As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act. Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules. That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS’s Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR’s web site. This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.
The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach. Business associates who discover a breach must notify the covered entity.
By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial “harm threshold” to this requirement: covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual. This “harm threshold” essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause “significant harm” to the affected person.
The HITECH Act defines “breach” as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The Act includes two important (albeit vague) exceptions to this definition for cases in which: (1) “the unauthorized acquisition, access, or use of PHI is unintentional and made by an employee or individual acting under authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed”; or (2) “where an inadvertent disclosure occurs by an individual who is authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, as long as the PHI is not further acquired, accessed, used, or disclosed without authorization.
The HITECH Act imposes a similar notification requirement on a business associate “that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured” PHI. In the event of a breach, the business associate shall provide notice to the covered entity, including “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.”
The term “unsecured protected health information” refers to PHI that is not secured through the use of a “technology or methodology” specified by the Secretary in a “Guidance” issued as part of the breach notification regulation in the Federal Register on August 24, 2009 (see link above). The Guidance, which is to be updated annually, specifies two basic ways of rendering PHI “secure:” encryption and destruction. Electronic PHI must be properly encrypted “by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.” The Guidance provided an exhaustive list of technologies which would encrypt PHI, referencing “approved” processes and methods from the National Institute of Standards and Technology (NIST). Electronic PHI may be properly destroyed in the hard copy media (e.g., paper, tapes) on which the PHI is stored is shredded or destroyed “suchin such a way “that the PHI cannot be read or otherwise cannot be reconstructed;” electronic media containing PHI “must be cleared, purged, or destroyed consistent with NIST [Guidelines] such that the PHI cannot be retrieved.”
Securing PHI in accordance with this Guidance will be the safest way to protect a healthcare organization from a serious breach of patient data privacy. Organizations that suffer a breach involving disclosed, stolen or lost data that was not “secured” may be subject to a wide range of newly established breach notification requirements. It is important to note, however, that for both covered entities and business associates, the breach shall be deemed to have been discovered on the first day on which it is “known to such entity or associate.” The term “known” means that the circumstances of the breach are known by any “employee, officer, or other agent of such entity or associate,” other than the person who committed the breach. Furthermore, all notifications (by both covered entities and business associates) must be made “without unreasonable delay,” which, in Congressional time, means no later than 60 calendar days after discovery of the breach. The entity making the notification has the burden of demonstrating that all required notifications were made, as well as explaining the necessity of any delay.
There is a lot more information that covered entities and business associates must know about the new rules, including, for example, requirements regarding the content of breach notices. For more information on these matters, please do not hesitate to contact us.