HIPAA Breach Notification Rules

October 6, 2009

The U.S. Department of Health and Human Services (HHS) recently issued regulations to implement new breach notification rules on required notifications following any breach of the Health Insurance Portability and Accountability Act (HIPAA) privacy rules for healthcare providers, insurers and health benefit plans. The new breach notice rules were added to HIPAA by the Health Information Technology for Economic and Clinical Health (HITECH) Act in February 2009. These Regulations are effective for HIPAA breaches that occur on or after September 23, 2009. HHS has announced that it will not impose sanctions for failure to provide notifications for breaches that occur before February 20, 2010, but HHS will require compliance for breaches on or after September 23, 2009. Healthcare providers and plans should implement policies and procedures and train employees on these new requirements as soon as possible.

When is Disclosure Required?

Under existing rules, healthcare providers, insurers and health benefit plans must take necessary and appropriate steps to protect all information related to treated or covered individuals. This protected information is called "protected health information" or "PHI", and includes both health information and personal or coverage information. When an improper disclosure (a "breach") occurs, the responsible party is required to take available steps to "mitigate" the harm of disclosure, which may mean notifying the individual whose information was disclosed.

The new rules add a specific disclosure requirement when unsecured PHI is improperly disclosed in breach of the HIPAA privacy rules. No notice is required under the new rules for improper disclosure of secured PHI, although the existing "mitigation" standard may require notice depending on the circumstances. Secured PHI is PHI that has been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology specified by the HHS Secretary on its website. Currently, there are only two methods to "secure" PHI, encryption or destruction. It is important to note that the new rules do not require the encryption of PHI; they merely exempt encrypted PHI from the new disclosure requirements.

What Constitutes A Breach of the HIPAA Privacy Rules?

A breach of HIPAA privacy rules for PHI is an impermissible use or disclosure which compromises the security or privacy of the PHI. Security or privacy is compromised if the breach poses a significant risk of any financial, reputational, or other harm to the individual. To determine if there is a significant risk of any harm, a covered entity or business associate will need to perform and document a risk assessment. A use or disclosure of PHI that has been de-identified (i.e., stripped of 18 direct identifiers which could be used to identify an individual, such as name, address, phone number, date of birth, zip code, etc.) will not be considered to compromise the security or privacy of PHI and thus will not be subject to these notification rules.

When and How Must Disclosure Be Made?

When a breach of unsecured PHI is discovered, the healthcare provider, insurer or health benefit plan has these requirements:

  1. Notify the individual whose PHI has been, or is reasonably believed to have been, disclosed as a result of the breach, in writing, without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. A breach is discovered when any member of the provider, insurer or plan's workforce or an agent has knowledge of the breach. Often, a covered entity's business associate is its agent. Thus, a discovery by a business associate will often start the clock running for giving the notice. Covered entities should ensure that their business associates provide prompt notice following discovery of any potential breach.

    The 60-day time limit is intended to be an outer limit and HHS states that it may be unreasonable in some cases to wait until the 60th day to provide a "meaningful" notice. The Regulations include specific information which must be included in the notice to the individual, provide a substitute notice procedure if no address is available, and describe how to handle urgent situations.
  2. Notify the media if the breach involves more than 500 residents of a state or jurisdiction. This notice must be given within the same time limits and with the same details as the notice to the affected individuals.
  3. Notify the HHS Secretary
  • if the breach involves 500 or more individuals, contemporaneously with the notice to the affected individual and in the manner specified on the HHS website (the website does not yet include this information); or
  • if the breach involves less than 500 individuals, on an annual basis within 60 days after the end of each calendar year.

Business associates, which provide services for providers, insurers or plans and may come in contact with PHI in connection with those services, will be directly regulated by the HIPAA privacy rules effective in February 2010. Business associates obligations are addressed in the new rules. When a business associate discovers a breach has occurred, the business associate is required to notify the provider, insurer or plan for whom it is providing services without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

Next Steps:

Covered entities and business associates should:

Frost Brown Todd can assist you with all of these compliance steps for the new breach notice rules and other HIPAA changes in the HITECH Act. Employers should take steps now to ensure compliance with the breach notice rules. Other changes contained in the HITECH Act are effective in February, 2010. For more information, contact:

Michael Bindner (IN), mbindner@fbtlaw.com
Bill Mabry (KY), bmabry@fbtlaw.com
Alison Stemler (KY), astemler@fbtlaw.com
Jeff Stodghill (KY), jstodghill@fbtlaw.com
Kristen Holt (KY), kholt@fbtlaw.com

For any other Frost Brown Todd attorneys in our Health Law or Employee Benefits Law Practice Groups.