Breaking Benefits News:  August 27, 2009
Practice Area Members:
• Lesley A. Russo (Practice Area Contact)
• Erin C. V. Bailey
• Lenna R. Chambers
• Lynn S. Clarke
• Jill E. Hall
• Melody A. Simpson

Bowles Rice Related Practice Areas:
• Employee Benefits, Executive Compensation & ERISA
• Education
• Commercial & Financial Services
• Labor & Employment
• Tax

This "Breaking Benefits News" e-alert provides information about recent developments in legislation impacting areas of Employee Benefits and/or Executive Compensation that can affect your business.

New HIPAA Privacy Breach Rules Require Immediate Action – Steep Penalties for Noncompliance

By Lenna R. Chambers

Any entity subject to the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), namely health care providers, health plans and health care clearinghouses (collectively, “covered entities”) and entities that perform services for covered entities involving protected health information (“business associates”), faces a new obligation under an interim final rule issued by the U.S. Department of Health and Human Services (“HHS”): effective September 23, 2009, these entities must notify affected individuals of any breach of unsecured protected health information (“PHI”).

HIPAA covered entities and their business associates should act now to review the new rules, adopt a breach notification policy and procedure, and consider ways to minimize the risk of having to carry out these potentially expensive requirements. Civil penalties for noncompliance with any of HIPAA’s provisions, including the new breach notification rules, now range from $100 to $50,000 per violation depending on the level of culpability, subject to an annual cap of $1.5 million for identical violations.

Applicability: The Interim Final Rule (the “Rule”) requiring notification of breaches of unsecured PHI was promulgated under Section 13402 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The Rule’s provisions are triggered by a “breach” of “unsecured PHI.” A “breach” occurs when PHI is acquired, accessed, used or disclosed in a manner not permitted under the existing HIPAA Privacy Rule, and that acquisition, access, use or disclosure compromises the security or privacy of the PHI by posing a significant risk of financial, reputational or other harm to the individual. “Unsecured PHI” is PHI that has not been rendered “unusable, unreadable, or indecipherable” to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS in guidance. Along with the Rule, HHS updated its “encryption guidance,” which identifies only two methods that qualify: encryption consistent with the National Institute of Standards and Technology (“NIST”) standards cited in the guidance, provided the decryption key has not itself been compromised, and destruction of the media on which the PHI is stored. Access controls or redaction alone do not make PHI “secured.” Note that a parallel rule issued by the Federal Trade Commission applies similar notification requirements to vendors of personal health records and their third party service providers.

Notification Requirements: Prior to the enactment of the HITECH Act, HIPAA’s privacy and security rules did not require individuals to be notified when a breach of PHI occurred, although some entities voluntarily notified affected individuals as a measure to mitigate the risks of such breaches. The Rule, once effective, requires covered entities to notify affected individuals upon discovering a breach of unsecured PHI, in compliance with the Rule’s provisions regarding timeliness, content and method. A breach is treated as “discovered” on the first day it is known to the entity or, through the exercise of reasonable diligence, would have been known to it. Notification must be made without unreasonable delay and in no case later than 60 calendar days after discovery, and must include a brief description of what happened, the types of unsecured PHI involved, any steps affected individuals should take to protect themselves from harm, what the covered entity is doing to investigate and mitigate potential harm, and contact procedures for individuals to ask questions or learn additional information. Written notice by first-class mail to each affected individual is generally required, but the Rule also includes provisions allowing for substitute notice where contact information is insufficient, including, in some cases, notice through major print or broadcast media. Where a breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must also be notified, and every breach must be reported to HHS, immediately if it affects 500 or more individuals and otherwise in an annual log.

Business associates are required to notify the covered entity without unreasonable delay, and in no case later than 60 calendar days after discovering a breach, so that the covered entity can carry out the notification requirements described above. Generally, the covered entity’s own 60-day period then runs from its receipt of the business associate’s notice. However, where the business associate is acting as the covered entity’s agent, the Rule imputes the business associate’s discovery of the breach to the covered entity, in which case only one 60-day period, measured from the business associate’s discovery, is available to the covered entity.

HIPAA’s Security Rule Not Modified: Neither the Rule nor the encryption guidance modifies HIPAA’s Security Rule, which requires covered entities to protect electronic PHI through administrative, physical and technical safeguards that are reasonable and appropriate for the entity. Under the Security Rule, encryption is an “addressable” implementation specification: an entity may conclude, after a documented risk analysis, that encryption is not reasonable and appropriate in its circumstances and adopt an alternative measure. The breach notification Rule does not defer to that judgment. A covered entity that chooses not to encrypt in the manner described in the guidance still holds “unsecured” PHI and will be required to give notice if that PHI is breached, even though it is in full compliance with the Security Rule.

Limit Your Risk: Every covered entity and business associate should adopt a breach notification policy and procedure before a breach of unsecured PHI occurs. At a minimum, the policy should identify who will investigate potential breaches to determine what occurred and whether the notification requirements apply, how notice will be given, how the company will mitigate harm, and who will be responsible for communicating with affected individuals, with any business associates or covered entities involved, with HHS and with the media. In addition, because a breach is treated as discovered once it could have been detected with reasonable diligence, covered entities and business associates should have systems and procedures in place to detect breaches, such as logging and regular review of access to PHI and a clear channel for workforce members to report suspected incidents.

Covered entities and business associates should become familiar with the encryption guidance and consider implementing the approved technologies and methodologies so that their PHI is “secured” and therefore exempt from the notification requirements if it is lost or improperly accessed. Encryption provides this protection only if the decryption key is kept separate from the encrypted data and is not itself compromised; a lost laptop or backup tape is still a breach of unsecured PHI if the key travels with it. Covered entities and business associates should also consider addressing the issues raised by these new requirements, such as the cost and timing of notification, the allocation of responsibility for investigating incidents, and the adoption of the encryption guidance, in all of their Business Associate Agreements.

In issuing the Rule, HHS stated that it would exercise its enforcement discretion and not impose sanctions for failures to provide notification of breaches discovered before February 22, 2010, and that it would work with entities, through technical assistance and voluntary correction, to achieve compliance. However, establishing and implementing the policies and procedures, the encryption guidance, and the systems needed to detect breaches of PHI will undoubtedly take months, so this temporary reprieve should not be viewed as justification for postponing action.

HIPAA’s Privacy and Security Regulations, the breach notification regulations and the encryption guidance are available from HHS.

Don’t Forget: Other HIPAA Changes Go Into Effect Soon

The breach notification provisions are only one of many changes the HITECH Act makes to HIPAA. For example, effective February 17, 2010, business associates must comply directly with many of the requirements of HIPAA’s Security Rule, including the administrative, physical and technical safeguards for electronic PHI and the policies, procedures and documentation standards, and will be subject to the same civil and criminal penalties as covered entities for violations. Coming into compliance with these new rules will require business associates to perform an extensive review of their operations, which should be started as soon as possible.

If you need assistance in complying with the new breach notification provisions or any other compliance initiatives regarding HIPAA, please contact:

Lenna R. Chambers
lchambers@bowlesrice.com
304-347-1777

Patrick E. Clark
pclark@bowlesrice.com
304-347-1130

Lynn S. Clarke
lclarke@bowlesrice.com
304-347-2122



Disclaimer
Material contained in The Benefits Brief by Bowles Rice is provided as informational and not legal advice.  No person should act or rely upon the information contained in this publication without seeking the advice of an attorney.

Due to the rapidly changing nature of the law, information contained on the website may become outdated.  Anyone using these materials should always research original sources of authority and update this information to ensure accuracy when dealing with a specific matter.

This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship.  Internet subscribers and online readers should not act upon this information without seeking professional counsel.

Material in this e-publication should be considered advertising.


Circular 230 Notice
With respect to federal tax issues, no advice, statement or information contained in this communication is intended to be, or written for the purpose of being, (a) relied upon by a taxpayer as the exclusive basis to avoid penalties under the Internal Revenue Code, or (b) used in connection with the promotion, marketing or recommendation of any tax shelter product or tax shelter transaction.

Bowles Rice McDavid Graff & Love LLP
Charleston, WV   Martinsburg, WV   Morgantown, WV   Parkersburg, WV   Lexington, KY    Winchester, VA

This is an Advertisement.