HHS Issues Regulations Regarding Notification of Breaches of Unsecured Protected Health Information

August 24, 2009

On Aug. 24, 2009, the U.S. Department of Health and Human Services (HHS) published interim final regulations (the Rule) governing notification of breaches of unsecured protected health information (PHI) by HIPAA-covered entities and business associates. The Rule is one of several sets of regulations mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on Feb. 17, 2009, as a part of the American Recovery and Reinvestment Act of 2009 (ARRA). The Rule will be effective on Sept. 23, 2009.

The Basics

The Rule requires covered entities to notify affected individuals within 60 days of the discovery of a breach of unsecured PHI. When breaches affect more than 500 individuals, notification to the media and HHS is also required. For breaches of unsecured PHI at or by a business associate, notice to the covered entity is required within 60 days of discovery.


Under the Rule, “breach” is defined broadly to mean “acquisition, access, use, or disclosure” of unsecured PHI that is not otherwise permitted under HIPAA “which compromises the security or privacy” of the PHI.

Unsecured PHI

Under the HITECH Act, PHI is considered “unsecured” if it has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals using encryption and destruction technologies specified by HHS. Significantly, compliance with HHS-approved encryption and destruction technologies creates a “Breach Notification Safe Harbor,” such that compliance with the Rule is not required (although in certain cases it may be in the best interest of a covered entity or business associate to provide notifications even if safe harbor protection is available).

Timing of Discovery

Under the Rule, a breach is considered to be “discovered” as of the first day the breach is known or should have been known, based on the exercise of reasonable diligence.

Timing of Notice

Following discovery, covered entities are required to send written notice to the affected individuals as soon as possible, but no later than 60 calendar days after the breach was discovered. The Rule authorizes covered entities to take reasonable time to investigate the circumstances surrounding the breach in order to collect and develop the information required to be included in the notice of breach to the individual.

Additionally, within the required time period, covered entities may meet the notification requirements by sending multiple mailings as the information becomes available. The Rule also provides an exception to these timing rules, in the event of a law enforcement request.

Content of Notice

To the extent possible, notices are to include the following: (1) a brief description of what happened, including the date of the breach, if known, and the date of discovery; (2) a description of the types of unsecured PHI involved; (3) any steps individuals should take to protect themselves from potential harm from the breach; (4) a brief description of what actions the covered entity is taking to investigate the breach, mitigate harm to individuals, and protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, e-mail address, website, or postal address.

Method of Notice

Notices under the Rule are required to be made by first-class mail at the last known address of the individual, or in the form of e-mail if the individual has agreed to receive electronic notification. The Rule also provides specific notice rules for minors, individuals who lack legal capacity, and those who are deceased.

For breaches involving insufficient or out-of-date contact information affecting 10 people or fewer, the covered entity may provide notice through an alternative form of writing, by phone, or other means. For more than 10 people, alternative notice must be made through either a 90-day posting on the covered entity’s home webpage, or by conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. In cases involving possible imminent misuse of unsecured PHI, the Rule permits the covered entity to provide notice by phone or other means in addition to a written notice.

Notice to Media

For breaches involving more than 500 individuals, the Rule requires a covered entity to notify prominent media outlets promptly, but no later than 60 calendar days after discovery of the breach. If a breach occurs at a business associate and involves the unsecured PHI of multiple covered entities, a covered entity is required to provide notification to the media only if the information breached included the PHI of 500 or more individuals located in any one state or jurisdiction. The notice content for the media is the same as that required for notice to individuals, as discussed above.

Notice to HHS

The Rule requires all breaches to be reported to HHS, but provides two different time frames. For breaches involving 500 or more individuals, a covered entity must notify HHS at the same time that notice is sent to the affected individuals. For breaches involving fewer than 500 individuals, a covered entity must submit to HHS an annual log of such breaches.

Business Associates

Under the Rule, business associates must provide notice of breaches to their respective covered entities within the same time periods and with the same level of detail as those mentioned above. Furthermore, in situations in which a business associate is acting as an agent of a covered entity, then the business associate’s discovery of the breach will be imputed to the covered entity and the covered entity must provide notifications to the affected individuals based on the time the business associate discovers the breach.

Required Policies & Procedures

The Rule requires covered entities and business associates to develop and document policies and procedures, train workforce members, and impose sanctions for failure to comply with the breach notification rules, as well as to permit individuals to file complaints regarding these policies and procedures, without intimidation or retaliation.

Additional Information

The information above is only a summary of the Rule. For additional information regarding the manner in which the amended HIPAA provisions may impact your entity, please contact the authors or any member of the McGuireWoods LLP Health Care or Employee Benefits Teams. Updates on related regulatory and business matters can be found in the Stimulus Package section of McGuireWoods’ website.

To view other articles regarding recent HIPAA privacy and security-related guidance, please click here or here. For information regarding the breach notification rule recently issued by the Federal Trade Commission and its implications for vendors of personal health records and certain other entities not covered under HIPAA, click here.

McGuireWoods Can Assist

In light of the Rule and the other changes to HIPAA as a result of the HITECH Act, covered entities and business associates are encouraged to review and update their privacy and security policies and programs. McGuireWoods is prepared to assist in creating and revising HIPAA privacy and security procedures, training materials, business associate agreements, and compliance programs to facility compliance with the HITECH Act, the Rule, and with HIPAA more generally.