June 1, 2009
The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which was signed into law on February 17, 2009 as part of the American Recovery and Reinvestment Act, introduced a number of significant changes to the HIPAA Privacy and Security Rules. Among these changes, covered entities and business associates are now required to provide notification if unsecured protected health information (“PHI”) is breached.
Notification When PHI is Breached
Unsecured PHI is “breached” if it is accessed, used, or disclosed without proper authorization. The HITECH Act requires a covered entity to notify each individual whose unsecured PHI has been breached. Similarly, business associates are required to notify the covered entity when they discover a breach of unsecured PHI.
The notice may be by first-class mail to the individual at his or her last known address or, if specified as a preference by the individual, by electronic mail. The covered entity must also annually submit a log to the Department of Health and Human Services (“HHS”) documenting any breaches of PHI. Moreover, if unsecured PHI of 500 or more individuals is breached, notice must be provided to prominent media outlets (i.e., major print or broadcast media), and immediate notice must be sent to HHS.
Methods for Securing PHI
A breach involving secured PHI is not subject to the notification requirements. Under guidance that was recently proposed by HHS, PHI is “secured” if it is rendered unusable, unreadable, or indecipherable to unauthorized individuals through either encryption or destruction.
Encryption. For PHI to be validly encrypted, the encryption process must include two elements:
- A process or key that is kept confidential; and
- An algorithm to transform data into a form where there is a low probability that the data can be given meaning without the use of that process or key.
Whether or not PHI is properly encrypted depends upon the strength of the encryption algorithm and the security of the decryption key or process. The proposed guidance provides an exclusive list of acceptable encryption methodologies which have been tested by the National Institute of Standards and Technology (the “NIST”) and judged to meet this standard.
Destruction. PHI is also considered secured if the medium on which it is stored or recorded is destroyed. Media will be considered destroyed if:
- Paper, film, or any other hard-copy media are unreadable and cannot be reconstructed; and
- Electronic media have been cleared, purged, or destroyed consistent with standards described in publications issued by the NIST so that PHI cannot be retrieved.
Effective Date. Although the guidance is proposed to be immediately effective, it will not apply to breaches until 30 days after publication of the forthcoming interim final regulations, which are set to be issued no later than August 16, 2009. As such, to avoid potential application of notification requirements, covered entities and business associates will generally need to implement appropriate encryption and destruction processes no later than September 15, 2009.
Action Items. With such a short time period between the scheduled issuance of final regulations and the deadline for compliance, covered entities and business associates may want to begin the process of coming into compliance now. To do so, group health plan administrators and designated HIPAA Privacy and Security Officials should:
- Review disposal policies for destroyed hard copies of PHI to ensure the procedures comply with the new standard;
- Consult with information technology professionals to determine if electronic systems on which PHI is stored, used, or destroyed or over which PHI is transmitted comply with the new standards;
- Amend HIPAA policies and procedures to add any necessary standards to keep PHI from being unsecured and to add procedures for complying with the breach notification requirements for any PHI that is considered unsecured; and
- Review and amend existing business associate agreements to account for appropriate reporting of these breaches (i.e., require business associates to provide the information necessary for the plan to satisfy the notice requirement) and for the allocation of responsibilities in the event of a breach.
Contact Information. Please contact Amy Heppner (404.888.8825) or Kelly Meyers (404.888.8838) if you have any questions.