September 14, 2009
This article is an update to the June 1, 2009 issue of the HRBenefits Authority. It has been updated to reflect new regulations implementing the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).
On August 19, 2009, the Department of Health and Human Services (“HHS”) issued interim final regulations for notifications following a breach of unsecured protected health information (“PHI”). Health Insurance Portability and Accountability Act (“HIPAA”) covered entities (e.g. certain group health plans) and business associates must comply with the new regulations by September 23, 2009. However, HHS has indicated that it will use its enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches discovered before February 22, 2010.
In addition to the new regulations, HHS also issued an update to its guidance specifying the technologies and methodologies that render PHI secure.
Breach of Unsecured PHI. A “breach” of unsecured PHI occurs when unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted by the HIPAA privacy rules, and the security or privacy of the unsecured PHI is compromised as a result. For example, a breach may result if a hacker gains access to an employer’s database of group health plan participant files without authorization, a manager accesses group health plan records without authorization, or a laptop containing electronic group health plan records is lost or stolen.
Under the regulations, to determine if there is a breach, the covered entity must determine the following:
- Whether an “unauthorized” acquisition, use, or disclosure of unsecured PHI that violates the HIPAA privacy rules has occurred;
- Whether the breach poses a significant risk of financial, reputational, or other harm to the affected individual; and
- Whether the breach falls within one of the following exceptions to the breach notification requirements:
  - Unintentional acquisition by an employee in good faith;
  - Inadvertent disclosure to another person authorized to access PHI; or
  - Good faith belief that the unauthorized person to whom an unauthorized disclosure was made could not have reasonably retained such information (e.g., a covered entity mails an explanation of benefits to the wrong individual but the explanation is returned unopened and undeliverable).
Notification When PHI is Breached. If a breach of unsecured PHI occurs, covered entities and business associates are required to notify affected individuals, the media, and/or the HHS Secretary as follows:
- Notification to Individuals. Within 60 days after the discovery of a breach of unsecured PHI, a covered entity must notify each individual whose unsecured PHI has been breached. Notice may be sent by first-class mail or, if the individual agrees, by electronic mail.
- Notification to the Media. A covered entity must report a breach of unsecured PHI involving more than 500 residents of a single state or jurisdiction to a prominent media outlet of the relevant state or jurisdiction.
- Notification to HHS Secretary. A covered entity must immediately report a breach affecting 500 or more individuals to the HHS Secretary, and it must report breaches affecting fewer than 500 individuals to the HHS Secretary on an annual basis.
- Notification by a Business Associate. The HHS regulations also require business associates to notify the covered entity of any breach of unsecured PHI discovered by the business associate.
Methods for Securing PHI. A breach involving secured PHI is not subject to the notification requirements. PHI is “secured” if it is rendered unusable, unreadable, or indecipherable either through encryption or destruction.
Encryption. For PHI to be validly encrypted, the encryption process must include two elements:
- A process or key that is kept confidential; and
- An algorithm to transform data into a form where there is a low probability that the data can be given meaning without the use of the process or key.
The HHS guidance provides an exclusive list of acceptable encryption methodologies that have been tested by the National Institute of Standards and Technology (the “NIST”) and judged to meet this standard. The guidance further instructs covered entities to keep decryption tools on a device or at a location separate from the data they are used to encrypt or decrypt.
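As an added illustration, not part of the newsletter and not a statement of which methodologies the HHS guidance lists, the Go program below shows the two elements described above in working form: a confidential key held in a place separate from the data it protects, and an algorithm under which the stored record conveys no meaning without that key. AES-256-GCM is used because it is an algorithm standardized by NIST; whether a given deployment satisfies the HHS guidance is a separate determination against that guidance. The KeyVault type, the function names, and the record contents are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVault stands in for the separate device or location where the
// confidential key is kept, apart from the data it protects. The page names
// no storage mechanism; this type is a placeholder for the example.
type KeyVault struct {
	key []byte // 32 bytes: AES-256
}

// NewKeyVault generates a fresh 256-bit key from the operating system's CSPRNG.
func NewKeyVault() (*KeyVault, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyVault{key: k}, nil
}

// SecureRecord encrypts one PHI record with AES-256-GCM. The output is the
// random nonce followed by ciphertext and authentication tag; it carries no
// key material, so it can sit on a database or laptop on its own.
func SecureRecord(v *KeyVault, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// OpenRecord decrypts a sealed record; a wrong key or any tampering makes
// the authentication tag check fail and no plaintext is returned.
func OpenRecord(v *KeyVault, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Leaks reports whether the plaintext appears verbatim inside the sealed
// data; for a valid encryption it must not.
func Leaks(sealed, record []byte) bool {
	return bytes.Contains(sealed, record)
}

func main() {
	// Constructed sample record for the example; not real PHI.
	record := []byte("participant=J. Doe; plan=GHP-01; claim=office visit")
	vault, err := NewKeyVault()
	if err != nil {
		panic(err)
	}
	sealed, err := SecureRecord(vault, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes, plaintext visible: %v\n", len(sealed), Leaks(sealed, record))
	// A lost device holds only `sealed`; the key never leaves the vault.
	other, _ := NewKeyVault()
	if _, err := OpenRecord(other, sealed); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	plain, err := OpenRecord(vault, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered with the right key:", string(plain))
}
```

The design point is the separation the guidance calls for: the sealed record and the KeyVault are distinct objects, and only the record is what would travel on a lost or stolen device. The authentication tag also means a sealed record that has been altered is rejected rather than decrypted into garbage.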
Destruction. PHI is also considered secured if the medium on which it is stored or recorded is destroyed. Media will be considered destroyed if:
- Paper, film, or any other hard-copy media are unreadable and cannot be reconstructed; and
- Electronic media have been cleared, purged, or destroyed consistent with standards described in publications issued by the NIST so that PHI cannot be retrieved.
Importantly, HHS clarified in the regulations that redacting PHI from paper documents will not render the documents secure.
Note that encryption and destruction are the only ways that PHI may be properly secured. For example, PHI cannot be secured through the use of access controls (e.g., security firewalls) even if the use of access controls complies with the HIPAA security rules.
Practical Steps. Covered entities and business associates have little time to comply with these new breach notification requirements. To ensure compliance, group health plan administrators and designated HIPAA privacy and security officials should:
- Provide thorough training on the new breach notification regulations to all workforce members and update HIPAA policies and procedures to include sanctions for violations of the new regulations;
- Amend HIPAA policies and procedures to add procedures for detecting and documenting breaches of unsecured PHI, and for preparing and sending any required breach notifications;
- Review and amend existing business associate agreements to account for appropriate reporting of these breaches and for the allocation of responsibilities in the event of a breach;
- Amend HIPAA policies and procedures to add any necessary standards to keep PHI from being unsecured;
- Consult with information technology professionals to determine if electronic systems on which PHI is stored, used, or destroyed or over which PHI is transmitted comply with the new standards; and
- Review disposal policies for destroyed hard copies of PHI to ensure the procedures comply with the new standard.