The Department of Health and Human Services (“HHS”) has issued final regulations implementing the new breach notification requirements under the Health Insurance Portability and Accountability Act (“HIPAA”), which were adopted under the HITECH Act as part of the stimulus bill. Generally, the new breach notification rules require HIPAA-covered entities (including group health plans) and their business associates to satisfy notification obligations when a breach of unsecured protected health information (“PHI”) has occurred or face penalties from HHS. (Generally, penalties range from $100 per violation to $50,000 per violation with a maximum penalty of $1.5 million.)
The breach notification requirements apply to “unsecure” PHI – PHI that has not been secured by encryption or destruction. That is, if PHI has been either encrypted or completely destroyed, HIPAA-covered entities and their business associates would not be required to provide the breach notifications specified under the HITECH Act and the final regulations.
The final regulations provide that a “breach” has occurred if the following elements are met:
- The information is unsecure (not encrypted or destroyed);
- The information was used or disclosed in a manner that is not permitted under the HIPAA privacy rule;
- The use or disclosure poses a significant risk of financial, reputational, or other harm to the individual;
- The use or disclosure does not fall under one of the three exceptions listed in the regulations (including (1) an unintentional access by a covered entity’s or business associate’s employee, (2) an inadvertent disclosure from one covered entity or business associate employee to another similarly situated employee, and (3) a situation in which the recipient would not reasonably have been able to retain the information).
The HITECH Act requires a covered entity to notify individuals whose unsecured PHI has been – or is reasonably believed by the covered entity to have been – accessed, acquired or disclosed as a result of the breach. The notice must be provided no later than 60 calendar days after the breach is discovered, and must be provided to the following individuals and entities:
- To each affected individual, by first-class mail at the individual’s last known address, or by e-mail if the individual specifically indicated a preference for it;
- To prominent media outlets in the state or other jurisdiction if the breach involves more than 500 residents of the state or jurisdiction; and
- To HHS – immediately if the breach affected 500 or more individuals – which in turn must post information about the breach on the HHS website.
The HITECH Act requires the breach notification rules to become effective 30 days after HHS publishes final regulations in the Federal Register. Since the rules were published on August 24, 2009, they become effective September 23, 2009. However, HHS has stated that it will not impose sanctions for failure to provide notifications that are discovered before 180 days from the date of publication – February 22, 2010. In the meantime, however, HIPAA-covered entities and business associates are expected to comply with the new breach notification rules.
For more information on the HITECH Act, the final regulations issued by HHS, and the steps your company should take to prepare for the quick effective date, contact your SGR Executive Compensation and Employee Benefits counsel.