May 7, 2009
The American Recovery and Reinvestment Act of 2009 (ARRA) provides
significant changes to the privacy and security rules under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) through incorporation of the
Health Information Technology for Economic and Clinical Health Act (HITECH).
The changes to HIPAA impact both covered entities and business associates. Among
these changes, covered entities and business associates are now required to
provide notification if unsecured protected health information (PHI) has been
Related Guidance and Request for Comments Issued
As required under HITECH, on April 17, 2009, the Department of Health and
Human Services (HHS) issued guidance regarding the proper methods for securing
PHI. Also contained in the guidance is a request for information on: (1) the
introduced methods for securing PHI, and (2) the breach notification process.
Comments must be submitted on or before May 21, 2009.
Securing Protected Health Information
The guidance defines secured PHI as PHI that is “unusable, unreadable, or
indecipherable to unauthorized individuals.” A breach involving secured PHI will
not trigger the HITECH Act’s notification requirements. However, the covered
entity may still be required to take steps under the HIPAA privacy and security
rules to correct or mitigate circumstances surrounding the breach of secured
PHI. The two methods for rendering PHI as unusable, unreadable, or
indecipherable to unauthorized individuals – “Encryption” and “Destruction” –
are described in further detail below.
To be secured PHI, electronic PHI must be encrypted as specified in the HIPAA
Security Rule by “the use of an algorithmic process to transform data into a
form in which there is a low probability of assigning meaning without use of a
confidential process or key.” Further, the confidential process must not be
breached (for example, the key must not be accessible to unauthorized users).
The encryption process used must also comply with federal guidelines, and
covered entities and business associates should be prepared to update
methodologies as further guidance is issued.
The media on which PHI is stored must be so thoroughly destroyed that it may
not be reconstructed. Paper, film or other hard copies must be shredded or
rendered unreadable. Any electronic media must be cleared, purged or destroyed,
again consistent with federal guidelines, in such a manner that data cannot be
Further details regarding federally approved encryption and destruction
guidelines can be found at the NIST website.
Under the HITECH Act, a breach is defined as “an unauthorized acquisition,
access, use, or disclosure of protected health information which compromises the
security or privacy of such information, except where an unauthorized person to
whom such information is disclosed would not reasonably have been able to retain
such information.” HITECH provides that a breach will be treated as discovered
as of the day on which the breach is known or the entity or associate reasonably
should have known it had occurred. Generally, notifications are to be prompt and
in no case later than 60 days after discovery of the breach. If the breach
involved PHI secured in accordance with the guidance, then notification is not
required. Both covered entities and business associates have responsibility for
breach notification. However, the guidance allows for limited exceptions for
unintentional or inadvertent breaches made in the normal course of handling PHI.
Upon discovery of a breach, notice shall be given to all affected individuals
and, in some cases, to HHS and the media.
A business associate must notify the covered entity of a breach, upon
discovery. The notice should include the identification of each individual whose
unsecured PHI has been (or is reasonably believed to have been) accessed,
acquired or disclosed during the breach.
The covered entity must provide notices to affected individuals that include
the following information:
- A brief description of what occurred, including
the date of the breach and the date of the discovery.
- A description of the types of unsecured PHI that were involved.
- The steps individuals should take to protect themselves from harm as a
result of the breach.
- A brief description of what the plan is doing to investigate the breach,
to mitigate losses and to protect against further breaches.
- Contact procedures for individuals to ask questions or obtain additional
information, including a toll-free telephone number, e-mail address, website
or postal address.
Breach Affecting 500 or More Individuals
In addition to the general notice requirements outlined above, with respect
to breaches affecting 500 or more individuals, additional obligations will
- The notice to HHS must be provided immediately. HHS will post the name
of any entity involved in a breach of this size on its website.
- If the breach affects 500 or more individuals in a single state or
jurisdiction, the notice must be provided in prominent local media outlets.
Interim final regulations on breach notifications are to be published no
later than August 16, 2009. The provisions are currently scheduled to become
effective and apply to any breach occurring 30 days after publication of those
regulations (i.e., September 15, 2009).
In light of the changes outlined above, covered entities and business
associates should review and update their security infrastructures to minimize
their exposure under the PHI security and breach notification requirements. McGuireWoods is
prepared to assist in creating and revising HIPAA privacy and security
procedures, training materials, business associate agreements and any other
required process as it applies to HIPAA under HITECH.
To view the guidance or submit a comment in response to the request for
information, visit the HHS Health Information Privacy page.
In addition, for more information regarding how the amended HIPAA provisions
may impact your entity, please contact the authors or any member of the
Labor & Employment or Health Care teams.
Updates on related regulatory and business matters can be found in our Stimulus Package section.