hipaa breach notification rule contains some

advertisement
ALERT
HEALTH LAW
News Concerning
Recent Health Law Issues
AUGUST 27, 2009
HIPAA BREACH NOTIFICATION RULE CONTAINS SOME GOOD NEWS
Gregory M. Fliszar • 215.665.7276 • gfliszar@cozen.com
Judy C. Wang • 215.665.4737 • jwang@cozen.com
HIPAA BREACH NOTIFICATION UPDATE
n August 19, 2009, the U.S. Department of Health
and Human Services (“HHS”) released an interim
final rule implementing the breach notification
provisions of the Health Information Technology for Economic
and Clinical Health (“HITECH”) Act, which was passed as part
of the American Recovery and Reinvestment Act of 2009.
While the new regulation takes effect September 23, 2009,
HHS will not impose sanctions for failure to provide notifications
for breaches discovered before February 22, 2010. The good
news, therefore, is that covered entities have additional time
to become compliant.
O
As explained further below, the HITECH breach notification
law requires healthcare providers, health plans, and other
covered entities subject to the Health Insurance Portability
and Accountability Act (“HIPAA”) to notify individuals
promptly if their unsecured electronic health information has
been breached. Prompt notification must also be made to
the Secretary of HHS and the media when a breach affects
more than 500 individuals. Breaches affecting fewer than 500
individuals must be annually reported to HHS. The rule
further requires “business associates” of HIPAA covered
entities to notify the covered entity of breaches by the
business associate. Unlike covered entities, however, business
associates are not required to notify individuals whose
electronic health information has been breached.
The regulation contains two particularly important
provisions:
• A “risk of harm” trigger on the duty to report breaches; and
•
Clarification that encryption and destruction of protected
health information (“PHI”) in accordance with the
guidance issued by HHS at 74 Fed. Reg. 19006 (April 27,
2009), although not required, means that the PHI will not
be considered “unsecured" and, thus, will not be subject
to the breach notification rules.
HHS developed this regulation after close consultation with
the Federal Trade Commission (“FTC”), which has issued its
own breach notification regulations that apply to vendors of
personal health records and certain other entities not covered
by HIPAA. Despite the consultation between the two agencies,
the FTC has not adopted an explicit “risk of harm” threshold
for notification.
OVERVIEW OF HITECH BREACH NOTIFICATION PROVISIONS
Although HIPAA previously imposed a duty to mitigate the
effects of a breach of PHI, it did not require covered entities to
notify affected persons. HITECH adds a provision requiring
covered entities to notify individuals whose “unsecured PHI”
has been or is reasonably believed to have been accessed,
acquired, or disclosed as a result of a breach.
HITECH defines a “breach” as an unauthorized acquisition,
access, use, or disclosure of PHI that compromises the security
or privacy of such information. A breach does not include:
• any unintentional acquisition, access, or use of PHI by an
employee or someone acting under the authority of a
covered entity or business associate, if such acquisition,
access, or use was made in good faith and within the
scope of employment or other professional relationship
with the covered entity or business associate, and the PHI
was not further acquired, accessed, used, or disclosed; or
• an inadvertent disclosure that occurs by an individual
authorized to access PHI at a facility operated by a covered
entity to another similarly situated individual at the same
facility, so long as the PHI is not further acquired, accessed,
used, or disclosed without authorization.
HEALTH LAW ALERT | News Concerning Health Law Issues
The breach notification provisions are only triggered if there is
a breach of “unsecured PHI,” which HITECH defines as PHI that
is not secured through the use of a technology or methodology
specified by HHS. The final rule reiterates previous guidance
to the effect that encryption of electronic PHI and destruction
of electronic or paper PHI in accordance with the standards
set forth in the guidance create the functional equivalent of a
safe harbor, and thus, absolve covered entities and business
associates of the duty to provide notification of a breach.
The most important provision in the new regulation is the
“risk of harm threshold,” implemented, according to HHS, to
avoid unnecessary notifications and to make its rule consistent
with many state breach notification laws. The threshold limits
the definition of a breach to those situations where there is a
significant risk of financial, reputational, or other harm to the
individual. By way of examples, HHS cites several situations
that would not be a risk of harm, including instances in which:
(1) impermissibly disclosed PHI (such as within a stolen or
lost laptop) is returned prior to it being accessed or (2) a
covered entity takes immediate steps to mitigate the harm of
a breach, such as by obtaining the recipient's assurance that
the information will not be further disclosed. HHS makes it
clear, however, that a covered entity must conduct a risk
assessment before concluding that a particular breach did
not cause a risk of harm.
All required notifications must be made without “unreasonable
delay” and in no case later than 60 days after the discovery of
the breach. A breach is treated as “discovered” as of the first
day the breach is known or reasonably should have been
known to the covered entity or business associate. Business
associates must notify covered entities of any breaches they
have discovered, however, neither HITECH nor the regulation
provides a timeline for such notification. The covered entity
must then notify the affected individuals.
NEXT STEPS
Currently, 45 states have their own breach notification laws,
which may have criteria and methods of notification that differ
from HITECH’s requirements. Thus, it is important to become
familiar with your state's breach notification laws as well as
HITECH’s. Although HITECH preempts state law as to health
information, many state laws encompass other “personal
information.” Therefore, if the breach included a social security
number, for example, covered entities could be required to
comply with both HITECH and the state law.
Note also, that HITECH requires business associates to inform
the covered entity of a breach; however, it provides no timeline
as to when this must be done. As the 60 day timeline for
notification to individuals of a breach begins to run from the
time the breach is first discovered by either the covered entity
or business associate, covered entities may need to negotiate
and include in their business associate agreements a timeframe
within which the business associate must inform the covered
entity of a breach.
Also, because compliance with the data encryption and data
destruction standards is the functional equivalent of a safe
harbor, covered entities should move now toward meeting
those standards to secure their PHI.
For more information about this Alert, please contact any
member of our health law group.
COZEN O’CONNOR HEALTH LAW PRACTICE GROUP
Mark H. Gallant, Co-Chair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215.665.4136 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .mgallant@cozen.com
John R. Washlick, Co-Chair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215.665.2134 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .jwashlick@cozen.com
Gregory M. Fliszar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215.665.7276 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .gfliszar@cozen.com
Katherine M. Layman . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215.665.2746 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .klayman@cozen.com
Melanie K. Martin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215.665.2724 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .mmartin@cozen.com
E. Gerald Riesenbach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215.665.4159 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .griesenbach@cozen.com
Salvatore G. Rotella, Jr. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215.665.3729 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .srotella@cozen.com
Judy C. Wang . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215.665.4737 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . jwang@cozen.com
Atlanta • Charlotte • Cherry Hill • Chicago • Dallas • Denver • Harrisburg • Houston • London • Los Angeles • Miami • Newark • New York Downtown
New York Midtown • Philadelphia • San Diego • Santa Fe • Seattle • Toronto • Trenton • Washington, DC • West Conshohocken • Wilkes-Barre • Wilmington
© 2009 Cozen O’Connor. All Rights Reserved. Comments in the Cozen O’Connor Alert are not intended to provide legal advice. The analysis, conclusions, and/or views
expressed herein do not necessarily represent the position of the law firm of Cozen O’Connor or any of its employees, or the opinion of any current or former client of Cozen
O’Connor. Readers should not act or rely on information in the Alert without seeking specific legal advice from Cozen O’Connor on matters which concern them.
Download