Responding to breaches of unsecured health data
| September 2, 2009
| Healthcare Group
Effective September 23, 2009, you may be required to know, and be ready to implement, new data breach response protocols for unsecured protected health information (PHI). The government has just released its interim final rule on the subject, and there are significant changes for which you need to be prepared if you are a HIPAA covered entity, a business associate, a vendor of personal health records or a vendor's third party service provider.
General notification rule
At the most basic level, the regulations (and the HITECH Act that preceded them) require any covered entity discovering a breach of unsecured PHI to notify each individual whose unsecured PHI was (or is reasonably believed to have been) accessed, acquired, used or disclosed as a result of that breach. In certain circumstances, the covered entity must give additional notice to the media and/or the Secretary of Health and Human Services. The covered entity bears the burden of demonstrating either that it complied with the notification requirements or that the impermissible use or disclosure of unsecured PHI did not constitute a breach, so the risk assessment and the decision it supports must be documented. Below are some key questions and answers to help you understand the new rules.
What is unsecured PHI?
Unsecured PHI is protected health information that has not been rendered unusable, unreadable or indecipherable to unauthorized persons by encryption or destruction, using the methods specified in HHS guidance (the guidance points to the NIST standards for encryption of data at rest and in transit, and to NIST media sanitization guidance for destruction). Two caveats matter in practice: encryption only takes PHI out of the "unsecured" category if the decryption key has not also been compromised, which is why HHS expects keys to be stored on a device or at a location separate from the data they protect; and for paper records, redaction is not destruction, the records must be shredded or destroyed so that the PHI cannot be read or reconstructed.
What is a breach?
A "breach" requiring individual notification occurs when the acquisition, access, use or disclosure of PHI violates the HIPAA Privacy Rule and poses a significant risk of financial, reputational or other harm to the individual. This harm threshold requires covered entities and business associates to perform, and document, a risk assessment whenever they discover an impermissible use or disclosure, to determine whether notification is required. There are a number of statutory exceptions covering certain unauthorized acquisitions, accesses, uses or disclosures of PHI that pose a low level of risk and are not considered breaches. In general, these exceptions apply to certain unintentional or inadvertent acquisitions and disclosures by or between authorized persons where there is no further use or disclosure of the information, and to instances where there is a good faith belief that the unauthorized person receiving the disclosure would not reasonably have been able to retain the information.
When is a breach discovered?
A breach is "discovered" as of the first day on which the covered entity or business associate knew of the breach, or would have known of it had it exercised reasonable diligence. Importantly, the regulations impute the knowledge of any "workforce member" or agent (other than the person committing the breach) to the covered entity or business associate. Workforce members and agents can include independent contractors and vendors acting on your behalf, which highlights the importance of adequately training employees, agents and contractors on HIPAA generally, and especially on breaches of unsecured PHI. It also highlights the need to ensure that your entire workforce understands the obligation to report a suspected breach promptly to your privacy officer or another responsible official within your organization, because the notification clock starts when any of them learns of it, not when the report reaches the privacy officer.
How quickly do I need to provide notice of a breach?
Covered entities must notify individuals affected by a breach "without unreasonable delay" and in no case later than sixty calendar days after discovery of the breach. HHS stresses that covered entities are expected "to make the individual notifications as soon as reasonably possible" and should not treat the sixty day limit as a target. Business associates must notify the covered entity to which the breached information relates within the same timeframe in order to facilitate timely notice to the affected individuals. Note that where a business associate is acting as the covered entity's agent, its discovery of the breach is imputed to the covered entity, so the covered entity's sixty days run from the business associate's discovery, not from the date the business associate reports it. You should review and update, if necessary, your business associate agreements to make this requirement (and the timeframes) clear.
What does the notice have to say?
New commentary provides useful guidance on what should and should not be included in this notification. The notification must include the following information:
- A brief description of the breach, including the date on which it occurred and the date on which it was discovered, if known;
- A description of the types of unsecured PHI involved (for example, name, date of birth, Social Security number, account number or diagnosis). This description should not list the actual PHI that was breached;
- The steps that affected individuals should take to protect themselves from potential harm resulting from the breach;
- A description of the actions that the covered entity is taking to mitigate the damages of the breach as well as the steps being taken to prevent future breaches; and
- Contact information for those individuals who may have questions about the breach.
Business associates should provide the same level of information when they report a breach to a covered entity, to the extent possible (keeping in mind that business associates may have access only to limited data, and the covered entity remains responsible for notifying the individuals).
How do I give notice?
Written notice generally is required by first class mail, though it may be provided by email if the individual has agreed to receive notice electronically. If a covered entity has insufficient or out-of-date contact information, it must provide "substitute notice" reasonably calculated to reach the individual. The form of substitute notice depends on the number of individuals for whom the covered entity has insufficient or out-of-date contact information, with ten individuals as the threshold: below that number, an alternative written notice, telephone call or other means suffices; at or above it, the covered entity must either post a conspicuous notice on the home page of its website or publish notice in major print or broadcast media, and in either case provide a toll-free number that individuals can call to learn whether their information was involved.
When do I have to notify the media?
The Act requires notice to prominent media outlets serving a State or jurisdiction when the breach involves more than 500 residents of that State or jurisdiction. Commentary in the interim regulations gives useful examples of what constitutes a "prominent media outlet" and of how to handle a breach involving residents of multiple States or jurisdictions through the media.
Which breaches require notification to HHS?
The notification requirements, including reporting to HHS, apply to breaches occurring on or after September 23, 2009. Every breach of unsecured PHI must ultimately be reported to HHS; the question is when. Breaches involving fewer than 500 individuals may be logged and submitted to HHS annually, no later than 60 days after the end of the calendar year in which they were discovered. Breaches involving 500 or more individuals must be reported to HHS at the same time as notice is given to the affected individuals, that is, without unreasonable delay and in no case later than 60 days after discovery.
What if law enforcement asks me not to disclose a breach?
A covered entity may delay notification of a breach to individuals, the media or HHS if a law enforcement official states that notification would impede a criminal investigation or damage national security. The permitted length of the delay depends on how the request is made: if the official makes the statement in writing and specifies a period, notification is delayed for that period; if the statement is made orally, the covered entity must document the statement and the identity of the official, and may delay notification for no more than 30 days unless a written statement is received in the meantime. You should consult the regulations and document the request carefully if such a request is made.