On February 17, 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009. In response to a mandate in the HITECH Act, the Department of Health and Human Services (HHS) issued an interim final rule with request for comments for Breach Notification for Unsecured Protected Health Information (the “Rule”) on August 19, 2009.

The Rule establishes significant new notification obligations for covered entities and business associates that are subject to HIPAA. Specifically, the new regulations establish guidelines for determining when a breach of unsecured PHI occurs; dictate who must give notice of such a breach and to whom notification must be made; and establish the timeframe and contents of such notification.

The Rule became effective on September 23, 2009. However, HHS has requested additional comments, which were due on October 23, 2009, and which may ultimately result in further modifications to the notification obligations. Covered entities and business associates must be aware of the new obligations under the Rule and should begin taking steps immediately to ensure compliance. In addition, these entities must remain cognizant of additional changes and modifications that may develop and must be prepared to alter their compliance efforts with these potential changes in mind.

When Are the Notification Requirements Triggered?

The Rule only requires notification if the incident qualifies as a “breach” of unsecured PHI. The Rule defines “breach” as the “acquisition, access, use or disclosure of protected health information in a manner not permitted under [the HIPAA Privacy Rule] which compromises the security or privacy of [PHI].” Therefore, a use or disclosure that violates the HIPAA Privacy Rule is a prerequisite, and any uses or disclosures that do not violate the Privacy Rule cannot constitute a “breach” requiring notification under the Rule.

In addition, an incident will only qualify as a “breach” if it meets a certain “harm threshold.” In other words, the use or disclosure must “pose a significant risk of financial, reputational, or other harm to the individual.” To determine whether this harm threshold has been met, covered entities and business associates must conduct and document a fact-specific “risk assessment.” The risk assessment should take into account the following factors: (1) the identity of the entity or individual that impermissibly used the information or to whom the information was impermissibly disclosed; (2) the steps taken to mitigate harm and the immediacy with which such steps were taken; (3) whether the information was returned before being accessed; and (4) the type and amount of information disclosed.

Finally, the Rule also contains three statutory exceptions to the “breach” definition. These exceptions are as follows: 1) uses or disclosures by persons acting under the authority of the covered entity or business associate that are made in good faith, that fall within the scope of the disclosing individual’s authority, and that do not result in further violations of the HIPAA Privacy Rule; 2) inadvertent disclosures from one person authorized to access PHI to another person also authorized to access PHI within the same covered entity, business associate, or organized health care system; and 3) situations in which the covered entity or business associate has a good faith belief that an unauthorized person receiving the PHI could not reasonably have been able to retain the information.

What Are the Notification Requirements?

Individual Notice

In situations in which a covered entity or business associate has a reasonable belief that the breach involved an individual’s PHI, the entity must provide written notice to each affected individual. Such notice must be provided without “unreasonable delay,” but in no case later than sixty days after discovery of the breach. To the extent possible, the notice should include the following information: 1) a brief description of what happened; 2) the types of information that were involved in the breach; 3) steps that affected individuals should take to protect themselves from potential harm; 4) a description of what the entity is doing to investigate the incident, mitigate harm, and protect against further breaches; and 5) contact procedures by which affected individuals may learn additional information. In certain situations, such as when the covered entity or business associate determines that misuse of the PHI is imminent or when the entity has insufficient contact information for the affected individuals, additional or substitute notice by alternative means may be made.

Media Notice

Covered entities and business associates must also notify a prominent media outlet, within the same timeframe as required for individual notice, in situations in which a breach involves the PHI of more than 500 individuals within a state or jurisdiction.

When Must an Entity Report Breaches to HHS?

Finally, covered entities and business associates must track and report all breaches to HHS. Breaches involving the PHI of more than 500 individuals (in any state or jurisdiction) must be reported “immediately.” All other breaches must be recorded and annually reported no later than sixty days after the end of each calendar year.

Summary

The Rule establishes significant new breach notification obligations for covered entities and business associates covered by HIPAA. In sum, the Rule requires such entities to provide individual and/or media notice when there has been a breach of unsecured PHI and to track and report such breaches to HHS.

Affected entities should review HIPAA compliance efforts with these new obligations in mind. For example, entities should ensure that policies are in place requiring workforce members to immediately report any potential privacy violations or security incidents, so that the entity can effectively and promptly evaluate the incident to determine whether notification obligations are triggered. Entities should also establish policies and conduct training to communicate what notification will be required, and should maintain accurate records in order to prepare required reports to HHS. Affected entities must remain aware of potential changes to these requirements in the future, and be prepared to revise policies and procedures accordingly.