The New Health Care Breach Notification Landscape -- HHS Rules

On February 17, 2009, Congress signed into law the Health Information Technology for Economic and Clinical Health or “HITECH” Act (“HITECH” or the “Act”) as part of the American Recovery and Reinvestment Act. The HITECH Act requires entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to provide notification to affected individuals and to the Secretary of Health and Human Services (“HHS”) following the discovery of a breach of unsecured protected health information. HITECH also requires business associates of HIPAA-covered entities to notify the covered entity in the event of the breach.  The Act required HHS to issue interim final regulations with respect to the new breach notification requirements. On August 24, 2009, the HHS interim final regulations were published in the Federal Register.  This post addresses some of the requirements of the HHS rules -- it does not address the FTC's rules for personal health records.

The HHS Rule was effective, and compliance was required, for breaches occurring on or after September 23, 2009. However, HHS will not impose sanctions for failure to provide the required notification for breaches discovered before 180 calendar days from August 24, 2009 (publication in the Federal Register).

When Is Notification Required?

Organizations subject to the HHS Rule can follow three steps to determine whether there has been a breach requiring notification:

1. Has there been an impermissible use or disclosure of unsecured PHI under the Privacy Rule?

2. Has the impermissible use or disclosure compromised the security or privacy of the PHI? That is to say, is there a significant risk of financial, reputational, or other harm to the individual?

3. Does the incident fall under one of three exceptions?

Is There a Breach?

The Rule defines a breach as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of such information.

Is There a Significant Risk of Financial, Reputational, or Other Harm to the Individual?

Importantly, the HHS Rule incorporates a harm threshold into the definition of breach by requiring that the incident “[c]ompromise[] the security or privacy of” PHI. HHS interprets that language to mean that the incident “poses a significant risk of financial, reputational, or other harm to the individual.” Thus, covered entities and business associates facing a potential breach incident must perform a risk assessment to determine whether the breach triggers a notification obligation.

Risk assessments must be fact-specific inquiries. A risk assessment performed pursuant to the Rule should determine who impermissibly used the information and/or to whom the information was impermissibly disclosed, and should address the type and amount of PHI involved in the impermissible use or disclosure.

Covered entities and business associates bear the burden of proof of demonstrating that no breach occurred because the impermissible use or disclosure did not pose a significant risk of harm to the individual.

What Are the Three Exceptions?

There are three exceptions to the HHS Breach Rule. They are:

1. Certain unintentional acquisition, access, or use by workforce members or persons acting under the authority [i.e., on behalf] of a covered entity or business associate, if made in good faith, within the course and scope of employment or other professional relationship, and that does not result in further use or disclosure in violation of the Privacy Rule;

2. Certain inadvertent disclosures among similarly situated persons authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, if the information is not further used or disclosed without authorization; or

3. Where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure of PHI was made would not reasonably have been able to retain the information.

Notice to Individuals

If notice is required, covered entities must provide notice to affected individuals in written form by first-class mail at the last known address of the individual without unreasonable delay and in no case later than 60 days following the discovery of a breach. Notice may be in the form of electronic mail, provided the individual agrees to receive electronic notice and such agreement has not been withdrawn.

If the covered entity lacks sufficient contact information for some or all of the individuals, or if some notices are returned as undeliverable, the covered entity must provide substitute notice as soon as reasonably possible after it becomes aware that it has insufficient or out-of-date contact information for one or more affected individuals.  Substitute notice must be reasonably calculated to reach the affected individuals. If there are fewer than 10 affected individuals, the covered entity can provide substitute notice through an alternative form of written notice, by telephone, or other means. If 10 or more individuals are affected, the covered entity must provide substitute notice by either (a) conspicuous posting for a period of 90 days on the home page of its website; or (b) conspicuous notice in major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside. This notice must include a toll-free phone number active for 90 days where the individual can learn whether unsecured PHI may be included in the breach.

Content of the Notice

Notices must be in plain language. The notice must include the following:

1. a brief description of what happened, including the date of breach and date of discovery of the breach, if known;

2. a description of the types of unsecured PHI that were involved in the breach;

3. any steps the individuals should take to protect themselves from potential harm resulting from the breach;

4. a brief description of what the entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and

5. Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an e-mail address, web site, or postal address.
Notices must comply with any other applicable laws.

Notice to the Secretary of HHS

Covered entities must notify the Secretary of HHS immediately following the discovery of a breach of unsecured PHI involving 500 or more individuals. HHS must post a list identifying each such covered entity on its website.  For breaches involving less than 500 individuals, the covered entity must maintain a log and annually submit the log to the Secretary documenting the breaches occurring during the year involved. The log must be provided to HHS no later than 60 days after the end of each calendar year. These logs must be kept for six years (like other records subject to HIPAA records retention requirements). Covered entities must make the records available to the Secretary upon request.

Notification of the Media

Covered entities must notify prominent media outlets serving a State or jurisdiction without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, if unsecured PHI of more than 500 residents of such State or jurisdiction is the subject of a breach. This notice should include the same information provided in notices to individuals. This can be done by a press release. “Jurisdiction” is defined as a geographic area smaller than a state, such as a county, city, or town.

Business Associate Notice Obligations

Following discovery of a breach of unsecured PHI, a business associate must notify the covered entity of the breach without unreasonable delay and in no case later than 60 days following the discovery of a breach.  As with covered entities, the breach is discovered as of first day on which it is known or, by exercising reasonable diligence, would have been known. The business associate is deemed to have knowledge if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer or other agent of the business associate, determined in accordance with the federal common law of agency. If the business associate is an agent, then the business associate’s discovery of the breach is imputed to the covered entity and the covered entity must provide notifications based on the time of the business associate’s discovery of the breach. However, if the business associate is an independent contractor, then the covered entity must provide notification based on the time the business associate notifies the covered entity. For this reason, it is important that covered entities and business associates address timing of notification in their contracts.

To the extent possible, the business associate must provide the identity of each individual whose unsecured PHI has been or is reasonably believed to have been breached. In addition, the business associate must provide the covered entity with any other available information that the covered entity is required to include in notification to the individual, either at the time it provides notice to the covered entity of the breach, or promptly thereafter as information becomes available.
Of course, covered entities and business associates can still set forth specific obligations in contracts, provided that all required notifications under the Rule are provided and that the other requirements of the interim final rule are met. Indeed, HHS encourages the parties to ensure that individuals do not receive notifications from both the covered entity and the business associate.

Law Enforcement Delay

Like some state breach notification laws, the HHS Rule requires covered entities to temporarily delay notification if instructed to do so by a law enforcement official. Such a request tolls the time within which notification is required.