HIPAA Breach Notification Under HITECH: What Employers Should Do Now

September 8, 2009

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, contains several significant changes to the privacy rules contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HITECH requires covered entities subject to the HIPAA privacy rule, and their business associates, to provide notice when unsecured protected health information has been breached. The Department of Health and Human Services (HHS) issued the interim final rule for this new security breach notification requirement on August 24, 2009.

Implications of a HIPAA Security Breach

HITECH requires notice to affected individuals, HHS and possibly the media when HIPAA-covered entities and their business associates discover a breach of unsecured protected health information (PHI). For purposes of this new regulation, a breach is defined as the acquisition, access, use or disclosure of PHI in violation of the HIPAA privacy rule that compromises PHI security or privacy.

Unsecured PHI is PHI that is not secured through the use of the technology or methodology specified by the HHS Secretary through published guidance. The interim final rule specifies encryption and destruction technology as the only “safe harbor” methods for rendering PHI secure. Thus, disclosure of PHI that is secured by either encryption or destruction technology does not trigger a breach or a breach notification requirement.

When analyzing potential security breaches, the covered entity or business associate must first determine whether an impermissible use or disclosure of PHI has occurred. If there has been no HIPAA privacy rule violation, there can be no breach under the HITECH interim final rule.

The covered entity or business associate must then conduct a risk assessment to determine – and document – whether the impermissible use or disclosure has compromised PHI security or privacy. In order to reach the harm threshold for a breach, the incident must create “a significant risk of financial, reputational, or other harm to the individual” (or individuals, if a group is affected) when the use or disclosure occurs. The interim final rule includes a list of factors for a covered entity to consider when conducting its risk assessment.

Finally, unless the incident falls under one of the exceptions noted in the breach definition under the interim final rule, the incident constitutes a breach requiring notification.

Breach Timing

Breaches are treated as discovered on the first day that they are known or would be known to the covered entity or business associate by exercising “reasonable diligence.” The breach is considered discovered when the incident becomes known – not when the covered entity or business associate concludes its analysis of whether the incident constitutes a breach.

Breach Notification Requirements

After performing the risk assessment relating to the incident and determining that a breach occurred, a notification must be made within 60 calendar days after the date on which the covered entity or business associate discovered the breach. The specific notification requirements under the interim final rule are as follows:

Notice to Individuals.

Affected individuals must be notified without unreasonable delay, but in no case later than 60 calendar days after discovery. The notices must be written in plain language and include basic information that is detailed in the interim final rule. Under certain circumstances, a substitute notice may be used.

Notice to Media.

If a breach affects more than 500 residents of a state or smaller jurisdiction (such as a county, city or town), the covered entity or business associate must also notify a prominent media outlet that is appropriate for the size of the location with affected individuals. The preamble to the interim final rule indicates that the notice may be provided in the form of a press release.

Notice to HHS.

Information regarding breaches involving 500 or more individuals (regardless of location) must be submitted to HHS at the same time that notices to individuals are issued. If a particular breach involves fewer than 500 individuals, the covered entity or business associate will be required to keep track of all breaches and to notify HHS within 60 days after the end of the calendar year. HHS will provide instructions on its website regarding the content and manner of such notices.

Notice by Business Associates to Covered Entities.

Business associates of an employer-sponsored group health plan must notify the covered entity/group health plan sponsor if the business associate incurs a breach of unsecured PHI. Notice must be provided without unreasonable delay and in no case later than 60 days after discovery of the breach.

Effective Date of New Rules

Due to the timeframe within which Congress required HHS to issue final regulations, the August guidance was issued as an interim final rule that becomes effective for breaches occurring on or after September 23, 2009. However, because of the short turnaround time, a continuing comment period and the additional business associate guidance still to be issued, there may be additional revisions to the interim final rule.

HHS has indicated that it will not impose sanctions for failure to provide notifications for breaches that are discovered in the period ending 180 days after the date of publication of the interim final rule (February 22, 2010) in order to provide covered entities and business associates time to implement compliance procedures. However, covered entities and business associates are expected to maintain compliance during the transition period and to implement necessary changes to HIPAA privacy policies and procedures, as outlined below. HHS will assist covered entities and business associates with achieving compliance through further technical assistance and voluntary corrective action.

What Employers Should Do Now

With the compliance time frame fast approaching, group health plan sponsors should begin their compliance efforts now. Most of the compliance procedures outlined below should be included in the HIPAA privacy policies and procedures maintained by the plan.

  1. Develop policies and procedures for determining whether a breach has occurred. Issues to cover include:
    • Steps for identifying a potential breach incident.
    • Steps for determining whether the incident is an impermissible use or disclosure of PHI under the HIPAA privacy rule.
    • Steps for performing a risk assessment analysis to determine the level of harm that the breach has caused to any individuals.
    • Steps to ensure that affected individuals, the media and/or HHS receive proper notification, as required.
    • Documentation for each step of these processes.
    • Discussion of the new policies and procedures with the employer’s HIPAA privacy officer, who will be responsible for this additional enforcement.
  2. Provide additional training on the security breach notification requirements to group health plan employees and related staff.
  3. Work with each business associate regarding implementation of policies and procedures relating to group health plan operations. Issues to cover include:
    • Requesting a copy of the security breach notification policies and procedures that the business associate will implement.
    • Discussing the reporting of reportable and non-reportable breaches to the employer.
    • Determining the role of the business associate in identifying breaches and suspected breaches related to the business associate’s service agreement.
    • Allocating responsibility for fulfilling the notification requirements when a reportable breach has occurred and maintaining any related data required under the interim final rule. (Design Point: We recommend that covered entities control the issuance of any required notification.)
    • Amending the indemnification provisions of the business associate agreement to ensure that the appropriate party bears the costs associated with the notification requirements and liability for failure to comply with them.

Employer Responsibility

Generally, the group health plan (as the covered entity) will have the ultimate responsibility to ensure that breaches are identified and assessed and that notifications are provided. However, business associates (e.g., third-party administrators and claims administrators) will often be in the best position to investigate potential breaches and determine whether, in fact, a breach has occurred; whether the harm is significant; and what notification, if any, is required.

The covered entity and the business associate should agree on which party will carry out the breach determination, based on which party has responsibility for the breach and which has access to information related to the incident. Similarly, parties should negotiate the level of control that the covered entity will have over the content of each notification. Unless service agreements with business associates include language on these points, the employer sponsoring the group health plan will be responsible for handling the breach.

To this end, the McGuireWoods LLP Employee Benefits Group is updating its HIPAA compliance program to steer employers through the steps necessary to comply with the new guidance. The program offers an examination of existing plan documents and HIPAA privacy policies and procedures, as well as model documents. The program also guides employers through the process of implementing changes to administrative policies and practices and offers training to ensure that administrative team members are equipped to meet the new requirements.

Further, we will continue to keep you up-to-date with the rapid developments and shifting landscape in HITECH compliance.

For additional information, please contact the authors or any member of the McGuireWoods LLP Employee Benefits or Labor & Employment teams.