A HIPAA Breach Notification Handbook: Everything You Ever Wanted to Know About Breach Notification Requirements but Were Afraid to Ask
Health Law Update 08/27/09 Sarah E. Coyne, Kevin J. Eldridge
If you were afraid to ask about the breach notification requirements, there was probably a good reason! While the new rules certainly provide needed clarity and detail, some aspects of the new rules are onerous or unclear. Because there are bound to be bugs to work out, all covered entities (and most business associates) should immediately begin the process of mapping out compliance. The rules are technically effective on September 23, 2009. The Department of Health and Human Services ("DHHS") has clarified that it will not impose sanctions for failure to provide the required notifications for breaches discovered before February 22, 2010. As discussed below, however, it is unclear whether DHHS may impose sanctions for other non-compliance prior to that date, such as the failure to log breaches occurring on or after September 23, 2009. The new rules were formally issued on August 24, 2009, although display copies and preliminary copies were available as early as August 19.
What do the rules say you have to do to be compliant? Uh . . . good question. The essence of the requirement is that covered entities must notify patients and the government ("DHHS"), and sometimes the media, when they discover breaches of protected health information ("PHI") that has not been secured through encryption or destruction. Similarly, business associates must notify covered entities of breaches involving the covered entities' PHI.
What about state law? It still counts. The new breach notification regulations do not preempt state security breach notification laws, which may separately require covered entities and business associates to provide notice of a breach.
We haven't used quite enough acronyms yet (and we know you are going into withdrawal), so let us just clarify that the breach notification regulations were mandated by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), which was part of the American Recovery and Reinvestment Act of 2009 ("ARRA") - the so-called "stimulus bill."
So stay tuned! In this update, we will discuss how to determine whether a reportable breach occurred, how to provide proper notification if a breach did occur and how to comply with the administrative requirements of the new regulations.
To Report or Not to Report
Whether to report requires a covered entity to consider three easy steps (Well, three steps, anyway): (1) Was there an impermissible use or disclosure of PHI under the Privacy Rule? (2) Does the impermissible use or disclosure pose a significant risk of financial, reputational or other harm to the individual? (3) Are all of the exceptions to the definition of "breach" or the notification requirement inapplicable to the impermissible use or disclosure? The goal is to get a "no" answer to any one of the three questions, in which case reporting is not required.
The burden is on . . . you! (Did you think the government would put it anywhere else?) Covered entities and business associates have the burden of proof as to why breach notification is not required under any of the circumstances described below. This means that if you decide not to report, you should keep very good records of the facts and circumstances that led to this decision, and indicate which of the following three parameters was a "no."
1. Was there an impermissible use or disclosure of PHI?
An acquisition, access, use or disclosure of PHI does not constitute a reportable breach unless it violates the Privacy Rule. Violations of the Security Rule or the HIPAA administrative requirements in the absence of a corresponding Privacy Rule violation are not breaches, although they could lead to future breaches.
Not all Privacy Rule violations are reportable breaches - that determination will depend on the following two questions.
2. Does the impermissible use or disclosure pose a significant risk of financial, reputational or other harm to the individual?
Following the lead of many state security breach notification laws, DHHS incorporated a "harm threshold" into the HIPAA breach notification regulations. For a Privacy Rule violation to constitute a reportable breach, it also must pose a significant risk of financial, reputational or other harm to the individual whose PHI was impermissibly used or disclosed.
This means - and here is one of the potentially onerous parts - that covered entities and business associates must perform a risk assessment to determine whether individuals are subject to significant risk of harm. Covered entities and business associates must document this analysis because they will have the burden of proving that a Privacy Rule violation did not create significant risk of harm. Some commentators have speculated that this part of the rule might keep lawyers very busy. (Hmmm, maybe this is not so bad. . . .) However, while the process of doing the risk assessment may be difficult, DHHS has provided covered entities and business associates with some much needed flexibility which should avoid unnecessary notifications for insignificant breaches.
DHHS outlined several factors that may be relevant to what will be a fact-specific risk assessment:
- Who impermissibly used the information;
- To whom the information was impermissibly disclosed (e.g., was it disclosed to a recipient also governed by the Privacy Rule?);
- The type and amount of PHI (e.g., did an impermissible disclosure reveal the type of services an individual received?);
- Whether any immediate steps were taken to mitigate an impermissible use or disclosure, such that the risk of harm is thereby reduced to a "less than significant risk;"
- Whether the impermissibly disclosed PHI is returned prior to being accessed for an improper purpose.
Limited data sets may provide some safety. If an impermissible use or disclosure involves a limited data set from which individuals' dates of birth and zip codes have also been removed, DHHS considers the use or disclosure not to pose a significant risk of financial, reputational or other harm to the individual, so no notification is required. To render PHI a "limited data set," a covered entity or business associate must remove 16 specific direct identifiers, including names, telephone numbers and social security numbers, from the PHI. Skeptics have opined that this is an empty promise, because it is so difficult to remove all of the required identifiers and the resulting information is rendered much less useful. Keep in mind also that limited data sets may be used or disclosed only for research, public health or health care operations, so this safe harbor is of no help for other uses and disclosures.
3. Are all of the exceptions to the definition of "breach" or to the notification requirement inapplicable to the impermissible use or disclosure?
There are many regulatory exceptions to the definition of "breach" and to the requirement that covered entities and business associates provide notification in the event of a breach. "Breach" is defined as the acquisition, access, use or disclosure of protected health information in a manner not permitted under the Privacy Rule that poses a significant risk of financial, reputational or other harm to the individual.
Here are the exceptions to breach, i.e., situations where covered entities are not required to notify individuals of a breach of their PHI or report the breach to the media or DHHS.
Breach of Secured PHI: The breach notification requirement is not triggered when the breached PHI is "secured PHI." PHI is secured if it is "rendered unusable, unreadable or indecipherable to unauthorized individuals" by encryption (of electronic records) or destruction (of electronic or paper records). Thus, covered entities and business associates can avoid the breach notification requirement in many circumstances by encrypting or destroying records.
Refer to our April 2009 Health Law Update for a discussion of DHHS guidance on the acceptable methods of encryption and destruction. This guidance will be updated annually. Since our update, DHHS has further clarified that access controls and redaction of paper records do not secure PHI for purposes of the regulations. Also, encryption keys should be kept on a separate device from encrypted or decrypted data.
De-Identified Health Information: De-identified health information is not considered PHI in the first place, and thus the breach of de-identified health information does not trigger breach notification. Health information is considered de-identified only if it does not identify an individual, if there is no reasonable basis to believe the information can be used to identify an individual and if the covered entity or business associate complies with the Privacy Rule specifications for de-identifying information.
Good Faith, Unintentional Acquisition, Access or Use of PHI: Under certain circumstances, unauthorized acquisition, access or use of unsecured PHI does not constitute a breach that triggers the notification requirement. Such unauthorized acquisition, access or use is excluded only if all of the following are true:
- it was done in good faith;
- it was unintentional;
- it was done by a workforce member or person acting under the authority of a covered entity or business associate (i.e., acting on its behalf as an employee, volunteer, etc.);
- it was made within the scope of authority (i.e., acting on its behalf rather than his/her own behalf); and
- it does not result in a further use or disclosure prohibited by the Privacy Rule.
Inadvertent disclosure: Certain inadvertent disclosures of PHI within a covered entity or business associate also are not considered breaches that require notification. No reportable breach occurs if all of the following are true:
- an inadvertent disclosure occurred;
- the disclosure was made by a person otherwise authorized to access PHI at a covered entity or business associate;
- the disclosure was made to another person authorized to access PHI (even if the two persons may not be authorized to access the same types of PHI);
- the recipient was at the same covered entity, business associate or organized health care arrangement in which the covered entity participates (e.g., a hospital and its medical staff), even if the disclosure was made between multiple locations of the same covered entity, business associate or organized health care arrangement; and
- the disclosed information was not further used or disclosed in a manner prohibited by the Privacy Rule.
Recipient Unable to Retain Information: A covered entity or business associate is not required to institute breach notification if it has a good faith belief that the unauthorized person to whom the disclosure of PHI was made would not reasonably have been able to retain the information. For example, when a nurse hands the wrong discharge papers to a patient but quickly realizes his or her mistake and recovers the PHI from the patient, the patient is probably unable to retain the information, and no breach has occurred.
If you answer "yes" to all three questions, it is notification time!
Notification by a Covered Entity
Following discovery of a breach, a covered entity must notify each individual whose unsecured PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach. The covered entity also must notify DHHS and in some cases must notify the media.
Method of Notice:
Notice to Individuals: Covered entities must provide written notice in plain language to patients by first-class mail or, if the individual has agreed to electronic notice, by email. If the patient is deceased, the covered entity must provide written notice to the next of kin or personal representative, if their addresses are known.
Substitute Notice to Individuals: If the covered entity lacks sufficient contact information for patients, or if notices are returned as undeliverable, the covered entity must provide substitute notice. If the breach involves fewer than 10 patients for whom contact information is insufficient or out of date, covered entities may provide substitute notice by telephone or by an alternative written means, including email, even if the patient has not agreed to receive notice by email. If 10 or more patients are affected, covered entities must post the notice "conspicuously" for 90 days on the home page of their Web site or in major print or broadcast media in the geographic areas where individuals affected by the breach likely reside. The notice on the Web site or in the media must include a toll-free telephone number that remains active for at least 90 days and that allows individuals to call and learn whether their PHI may have been included in the breach.
Notice to the Media: In the event that a breach involves the PHI of more than 500 residents of a state or jurisdiction, the covered entity also must notify prominent media outlets in that state or jurisdiction of the breach.
Notice to DHHS: If the breach involves the PHI of 500 or more individuals, the covered entity must provide notification to DHHS at the same time it provides notice to the individuals. For breaches involving the PHI of fewer than 500 individuals, covered entities must maintain a log of such breaches and notify DHHS annually of all such breaches discovered during the preceding calendar year. Covered entities are required to provide this annual notification to DHHS starting in 2010. Note that the two thresholds differ: media notice is triggered by more than 500 residents of a single state or jurisdiction, while immediate notice to DHHS is triggered by 500 or more individuals in total, wherever they reside.
The annual notification must be made within 60 days of the end of the calendar year. DHHS will post future guidance on how to submit notice in either scenario.
Content of Notice: Notice to individuals or the media must contain:
- A brief description of what happened, including the date of the breach and discovery of the breach, if known;
- A description of the types of unsecured PHI involved in the breach;
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals and to protect against any further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, email address, Web site or postal address.
Timing of Notice: Covered entities must provide notification without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The 60-day period is an outer limit, not a safe harbor; waiting the full 60 days without good reason may itself be an unreasonable delay. A breach is treated as discovered on the first day it is known to the covered entity, or, by exercising reasonable diligence, would have been known. Knowledge is imputed to the covered entity if any workforce member or agent of the covered entity (other than the person who committed the breach) knows or should have known of it, so the clock can start before management hears about the incident. Internal reporting procedures and training therefore matter for the deadline, not just for good practice.
However, covered entities may delay notice if law enforcement states that notice would impede a criminal investigation or cause damage to national security. If the law enforcement statement is in writing and specifies the time for which delay is required, the covered entity must delay notice for the time period specified by the law enforcement official. If the statement is made orally, the covered entity must document the statement (and include the law enforcement official's identity) and temporarily delay the notice for no more than 30 days from the oral statement.
Notification by a Business Associate
So, dear business associate readers, remember that you are directly regulated, and you have reporting obligations as well. In the event of a breach, business associates must notify the covered entity or entities whose information was breached, and each affected covered entity is then required to notify the individuals affected. (Sounds like a fun notification!) Business associates must notify affected covered entities "without unreasonable delay" but in no case more than 60 days after discovering the breach. To the extent possible, business associates are required to notify covered entities of the identity of persons whose PHI was breached and the information that covered entities must provide in the notice to individuals.
Covered entities and business associates may consider addressing breach notification issues in their business associate agreements. For example, covered entities may wish to require the business associate to provide immediate notice of any suspected breaches or may wish to have the business associate provide notice to individuals under certain circumstances.
Administrative Requirements
And now the fun part (and by fun we mean "onerous"). Covered entities and business associates must:
- Develop and implement policies and procedures governing breach discovery, internal reporting and notification;
- Train all workforce members on the policies and procedures;
- Develop a process permitting individuals to file complaints regarding the policies or procedures or failures to follow the policies and procedures;
- Have and apply appropriate sanctions against workforce members who fail to comply with the breach notification policies and procedures;
- Refrain from intimidating or retaliatory action against individuals for exercising their rights, which include the right to file complaints;
- Not require individuals to waive their rights as a condition of the provision of treatment, payment, enrollment in a health plan or eligibility for benefits; and
- Maintain for six years all documentation of activities related to breach notification, including the determination that an impermissible use or disclosure did not constitute a breach.
Effective Date of Regulations
The regulations are technically effective September 23, 2009. DHHS will not impose sanctions for failures to provide notification of breaches discovered before February 22, 2010, although it appears that DHHS could sanction covered entities and business associates for failing to track breaches discovered on or after September 23, 2009.
Such breaches must be included in the required annual report to DHHS of breaches affecting fewer than 500 individuals. The first such report is due sixty days after the end of calendar year 2009, i.e., by March 1, 2010, and it must cover breaches discovered between September 23 and December 31, 2009, all of which fall before the February 22, 2010 enforcement date for failure to notify. Thus, covered entities and business associates must have the infrastructure in place to detect and track breaches by September 23, 2009. DHHS notes that most entities will already have such mechanisms in place due to similar requirements under many state laws. This will not always be the case, given the variety of state data breach laws, some of which exempt covered entities under HIPAA.
FTC Rules Regarding Personal Health Records
He who releases regulations first has the last laugh. On August 17, 2009, the Federal Trade Commission ("FTC") released regulations that parallel the DHHS breach notification regulations but that apply only to foreign and domestic vendors of personal health records (PHRs), PHR-related entities and third-party service providers. Covered entities as defined by HIPAA are not subject to the FTC's PHR breach notification regulations. Nor are business associates subject to the FTC regulations to the extent they are engaging in activities as a business associate and not as providers of PHRs. However, there may be some situations in which entities that provide PHRs directly to the public also offer PHRs to a covered entity's customers through a business associate agreement. Such entities will generally be subject to both the FTC and DHHS breach notification regulations, and should map which of their data flows fall under each.
The Value of Prompt Preventive Care
Investigating potential breaches and providing notification will be a costly undertaking. However, covered entities and business associates may be able to reduce future costs by immediately investing time and resources to develop effective breach prevention and notification policies and procedures. Perhaps in the "easier said than done" arena, the key will be to avoid breaches by encrypting electronic records and destroying discarded electronic and paper records such that there is no notification obligation. Where an ounce of prevention does not work, have a pound of well-trained employees and well-designed policies and implement promptly! Get busy!
* * *