September 23, 2009 – Breach Notification Requirements Now Effective
As part of the American Recovery and Reinvestment Act of 2009 (ARRA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act) significantly expands the Privacy Rules and the Security Rules under the Health Insurance Portability and Accountability Act (HIPAA). The HITECH Act addresses a number of areas, including:
- notification requirements where a “breach” involving protected health information (PHI) occurs,
- imposition of direct business associate liability for violations of the HIPAA Privacy and Security Rules,
- expanded individual rights with respect to PHI disclosures,
- further restrictions on the amount of PHI that may be disclosed,
- more restrictions on the sale of PHI and the use of PHI in marketing activities, and
- more stringent enforcement provisions.
Note: This alert focuses on the notification requirements when a “breach” involving protected health information (PHI) occurs. Subsequent alerts will address the other provisions, most of which have effective dates after January 1, 2010. Although penalties will not be imposed until February 22, 2010, the breach notification requirements apply to a “breach” occurring on or after September 23, 2009.
In general, the HITECH Act requires group health plans and business associates to provide certain notifications when a “breach” involving PHI occurs. As with the existing HIPAA Privacy and Security Rules, defined terms are critical to compliance efforts.
Breach. The breach notification requirements introduce the term “breach”. “Breach” is broadly defined and includes any acquisition, access, use, or disclosure of “unsecured” PHI that:
- violates a HIPAA Privacy Rule; and
- poses a significant risk of financial, reputational, or other harm to the individual.
Note: Not every HIPAA violation requires a breach notification.
Both elements must exist in order for there to be a “breach.” There can be a violation of a HIPAA Privacy Rule that is not a “breach” (e.g., if there is no significant risk of harm). Similarly, there can be a very harmful disclosure that is not a “breach” (e.g., if the disclosure is not a violation of the HIPAA Privacy Rule).
Unsecured PHI. A breach can occur only with respect to “unsecured” PHI, and PHI is “unsecured” for purposes of the breach notification requirement whenever it has not been “secured.” “Secured” PHI is PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals. Currently, there are two approved safe-harbor methods to secure PHI: (1) encryption consistent with the National Institute of Standards and Technology (NIST) standards identified in the HHS guidance (NIST Special Publication 800-111 for data at rest, and Special Publications 800-52, 800-77 and 800-113 for data in motion), and (2) destruction (shredding or otherwise destroying paper, film and similar media; clearing, purging or destroying electronic media consistent with NIST Special Publication 800-88). Encryption provides the safe harbor only if the means of decryption was not also compromised; the HHS guidance expects the decryption key to be kept on a device or at a location separate from the encrypted data.
Note: As a practical matter, a lot of PHI will be maintained and used that is not (and perhaps cannot be) “secured.” If it is not “secured,” then it is “unsecured” and subject to the breach notification requirements.
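The following is an added illustration of what the encryption safe harbor means in practice; it is not part of the alert and not a statement of what HHS or NIST require of any particular product. It encrypts a constructed sample PHI record with AES-256-GCM (an authenticated mode specified in NIST Special Publication 800-38D) using Go's standard library, and shows that a copy of the sealed record cannot be read or silently altered without the key. The record contents, the key handling and the function names are assumptions made for the example. Whether a real deployment qualifies for the safe harbor depends on the HHS guidance, on the validation status of the cryptographic module, and on keeping the key separate from the data, none of which this code establishes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// PHIRecord is a constructed sample. It is not real patient data.
const PHIRecord = `{"member_id":"A1234567","name":"Jane Q. Sample",` +
	`"service":"oncology clinic visit","ssn":"000-00-0000"}`

// ErrShortCiphertext is returned when a sealed blob is too short to
// contain a nonce and an authentication tag.
var ErrShortCiphertext = errors.New("sealed data too short")

// NewDataKey returns a fresh 256-bit AES key. In a real system the key
// lives in a separate key store or HSM, never beside the ciphertext;
// that separation is what lets encryption count as "secured".
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag. A random 96-bit nonce is generated per
// record; GCM requires that a nonce never repeat under the same key.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends the ciphertext and tag to the nonce prefix.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It fails for a wrong key or for any modified
// byte, because the GCM tag authenticates nonce and ciphertext.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrShortCiphertext
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// UnusableWithoutKey reports whether a sealed record resists both
// reading with an unrelated key and undetected modification. It models
// the question a lost laptop or mis-sent file raises: is the PHI on it
// "secured" in the sense the alert describes?
func UnusableWithoutKey(sealed, unrelatedKey []byte) bool {
	if _, err := Open(unrelatedKey, sealed); err == nil {
		return false
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err := Open(unrelatedKey, tampered)
	return err != nil
}

func main() {
	key, _ := NewDataKey()
	sealed, _ := Seal(key, []byte(PHIRecord))
	other, _ := NewDataKey()
	fmt.Printf("sealed %d bytes; unusable without key: %v\n",
		len(sealed), UnusableWithoutKey(sealed, other))
	pt, err := Open(key, sealed)
	fmt.Printf("holder of the key recovers record: %v (err=%v)\n",
		string(pt) == PHIRecord, err)
}
```

The point the code makes is the one the safe harbor turns on: the ciphertext alone is unusable, so an incident that exposes only the sealed bytes is not a breach of unsecured PHI, whereas an incident that also exposes the key is. Storing the key with the data (or logging the plaintext somewhere else) defeats the protection regardless of the algorithm.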
Significant Risk of Harm. A breach can occur only if the improper (i.e., in violation of a HIPAA Privacy Rule) acquisition, access, use, or disclosure poses a “significant risk” of harm to the individual. This element looks at potential harm, whether or not it is actually realized. Upon discovery of an improper acquisition, access, use, or disclosure of PHI, the group health plan or business associate must assess (1) the risk of harm, and (2) whether it is significant. This assessment is based upon the facts and circumstances of the particular situation. Factors that should be considered include the following:
- Who impermissibly used the information, or to whom the information was impermissibly disclosed.
  - For example, if PHI is impermissibly disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency, there may be less risk of harm to the individual because the recipient is obligated to protect the information in the same, or a similar, manner.
  - Compare the case in which PHI is impermissibly disclosed to an entity or person not subject to the same, or similar, obligations. The risk of harm to the individual is much greater.
- The type and amount of PHI involved in the impermissible use or disclosure. If the nature of the PHI does not pose a significant risk of financial, reputational, or other harm, then the violation is not a breach.
  - For example, a group health plan improperly discloses PHI that merely includes the name of an individual and the fact that the individual received services from a hospital. This would constitute a violation of the Privacy Rule, but it may not be a breach, because the disclosure may not pose a significant risk of financial or reputational harm to the individual.
  - Compare the case in which the improperly disclosed PHI (1) indicates the type of services the individual received from the hospital (e.g., oncology services, services related to a contagious disease, etc.), (2) indicates that the individual received services from a specialized facility (e.g., a substance abuse treatment program), or (3) includes information that increases the risk of identity theft (e.g., social security number, account number, or mother’s maiden name). There is then a higher likelihood that the impermissible use or disclosure poses a significant risk of harm.
- The types of harm that could result from the impermissible use or disclosure (e.g., identity theft, adverse employment decisions, blackmail, emotional distress, humiliation, etc.).
Note: The risk assessment should be documented. It is the group health plan or business associate’s responsibility to demonstrate compliance.
Breach Exceptions. In certain situations, the acquisition, access, use, or disclosure of PHI that would otherwise constitute a breach does not trigger breach notification. Those situations include the following:
- The unintentional acquisition, access, or use of PHI by a workforce member or person if:
- the person is acting under authority of a group health plan or business associate;
- the acquisition, access, or use occurs in good faith and within scope of that authority; and
- there is no further impermissible use or disclosure.
- The inadvertent disclosure by a person who is authorized to access PHI at a group health plan or business associate if:
- the inadvertent disclosure is to another person authorized to access PHI at the same group health plan or business associate; and
- there is no further impermissible use or disclosure.
- The impermissible disclosure of PHI by a group health plan or business associate in cases in which the group health plan or business associate has a good faith belief that the unauthorized person to whom PHI was disclosed would not reasonably have been able to retain the information.
Very Important Note: While these situations do not constitute a “breach” requiring notification, they are still violations of the HIPAA Privacy Rule.
Notification. The occurrence of a breach triggers notification responsibilities for the group health plan and business associate that “discover” the breach. In most cases, notification must be provided without unreasonable delay, no later than sixty (60) calendar days after “discovery” of the breach.
Discovery. “Discovery” is determined on an entity-wide basis, and it is not limited to actual knowledge. With respect to a group health plan, discovery generally occurs when a breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is a member of the group health plan’s workforce or its agent. There is no requirement that the person hold a particular position or title (e.g., in human resources, or responsible for benefits) in order to impute knowledge to the group health plan.
With respect to a business associate, discovery occurs when it is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer, or agent (e.g., subcontractor) of the business associate. Again, there is no requirement that the person hold a particular position or title in order to impute knowledge to the business associate.
Who Has To Be Notified? Who must be provided the notification depends on (1) who discovered the breach (i.e., group health plan or business associate); and (2) the number of individuals impacted. If the business associate discovers the breach (i.e., makes the assessment that a violation of a HIPAA Privacy Rule poses a significant risk of harm), the business associate must provide notification of the breach to the group health plan. If the group health plan discovers the breach (i.e., makes the assessment that a violation of a HIPAA Privacy Rule poses a significant risk of harm), the group health plan’s notification responsibilities are considerably more onerous. And, in some cases, the media must be notified.
Note: There remains some uncertainty regarding the time frames for notification where the business associate discovers the breach and notifies the group health plan. It is not clear whether a separate time frame applies to the group health plan based upon the date the business associate’s notification is received; or whether the notification to the group health plan by the business associate and the subsequent notification by the group health plan must all take place within a single time frame. Additional regulatory guidance is anticipated.
Department of Health and Human Services. A special timing rule applies to notifications to the Department of Health and Human Services (HHS). If the breach involves 500 or more individuals, the group health plan must notify HHS immediately (i.e., concurrently with the notification to the individuals). If the breach involves fewer than 500 individuals, no immediate notification is required. Instead, the group health plan must keep a log of all such breaches occurring during a calendar year and notify HHS of them within the first sixty (60) days of the following year.
Media Notification. Where the breach involves more than 500 residents of any one state or jurisdiction, the group health plan must notify “a prominent media outlet” serving that state or jurisdiction. The notification must be made within the same time frame as the individual notice (described above) and must include the same information provided in the individual notification (described below).
Individual Notification. The notification to the individual must include the following information:
- a description of what happened;
- a description of the types of unsecured PHI involved;
- the steps individuals should take to protect themselves;
- a description of what is being done to investigate the breach, mitigate harm to individuals, and protect against future occurrences; and
- contact information for people with questions.
In general, the notification should be in writing and mailed first class to the individual’s last known mailing address. Notification can be provided electronically if the individual agrees.
Action Items. In light of the new breach notification requirements included in the HITECH Act, we recommend employers sponsoring group health plans and business associates working with group health plans take the following actions:
- prepare a policy & procedure reflecting the new requirements;
- develop a skeleton template for providing the required breach notifications that ensures all required elements will be addressed;
- modify business associate agreements and/or administrative services agreements to address each respective party’s obligations with respect to breaches and notifications upon the discovery of a breach;
Note: The other changes to HIPAA by the HITECH Act will require additional changes to the business associate agreement. Group health plans and business associates may want to incorporate all of the new requirements into a single amendment to the business associate agreement.
- review existing HIPAA violation detection practices and evaluate whether they are adequate to satisfy the “reasonable diligence” standard applicable for determining when a breach is deemed to be discovered; and
- train workforce members to identify breaches and report them to the appropriate person within the organization.
Remember: If any person other than the person that committed the HIPAA Privacy Violation knows, or reasonably should have known of, the facts and circumstances constituting a breach, that knowledge is imputed to the entity as a whole (e.g., group health plan, business associate).
Please contact us if you have questions regarding the requirements, or if you need our assistance with any of the foregoing action items.
__________________________________________________________________
The information contained in this ALERT is intended for general information purposes only and does not constitute legal advice relative to a specific situation.