On September 23, 2009 the Department of Health and Human Services (HHS) regulations on Breach Notification for Unsecured Protected Health Information became effective. They were issued as an interim final rule, which means they took effect immediately but remained open for public comment until October 2009; based on those comments HHS may modify the regulations.
The Breach Notification regulations implement the breach notification provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). Those provisions expand the HIPAA rules and require covered entities and business associates to notify affected individuals, and in some cases the media and the Secretary of HHS, of inappropriate releases, or breaches, of protected health information. ARRA also requires vendors of personal health records and certain other entities not covered by HIPAA to provide breach notification under separate regulations issued by the Federal Trade Commission (FTC). HIPAA-covered entities are not subject to the FTC rule.
HHS Regulations on Breach Notification
What is unsecured?
The regulations define “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary of HHS in guidance.” This guidance was published in the Federal Register (5-page PDF) on April 27, 2009.
In essence, the guidance outlines ways to render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals. PHI is considered secured if one of the following applies:
- Electronic PHI has been encrypted, as defined in the HIPAA Security Rule, by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” The guidance points to NIST Special Publication 800-111 for data at rest and to FIPS 140-2 validated processes (such as those described in NIST Special Publications 800-52, 800-77, and 800-113) for data in transit. Encryption only qualifies if the confidential process or key has not itself been compromised, so decryption keys should be stored on a device or at a location separate from the data they protect; a lost laptop whose decryption password is taped to the lid is not secured.
- The media on which the PHI is stored or recorded have been destroyed in one of the following ways:
  - Paper, film, or other hard copy media have been shredded or destroyed so that the PHI cannot be read or reconstructed. (Redaction is explicitly excluded as a means of destruction.)
  - Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization (43-page PDF), so that the PHI cannot be retrieved.
- If the information has been de-identified in accordance with the HIPAA Privacy Rule, it is not protected health information and its release does not require breach notification.
If the protected health information is secured in accordance with the guidance, there is no need to provide notification if there is a breach of that information.
What's a breach?
A “breach” is defined as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information [i.e., poses a significant risk of financial, reputational, or other harm to the individual], except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” Whether an incident poses a significant risk of harm is determined by a risk assessment that the covered entity must perform and document; if the assessment concludes there is no significant risk, no notification is required, but the covered entity must be able to show how it reached that conclusion.
There are three statutory exceptions to the breach rule. The first is the unintentional acquisition, access, or use of PHI by a workforce member (employees, volunteers, trainees, and others under the covered entity's direct control) if it was made in good faith, within the course and scope of employment or other professional relationship, and does not result in further use or disclosure. The second is an inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity or business associate, again provided the information is not further used or disclosed. The third applies when the recipient could not reasonably have retained the information, such as mail sent to the wrong individual but returned as undeliverable, or a nurse handing the wrong chart to an individual but intervening before the individual has a chance to look at the chart. For any exception, the burden of proof lies with the covered entity (or business associate).
Who must be notified?
In all breaches, any individual whose PHI has been inappropriately released is to be notified. The notification must contain the following information:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach
- A description of the types of unsecured PHI involved (for example, name, Social Security number, date of birth, diagnosis)
- Any steps individuals should take to protect themselves from potential harm resulting from the breach
- Brief description of actions taken by the covered entity to investigate the breach and mitigate potential harm
- Contact information, including a toll-free phone number
This notice must be provided by first class mail, unless the individual has agreed to receive such notices by electronic mail. All notices must be issued without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. A breach is treated as discovered on the first day it is known, or reasonably should have been known, to the covered entity, so the clock does not wait for the internal investigation to finish, and a covered entity that discovers and confirms a breach in 10 days cannot wait until day 60 to provide the notice. A business associate that discovers a breach must notify the covered entity within the same 60-day limit.
If there are fewer than 10 individuals for whom the covered entity does not have sufficient contact information to provide written notice, the covered entity can provide substitute notice through an alternative form of written notice, by telephone, or by other means.
If there are 10 or more individuals for whom the covered entity does not have sufficient contact information to provide written notice, the covered entity must provide substitute notice through either a conspicuous posting on its Web home page for 90 days or a conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside. The covered entity must also provide a toll-free phone number, active for 90 days, where individuals can learn whether their information was part of the breach.
If a breach involves 500 or more individuals, the covered entity must notify the Secretary of HHS at the same time it notifies the individuals, that is, without unreasonable delay and within 60 days of discovery. If a breach involves more than 500 residents of a single state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction.
For breaches involving fewer than 500 individuals, the covered entity is required to keep a log and submit it to the Secretary of HHS annually, no later than 60 days after the end of the calendar year in which the breaches were discovered. Since the burden of proof for breach exceptions, risk assessments, and adequate notification lies with the covered entity, it is important also to keep documentation of every investigation of a potential breach and of all notification activities.
How can I ease compliance?
- Encrypt electronic PHI whenever feasible, using methods consistent with the HHS guidance, and keep decryption keys separate from the data they protect
- Establish a plan to investigate potential breaches and deploy notifications
- Educate workforce on requirements for breach identification
- Discuss ways to decrease the likelihood of breaches
- Create a documentation process for cataloging real and potential breaches and resulting actions
- Ask vendors and business associates how they are protecting health information and complying with the breach notification requirements
- Set up a process to make sure your contact information for all patients remains up to date and that you ask for authority to send breach notification via electronic mail
Additional Resources
Federal Register Notice of Interim Final Rule with Discussion of the Rule
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf (32-page PDF)
Federal Register Notice of Guidance to Secure Protected Health Information
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf (5-page PDF)
HHS Web site on Health Information Privacy – for new information on breach notification rule and for further information on the reporting requirements to Secretary of HHS
http://www.hhs.gov/ocr/privacy/