September 8, 2009
The Health Information Technology for Economic and Clinical Health (HITECH)
Act, which was enacted as part of the American Recovery and Reinvestment Act of
2009, contains several significant changes to the privacy rules contained in the
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HITECH requires that covered entities subject to the HIPAA privacy
rule and their business associates must provide notice when unsecured protected
health information has been breached. The Department of Health and Human
Services (HHS) issued the
interim final rule for this new security breach notification requirement on
August 24, 2009.
Implications of a HIPAA Security Breach
HITECH requires notice to affected individuals, HHS and possibly the media
when HIPAA-covered entities and their business associates discover a breach of
unsecured protected health information (PHI). For purposes of this new
regulation, a breach is defined as the acquisition, access, use or disclosure of
PHI in violation of the HIPAA privacy rule that compromises PHI security or
privacy.
Unsecured PHI is PHI that is not secured through the use of the technology or
methodology specified by the HHS Secretary through published guidance. The
interim final rule specifies encryption and destruction technology as the only
“safe harbor” methods for rendering PHI secure. Thus, disclosure of PHI that is
secured by either encryption or destruction technology does not trigger a breach
or a breach notification requirement.
When analyzing potential security breaches, the covered entity or business
associate must first determine whether an impermissible use or disclosure of PHI
has occurred. If there has been no HIPAA privacy rule violation, there can be no
breach under the HITECH interim final rule.
The covered entity or business associate must then conduct a risk assessment
to determine – and document – whether the impermissible use or disclosure has
compromised PHI security or privacy. In order to reach the harm threshold for a
breach, the incident must create “a significant risk of financial, reputational,
or other harm to the individual” (or individuals, if a group is affected) when
the use or disclosure occurs. The interim final rule includes a list of factors
for a covered entity to consider when conducting its risk assessment.
Finally, unless the incident falls under one of the exceptions noted in the
breach definition under the interim final rule, the incident constitutes a
breach requiring notification.
Breach Timing
Breaches are treated as discovered on the first day that they are known or
would be known to the covered entity or business associate by exercising
“reasonable diligence.” The breach is considered discovered when the incident
becomes known – not when the covered entity or business associate concludes its
analysis of whether the incident constitutes a breach.
Breach Notification Requirements
After performing the risk assessment relating to the incident and determining
that a breach occurred, a notification must be made within 60 calendar days
after the date on which the covered entity or business associate discovered the
breach. The specific notification requirements under the interim final rule are
as follows:
Notice to Individuals.
Affected individuals must be notified without reasonable delay, but in no
case later than 60 calendar days after discovery. The notices must be
written in plain language and include basic information that is detailed in
the interim final rule. Under certain circumstances, a substitute notice may
be used.
Notice to Media.
If a breach affects more than 500 residents of a state or smaller
jurisdiction (such as a county, city or town), the covered entity or
business associate must also notify a prominent media outlet that is
appropriate for the size of the location with affected individuals. The
preamble to the interim final rule indicates that the notice may be provided
in the form of a press release.
Notice to HHS.
Information regarding breaches involving 500 or more individuals
(regardless of location) must be submitted to HHS at the same time that
notices to individuals are issued. If a particular breach involves fewer
than 500 individuals, the covered entity or business associate will be
required to keep track of all breaches and to notify HHS within 60 days
after the end of the calendar year. HHS will provide instructions on its
website regarding the content and manner of such notices.
Notice by Business Associates to Covered Entities.
Business associates of an employer-sponsored group health plan must
notify the covered entity/group health plan sponsor if the business
associate incurs a breach of unsecured PHI. Notice must be provided without
unreasonable delay and in no case later than 60 days after discovery of the
breach.
Effective Date of New Rules
Due to the timeframe within which Congress required HHS to issue final
regulations, the August guidance was issued as an interim final rule that
becomes effective for breaches occurring on or after September 23, 2009.
However, because of the short turnaround time, a continuing comment period and
the additional business associate guidance still to be issued, there may be
additional revisions to the interim final rule.
HHS has indicated that it will not impose sanctions for failure to provide
notifications that are discovered in the period ending 180 days after the date
of publication of the interim final rule (February 22, 2010) in order to provide
covered entities and business associates time to implement compliance
procedures. However, covered entities and business associates are expected to
maintain compliance during the transition period and to implement necessary
changes to HIPAA privacy policies and procedures, as outlined below. HHS will
assist covered entities and business associates with achieving compliance
through further technical assistance and voluntary corrective action.
What Employers Should Do Now
With the compliance time frame fast approaching, group health plan sponsors
should begin their compliance efforts now. Most of the compliance procedures
outlined below should be included in the HIPAA privacy policies and procedures
maintained by the plan.
- Develop policies and procedures for determining
whether a breach has occurred. Issues to cover include:
- Steps for identifying a potential breach incident.
- Steps for determining whether the incident is an impermissible use
or disclosure of PHI under the HIPAA privacy rule.
- Steps for performing a risk assessment analysis to determine the
level of harm that the breach has caused to any individuals.
- Steps to ensure that affected individuals, the media and/or HHS
receive proper notification, as required.
- Documentation for each step of these processes.
- Discussion of the new policies and procedures with the employer’s
HIPAA privacy officer, who will be responsible for this additional
enforcement.
- Provide additional training on the security breach notification
requirements to group health plan employees and related staff.
- Work with each business associate regarding implementation of policies
and procedures relating to group health plan operations. Issues to cover
include:
- Requesting a copy of the security breach notification policies and
procedures that the business associate will implement.
- Discussing the reporting of reportable and non-reportable breaches
to the employer.
- Determining the role of the business associate in identifying
breaches and suspected breaches related to the business associate’s
service agreement.
- Allocating responsibility for fulfilling the notification
requirements when a reportable breach has occurred and maintaining any
related data required under the interim final rule. (Design Point: We
recommend that covered entities control the issuance of any required
notification).
- Amending the indemnification provisions of the business associate
agreement to ensure that the appropriate party bears the costs
associated with the notification requirements and liability for failure
to comply with them.
Employer Responsibility
Generally, the group health plan (as the covered entity) will have the
ultimate responsibility to ensure that breaches are identified and assessed and
that notifications are provided. However, business associates (e.g., third-party
administrators and claims administrators) will often be in the best position to
investigate potential breaches and determine whether, in fact, a breach has
occurred; whether the harm is significant; and what notification, if any, is
required.
The covered entity and the business associate should agree on which party
will carry out the breach determination, based on which party has responsibility
for the breach and which has access to information related to the incident.
Similarly, parties should negotiate the level of control that the covered entity
will have over the content of each notification. Unless service agreements with
business associates include language on these points, the employer sponsoring
the group health plan will be responsible for handling the breach.
To this end, the McGuireWoods LLP Employee Benefits Group is updating its
HIPAA compliance program to steer employers through the steps necessary to
comply with the new guidance. The program offers an examination of existing plan
documents and HIPAA privacy policies and procedures, as well as model documents.
The program also guides employers through the process of implementing changes to
administrative policies and practices and offers training to ensure that
administrative team members are equipped to meet the new requirements.
Further, we will continue to keep you up-to-date with the rapid developments
and shifting landscape in HITECH compliance.
For additional information, please contact the authors or any member of the
McGuireWoods LLP
Employee
Benefits or Labor &
Employment teams.