September 18, 2009
Previously published on September 16, 2009
The U.S. Department of Health and Human Services ("HHS") recently published rules that require group health plans to notify individuals as soon as reasonably possible, but no more than 60 days, after their protected health information's security or privacy has been compromised. The plan also must provide notice of such a breach to HHS and, in some cases, to major media.
The new rules require business associates to notify a plan of such breaches as well. A business associate is already contractually bound to notify a plan of any privacy or security breach of which it becomes aware, but it now will be subject to statutory penalties if it fails to provide notice consistent with the new rules.
The breach notification rules are effective September 23, 2009, just 30 days after they were published. Until February 22, 2010, HHS will focus on compliance and not impose sanctions for violations of the new rules, but plan administrators and business associates must take steps now to comply.
New Rules, New Definitions
Notice Is Required Only if PHI Is "Unsecured"
The new notice is required only for breaches of "unsecured" protected health information ("PHI"). PHI is secured for this purpose if it is either destroyed or encrypted consistent with National Institute of Standards and Technology ("NIST") protocols. Access controls (e.g., firewalls), redaction, and "limited data sets" are not sufficient to make PHI secure. If a plan administrator or business associate implements the specified methodologies and technologies to make all its PHI secure, the breach notification rules will be inapplicable.
"Breach" Must Pose a Significant Risk of Harm
Subject to the exceptions described below, a "breach" for purposes of the notice requirement is an acquisition, access, use, or disclosure of an individual's unsecured PHI that violates HIPAA's privacy rule and poses a significant risk of financial, reputational, or other harm to the individual.
Plan administrators and business associates should already be very familiar with the use and disclosure restrictions that are integral to HIPAA's privacy rule. Under the new rules, when the business associate notifies the plan or the plan otherwise discovers a violation of the HIPAA privacy rule, the plan administrator must evaluate whether that violation poses a significant risk of harm to the individual and therefore qualifies as a "breach" for which notice is required. (Unless a business associate has agreed to provide breach notices on behalf of the plan, a business associate may not need to conduct such a risk assessment because it is contractually required to notify the plan of every HIPAA privacy rule violation of which it becomes aware, regardless of whether the violation poses a risk of harm.)
The plan administrator's risk assessment should weigh factors such as the nature of the PHI disclosed, to whom the PHI was impermissibly disclosed, the likelihood that the disclosed PHI is accessible and will be used, and the manner of breach. If the PHI was stolen, for example, the thief is more likely to know its value and use the PHI and so will pose a higher risk of harm than PHI that is accidentally disclosed or is disclosed to another entity that must comply with HIPAA.
A "breach" does not include the following:
» Any unintentional acquisition, access, or use of PHI by a workforce member or person acting on the plan's or business associate's behalf that was made in good faith, was within the scope of employment (or other professional relationship), and does not result in a further use or disclosure that violates the HIPAA privacy rule.
» Violations of the HIPAA privacy rule involving a "limited data set" that also excludes both dates of birth and ZIP codes.
» Disclosures of PHI if the plan or business associate has a good faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information—for example, if mistakenly disclosed PHI was retrieved before the recipient could read it.
» Any inadvertent disclosure of PHI between individuals who are both authorized to access PHI at the plan or business associate, even if not authorized to access the same type of PHI, and the PHI is not further used or disclosed in a manner that violates the HIPAA privacy rule.
Date of "Discovery" Determines Timeliness of Notice
The required notice must be provided as soon as reasonably possible under the circumstances, but not more than 60 days, after the breach is "discovered." The plan or business associate "discovers" the breach if it is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is in its workforce or is its agent.
Consequently, if a business associate is the plan's agent (as determined under federal common law), the plan's timeline for providing notice begins the date on which the business associate knows or would have known of the breach if exercising reasonable diligence. Likewise, a plan administrator's timely notice will be based on the date on which one of its employees knows or, if exercising reasonable diligence, would have known of an unauthorized use or disclosure of PHI, even if the employee does not actually know of or report the violation to the plan's designated privacy officer. If the business associate is not the plan's agent, however, the plan's timely notice is based on the date on which the business associate notifies it of the breach.
Notice Contents and Delivery
A plan administrator must provide written notice of a breach to each individual whose PHI was involved, to HHS, and, in some cases, to broadcast or print media.
Notice to Individuals
The notice to each individual must describe the type of PHI breached, the date of the breach and of its discovery, steps the individual should take and that the plan is taking to protect against potential harm, whom to contact with questions, and other relevant information. The notice must be sent via first-class mail to the individual's last known address or via electronic mail if the individual has specified that method as a preference. If the plan has insufficient or out-of-date contact information for an individual, it must provide a substitute notice by an alternative form that is designed to reach him or her (such as by telephone). If a substitute notice is required for ten or more individuals, the plan must post a conspicuous notice, including a toll-free number for inquiries, on its Web site for at least 90 days or in major print or broadcast media. A plan may contact an individual by telephone or other appropriate means if imminent misuse of PHI is possible, but such notice would only supplement the required notice described above.
Notice to HHS
A plan must record information about the breach and submit it to HHS annually, within 60 days after the end of the calendar year. If 500 or more individuals' PHI was involved in the breach, however, the plan must notify HHS concurrently with the individual notice. HHS will post a list on its Web site of plans that notified HHS of a breach involving 500 or more individuals.
Notice to Media
If the breach affects the PHI of more than 500 residents of a state or jurisdiction, the plan must also notify prominent print or broadcast media and set up a toll-free number for inquiries.
Notice From Business Associate to Plan
In its breach notice to a plan, a business associate must provide the identity of the affected individuals, to the extent possible, and any other information that the plan will need to include in its notice to affected individuals. A business associate must provide a plan with this information as it becomes available, even if after the 60-day notice period has lapsed.
Administrative Requirements
As both a technical and practical matter, compliance with the rules requires a plan administrator or business associate to develop and document policies and procedures for proper handling of potential and actual breaches. The rules specify a number of elements that the policies and procedures must include, such as sanctions for failure to comply and a mechanism to file complaints and report noncompliance. The plan administrator or business associate must train its workforce and agents on the new policies and procedures, emphasizing the importance of promptly reporting any privacy or security incidents.
The plan or business associate has the burden of showing that a violation of HIPAA's privacy rule was not a "breach" or, if it was, that notice was properly provided. The plan administrator or business associate must document its risk assessment or timely provision of notice and retain such documentation consistent with HIPAA's recordkeeping requirements.
Action Needed
If a plan administrator or business associate decides not to secure all PHI through NIST encryption or destruction, it should:
- Identify all its "agents" as determined under federal common law.
- Revise agreements with each agent and business associate to require that the agent or business associate implement reasonable monitoring systems to discover HIPAA privacy rule violations, comply with the new rules, and provide the plan with notice of any breaches within a specified number of days and with the legally required content.
- If a business associate agrees to provide notice on the plan's behalf to individuals whose PHI was affected by a breach, to HHS, and, if applicable, to the media, update the business associate agreement accordingly.
- Implement reasonable monitoring systems to discover HIPAA privacy rule violations. Develop and document legally compliant policies and procedures for actual and potential privacy breaches, and train workforce members and agents accordingly. Review and, if needed, revise current documents, such as the notice of privacy practice or employee handbook, to reflect the new policies and procedures, including sanctions or complaint procedures therein.
- Develop model breach notices that include all legally required information.
- If the plan or business associate does not have a Web site, consider whether to create a Web site on which to post substitute notices (in lieu of notifying major media).