By: Aaron W. Brooks
In February 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) as part of the American Recovery and Reinvestment Act of 2009. Included within the statute was a new rule that anyone covered by the HIPAA privacy and security regulations must give certain notifications when they experience a “breach” of certain health information. Congress directed the Department of Health and Human Services (“DHHS”) to write a set of regulations to implement the new breach notification requirements, and those regulations were issued on August 24, 2009.
When Did They Go Into Effect?
The new regulations apply to “breaches” that occurred on or after September 23, 2009. The State of Illinois has also passed the Personal Information Protection Act, which has breach notification requirements similar to the new HIPAA regulations. The Illinois statute has been effective since January 1, 2006. Thus, “breaches” of covered information must be addressed under both laws.
What Situations Are Covered?
The new regulations apply to a “breach” of certain types of health information. The term “breach” has a technical definition with several exceptions, but generally means a scenario where information is accessed, used, or disclosed in a manner that poses significant risk of financial, reputational, or other harm to the individual.
What Happens After A Breach?
When a breach occurs, the covered entity must notify the affected individuals “without unreasonable delay” (but in no case later than 60 days after the first day on which the covered entity would have discovered the breach had it been exercising reasonable diligence). Under certain circumstances, a covered entity may be required to delay notice because of law enforcement activity.
A notice must contain several specific elements that are outlined in the new regulations. Generally, the notice must be sent via first-class mail to the last known address of the individual, but other notification methods are described in the regulations. If the breach involves more than 500 people, additional notifications must be given. The DHHS must also be notified of all reportable breaches.
Are There Exceptions?
Not every situation requires notice, because not every loss of information is considered a “breach”. The most important exception relates to information that is properly secured or encrypted.
On April 17, 2009, the DHHS issued guidance about how to render information secure. The guidance is clear that its methodologies are not merely examples, but are the exclusive methods of securing information for purposes of the breach notification rules. The DHHS guidance is highly technical; however, it may be summarized by saying that electronic data must be encrypted using methodologies approved by the National Institute of Standards and Technology (“NIST”). Paper and other physical forms of information must be shredded or destroyed such that they cannot be read or reconstructed.
Other exceptions may apply on a case-by-case basis. The exceptions are fact intensive and require the exercise of discretion. Thus, a decision not to issue a breach notification should be made only in consultation with competent legal counsel.
Covered Entities and their business associates should begin doing four things immediately. First, consideration should be given to how the entity will monitor its information to ensure that it becomes aware of a breach in a timely fashion. The time allowed to give a breach notification begins ticking when the entity should have known about the breach using reasonable diligence, not when the entity actually became aware of the breach. Thus, a proactive approach is necessary.
Second, information security policies must be modified to incorporate the new breach notification requirements. These modifications should conform with identity theft policies and procedures (such as policies that may have been implemented based on the FTC “Red Flags Rule”) so that all information security and loss procedures work together.
Third, and to the greatest extent possible, information should be made “secure” as defined by the DHHS guidance. If information is “secure” when it is lost or a system is improperly accessed, the breach notification requirements are not triggered.
Finally, business associates should be contacted and business associate agreements should be amended. The breach notification requirements apply directly to all business associates, but they are only required to give notice to their covered entities. The timing and procedure for doing this should be understood and agreed upon. Also, business associates should be required to make their protected health information (“PHI”) “secure” wherever reasonable, to reduce all parties’ compliance obligations.
Aaron Brooks is Of Counsel to HolmstromKennedyPC in Rockford, where he serves as the firm’s Chief Information Officer and Intellectual Property practice group leader. His practice focuses on technology-based transactions, privacy law and information security.