Compliance Quarterly E-Newsletter, November 2009
Data Breach Regulations
The recently released Department of Health and Human Services (HHS) Data Breach Regulations ("Breach Regulations") were issued pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act (ARRA), which made a series of changes to HIPAA's Privacy and Security Rules.

To Whom Do These Regulations Apply?
Covered Entities (which include health plans) and Business Associates of Covered Entities, as defined under HIPAA.

What is Required by the Regulations?
The Breach Regulations impose new notification requirements on both Covered Entities and Business Associates when a breach of unsecured PHI occurs. Certain notifications, including notifications to the individuals whose PHI has been improperly disclosed, must now be given no later than 60 days after a breach of unsecured PHI occurs. If a breach involves 500 or more individuals of any one state or jurisdiction, then in addition to notifying the impacted individuals, notices must also be given to the media and HHS. These notices must also be provided within 60 days of the breach. Some other key highlights of the regulations are outlined below:
- The Breach Regulations apply only to the extent that a breach of unsecured PHI has occurred that would pose a significant risk of financial, reputational or other harm to the individual. (See below.)
- The Breach Regulations exclude the following three instances from the definition of breach:
  - Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if the acquisition, access or use was made in good faith and within the scope of the person's duties and does not result in further use or disclosure in violation of the Privacy Rule;
  - Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates, where the information is not further used or disclosed in violation of the Privacy Rule;
  - A disclosure of PHI where a covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
- A breach is defined as acquiring, accessing, using or disclosing "unsecured" PHI that violates HIPAA's Privacy Rules and that compromises the security or privacy of such PHI.
- Unsecured PHI is defined as being PHI that is usable, readable or decipherable and is not secured through the use of encryption or destruction that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals. Electronic PHI that is sent encrypted would not be considered to have been sent unsecured under the Breach Regulations.
- In order to determine whether the breach poses a financial, reputational or other harm to the individual, the regulations provide for a "Significant Risk of Harm" assessment, which would include considering the following issues:
  - Who impermissibly used the information, and to whom was the information impermissibly disclosed?
  - Have any immediate steps been taken to mitigate the impermissible use or disclosure?
  - Was the PHI returned prior to being accessed?
  - What was the type and amount of PHI involved in the improper disclosure?
  - Did the improper disclosure involve a limited data set, and is there any risk of re-identification of the PHI contained in the data set?
- Written notification in plain English must be made by first-class mail, or by electronic mail if agreed to by the individual, and must include, to the extent possible, the following:
  - A brief description of the circumstances relating to the breach;
  - A description of the type of unsecured PHI involved in the breach;
  - Any steps individuals should take to protect themselves from potential harm from the breach;
  - A brief description of what the covered entity is doing to investigate the breach, mitigate harm to individuals and protect against further breaches; and
  - Contact procedures for notified individuals.
- For urgent breaches of PHI, individuals must be contacted both by phone and by mail.
- If the Covered Entity does not have sufficient contact information for the individuals involved, the Covered Entity must now take certain steps to obtain the information. If the Covered Entity lacks contact information for fewer than 10 individuals, the Breach Regulations state the individuals may be contacted by telephone. If the Covered Entity is missing information on 10 or more employees, then the covered entity must post information on its Web site for a period of 90 days.
- An annual notice requirement to the Secretary of HHS is now required 60 days after December 31st. The first annual filing must be made by March 1, 2010 and would include any breaches of unsecured PHI occurring after September 23, 2009.
- The Secretary of HHS is required to post publicly a list of Covered Entities who have had breaches involving more than 500 individuals.
- Penalties for non-compliance are steep, depending on the level of knowledge; with the steepest tier being $50,000 per violation and up to $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
When Do These Regulations Become Effective?
The Breach Regulations apply to breaches of unsecured PHI that happen on or after September 23, 2009. However, HHS has indicated that it will delay enforcement of these regulations until 180 days after their publication (or until February 22, 2010).

What Should Employers Be Doing Now?
There are a number of tasks that employers should be undertaking now to ensure full compliance by the enforcement date. A few of these tasks are:
- Establish procedures for how you will identify when a breach has occurred.
- Establish procedures that will address who will be responsible for preparing and issuing the required notices.
- Amend Business Associate Agreements with all Business Associates.
- Train your workforce.
- Review and revise as necessary your HIPAA policies and procedures to include the requirements of the Breach Regulations, including revisions to your sanction policies on how you will handle breaches by your workforce. In addition, Covered Entities need to ensure they have an established, compliant process for carrying out their new policies and procedures.
- Develop and maintain logs to assist with annual notification to HHS for breaches involving fewer than 500 individuals. In addition, Covered Entities should identify now who within your organization will be responsible for notifying HHS and mark your calendars to make sure the necessary filing is complete within 60 days after the end of each calendar year, which would be March 1st of each year.
Meritain Health is in the process of taking the same steps identified above to ensure that we are in full compliance as well. For a more detailed discussion of what the new Breach Regulations require, please listen to Meritain Health's Corporate Compliance Manager, Jennifer Moore, discuss these regulations in further detail. Source: Alston & Bird
Compliance Quarterly is being provided as an informational tool. It is recommended that plans consult with their own experts or counsel to review all applicable federal and state legal requirements that may apply to their group health plan. By providing this publication and any attachments, Meritain Health is not exercising discretionary authority over the plan and is not assuming a plan fiduciary role, nor is Meritain Health providing legal advice.