Jackson Lewis

HHS Issues HIPAA Breach Notification Rules: New Mandate for Covered Entities and Business Associates

Beginning September 23, 2009, covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA) will be required to notify individuals affected by certain “breaches” of unsecured protected health information. The notification mandate, enacted under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, as part of the American Recovery and Reinvestment Act of 2009 (ARRA), was signed into law by President Barack Obama on February 17, 2009. Following the general framework established by the 45 states that have adopted similar laws over the past few years, the Department of Health and Human Services (HHS) issued interim final regulations on August 24, 2009, interpreting the new notification requirement.

While not an expansive description of the new rules, this article discusses some of the key points of the regulations and some preventive strategies to assist you with being prepared should a breach occur.

Who is affected by this change?

The HHS regulations generally apply to HIPAA “covered entities” and “business associates.”

Covered entities include most health care providers, health plans and health care clearinghouses. This means that if your company sponsors a fully-insured group health plan and one of your laptops that contained enrollment information constituting protected health information is lost or stolen, you may need to notify the affected individuals. Likewise, if you operate a HIPAA-covered medical practice and become aware that a member of your staff impermissibly downloaded patient protected health information to his or her personal computer in violation of HIPAA, you likely will be required to notify affected patients.

Business associates also have notification obligations under the HITECH Act. Assume, for example, a business associate of your health plan, such as an employee benefits broker or consultant, learns that its systems were hacked into, resulting in impermissible access to unsecured protected health information of your plan participants. In this instance, assuming no exception applies, the business associate would be required to notify your plan, the covered entity in this case. In turn, your plan would be required to notify the affected plan participants.

Note also that under separate regulations issued by the Federal Trade Commission (FTC), vendors of personal health records have similar breach notification obligations. In some cases, an entity can be subject to both the HHS and the FTC regulations. While the FTC regulations are beyond the scope of this article, companies handling certain personal health records should be aware of the FTC requirements and, in particular, where they intersect with the HHS regulations.

Preventive Strategy – Covered entities and business associates should review their policies and develop a plan for responding to a breach, should one occur. The breach notification plan should cover steps for determining, among other things: (i) whether a breach has occurred, (ii) whether the breach requires notification, (iii) the content of the notification, (iv) how to coordinate conflicting state and federal notification laws, and (v) the vendors who will assist in the notification process – such as data monitoring providers, public relations consultants, call center services, legal counsel and so on. 

What is a breach?

The term “breach” means the “acquisition, access, use or disclosure of protected health information in a manner not permitted [under the privacy regulations] which compromises the security or privacy of the protected health information.” A breach will compromise security or privacy if it “poses a significant risk of financial, reputational or other harm to the individual.” The regulators instruct that determining whether there is significant risk of harm to an individual will require assessing a number of factors, such as who impermissibly used the information, and the type and amount of the information.

Preventive Strategy – The regulators remind covered entities and business associates that many forms of health information should be considered sensitive when assessing the potential for reputational harm, especially considering fears about employment discrimination. Thus, when investigating whether a breach has occurred, covered entities and business associates should think carefully about the nature of the information involved and how access to that information could cause harm to an individual.

Do all breaches require notification?

No. Covered entities and business associates must do the following to determine whether notification is required under the HHS regulations:

  • Determine if there has been an impermissible use or disclosure under the HIPAA privacy regulations.
  • Determine (and document) if the impermissible use or disclosure compromises the privacy or security of protected health information.
  • Determine whether any exceptions apply.
  • Determine whether the breach involves unsecured protected health information.

With three exceptions, notification generally is required in the case of an impermissible use or disclosure of unsecured protected health information that compromises the privacy or security of the information.

These are the three exceptions:

  • Unintentional acquisition, access or use: This applies where the acquisition, access or use was made in good faith, within the course and scope of employment or other professional relationship, and does not result in further use or disclosure.
  • Inadvertent disclosure: This covers disclosures from an otherwise authorized individual to another similarly-situated individual at the same facility, if the information is not further used or disclosed without authorization. The preamble to the regulations clarifies that “facility” does not mean the particular building, but the same covered entity or business associate.
  • Inability to retain the information: This applies where the unauthorized person to whom the protected health information was disclosed would not have been able to retain the information. For example, a human resources employee acting for the company health plan may have sent protected health information to the wrong employee via interoffice mail. If the HR employee retrieves the envelope before the employee could open it, it would not constitute a breach. 

Preventive Strategy – Be certain you are dealing with “protected health information” under HIPAA. Employment records, such as FMLA leave certifications or medical documentation obtained in the ADA interactive process, in the hands of the employer do not constitute protected health information, even though the records include individually identifiable health information. Note, however, that breaches of employment records containing health information or other personal information still may require notification under state or other federal regulations.

Do we have to amend the agreements with business associates?

Generally, no. While it may make sense to do so, the HHS breach notification regulations do not require amendments to business associate agreements.

Preventive Strategy – Covered entities, however, should consider revisiting their business associate agreements to cover this new mandate, in particular, with regard to the time for providing the notice and its contents. Also, while business associates need to notify only the covered entity, and the covered entity (i.e., the health plan) must notify the affected individuals, the parties are permitted to agree that the business associate will provide notice to all of the affected individuals directly. This may prove advantageous in certain cases. Further, many entities functioning as business associates with regard to “protected health information” also handle “personal information” as defined under an increasing number of state laws. Some of these state laws require contract provisions with such vendors.

Do we follow the HIPAA notification rules or those of the state in which the affected individuals reside?

It depends. If the breach triggers both the HIPAA and state law notification requirements, the state requirement will have to be examined to see if it is contrary to HIPAA. A state law is contrary to HIPAA if the covered entity would find it impossible to comply with both or if the state law presents an obstacle to complying with the HIPAA requirements. If the state law is contrary to HIPAA, HIPAA preempts the state law. However, the preamble to the regulations states that the regulators expect a single notification to be sufficient to satisfy the requirements under both HIPAA and state laws. Of course, in addition to any requirement under HIPAA to notify the media or the Secretary of Health and Human Services (see below), certain states require that notice of a breach be made to certain state agencies or officials, such as the state’s Attorney General, as well as to credit reporting agencies.

Do I have to report breaches to the government?

Yes. Covered entities that experience breaches requiring notification must report those breaches to the Secretary of Health and Human Services, as follows:

  • For breaches involving 500 or more individuals, covered entities must notify the Secretary immediately.
  • For breaches involving fewer than 500 individuals, the covered entity must maintain a log of the breaches and report them to the Secretary annually, no later than the 60th day following the preceding plan year.

What are some of the key notice requirements?

If you experience a breach requiring notification, be mindful of the following:

  • Unless a delay in notification is permitted for law enforcement purposes, notification must be provided without unreasonable delay, but not later than 60 days after “discovery” of the breach. If the covered entity could have provided the notification within 30 days, waiting until the 60th day to do so will constitute an unreasonable delay. However, it is permissible to investigate the incident to determine whether there has been a breach, and its nature and scope. The investigation period must be reasonable.
  • “Discovery” of the breach happens when the breach becomes known to the covered entity, or would have been known to the covered entity with the exercise of reasonable diligence. A covered entity is deemed to know of a breach if it is known, or, by exercising reasonable diligence, would have been known, by an employee of the covered entity. However, a covered entity is not deemed to know of a breach if it is known by its business associate, unless the business associate is an agent of the covered entity. 
  • If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, it must provide substitute notice either through: (i) a conspicuous post on the homepage of its website, or (ii) a conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside. In addition, it must make a toll-free number available for 90 days for affected individuals to learn about the breach.
  • If the breach involves more than 500 individuals in a state or jurisdiction, notice of the breach must be provided to prominent media outlets serving that state or jurisdiction. This notice must be provided within the same period as notice to the affected individuals.

The HIPAA breach notification mandate likely will add to the confusion many businesses face when individually identifiable health information they own or maintain is impermissibly accessed or acquired. Careful consideration and assessment will be needed to determine, among other things, which laws apply, what notices need to be provided and to whom. Companies, therefore, should develop an overall strategy for protecting information from unauthorized access and for responding when a breach occurs. If you have any questions regarding this issue or any other workplace privacy issues, the Firm’s Employee Benefits, including Complex ERISA Litigation, Workplace Privacy and Executive Compensation Practice Group is available to assist you.


Copyright © 1998-2010 Jackson Lewis LLP