On August 24, 2009, the Department of Health and Human Services (HHS) issued new regulations requiring health care providers and other entities subject to the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their unsecured protected health information (PHI) is breached. The regulations implement breach notification requirements enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Overview of Regulations
The regulations require HIPAA covered entities to notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed following a breach of that unsecured PHI. A "breach" is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.
The Act defines "unsecured" PHI as PHI that is not secured through the use of a methodology that renders PHI "unusable, unreadable or indecipherable to unauthorized individuals." HHS issued guidance on April 17, 2009, identifying two methods for securing PHI: encryption and destruction. Covered entities that take the steps specified in the HHS guidance to secure PHI will not be required to provide the notifications required by the breach notification regulations in the event of a breach.
Determining when Notification is Required
The regulations set forth the following three-step process to follow in determining when a breach notification must be made:
Step One: The covered entity must determine whether there has been an impermissible use or disclosure of unsecured PHI under the HIPAA Privacy Rule.
Step Two: The covered entity must determine whether the violation poses a significant risk of financial, reputational or other harm to an individual. Covered entities must perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible disclosure.
Step Three: Finally, a covered entity must determine whether the incident is excluded from the definition of "breach" because it satisfies a statutory exception set forth in the HITECH Act.
Timing and Content of Notification
If a covered entity determines that notice is required, the covered entity is required to notify each individual whose PHI is reasonably believed to have been accessed. Covered entities must deliver notices to individuals "without unreasonable delay" but no later than 60 calendar days after discovery of the breach. Breaches will be treated as "discovered" on the first day that the breach is known to the covered entity, or when, by exercising reasonable diligence, the breach would have been known to the covered entity.
Notifications must be written in plain language and must include, among other things, (i) a brief description of the breach, including the date the breach was discovered, if known; (ii) a description of the types of PHI subject to the breach; (iii) steps individuals should take to protect themselves from potential harm resulting from the breach; (iv) a brief description of the steps the covered entity is taking to investigate the breach, mitigate harm, and protect against future breaches; and (v) contact information for individuals to ask questions, including a toll-free number, email address, website, or postal address.
Manner of Providing Notification
Notices must be delivered by first-class mail to the last known address of the affected individual or via email if the affected individual has agreed to email contact. If a covered entity does not have sufficient contact information for some or all of the affected individuals, or if some notices are returned as undeliverable, the covered entity must provide substitute notice for the unreachable individuals.
Notice to HHS
If the breach affects more than 500 individuals, notice must be made to HHS contemporaneously with the notification to the affected individuals. If fewer than 500 individuals are affected, the covered entity must maintain a log of any such breaches, and submit the log annually to HHS no later than 60 days following the end of the calendar year.
Notice to the Media
If the breach affects more than 500 residents of a particular state or jurisdiction, the covered entity must notify "prominent media outlets" of the state or jurisdiction of the breach without unreasonable delay, but no later than 60 calendar days after discovery of the breach. There is no uniform definition of a "prominent local media outlet." Depending on the circumstances, an appropriate media outlet may include a local television station or a newspaper.
Obligations of Business Associates
The regulations require a business associate of a covered entity to notify the covered entity when it discovers a breach of unsecured PHI. The business associate must provide notice of a breach to a covered entity without unreasonable delay, but in no case later than 60 days following the discovery of a breach. To the extent possible, business associates must provide affected covered entities with the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached.
Effective Date
The regulations will become effective on September 23, 2009, but HHS has indicated that it will not impose penalties based on violations of the regulations prior to February 22, 2010. However, covered entities and business associates are expected to comply with the breach notification regulations during this interim period.
HIPAA covered entities and business associates must act quickly to implement the requirements set forth in the regulations. Steps to take include the following:
- Determine whether PHI is "secured" in accordance with the HIPAA Privacy Rule and HHS guidance.
- Develop policies and procedures for breach notifications and securing PHI.
- Revise business associate agreements to address breach notification obligations.
- Train employees regarding the new breach notice requirements.