destroyed using technologies or methods specified by DHHS in published guidance. That guidance points to National Institute of Standards and Technology (NIST) publications for encryption of data at rest and in transit and for media sanitization, and it treats encryption as effective only where the decryption key has not itself been compromised, which is why the guidance calls for keys to be stored separately from the data they protect. In practice, whether lost or stolen data was encrypted in a manner that meets the guidance is often the deciding question as to whether notification is required at all.




The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.




Copyright 2009 LexisNexis, a division of Reed Elsevier Inc. All rights reserved.