Confession is Good for the Soul, or So Says HHS’s Newly Published Breach Notification Rule
The Business Advisor - Special Alert
September 9, 2009
One of the reasons Congress enacted the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) was to encourage the use of electronic medical records by health care providers and insurers. The regulations promulgated therefrom, most commonly known as the Privacy and Security Rules, had compliance deadlines beginning in 2003, but since that time, government enforcement of HIPAA compliance has been sporadic and tepid. This may be changing soon following the recent issuance of new HIPAA regulations that will affect the way businesses safeguard health information.
As part of the sweeping federal stimulus package, on February 17, 2009, President Obama signed into law the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which in part obligates “covered entities” and “business associates” to report improper uses and disclosures of individuals’ “unsecured protected health information.” Under the HITECH Act, Congress directed the U.S. Department of Health and Human Services (“HHS”) to issue regulations implementing the HITECH Act’s breach notification provisions. In compliance with that mandate, HHS published an interim final rule on August 24, 2009 (the “Rule”) governing breach notification for unsecured protected health information. The Rule becomes effective on September 23, 2009 and applies to privacy and security breaches of unsecured protected health information occurring on or after that date.
Definitions. The Rule applies to “covered entities” (“CEs”), “business associates” (“BAs”) and their use of “protected health information” (“PHI”) that is “unsecured.” The Rule incorporates the existing definitions of those terms from the current HIPAA regulations. 74 Fed. Reg. 42740 (Aug. 24, 2009). CEs, therefore, include health plans, health care clearinghouses and health care providers that transmit any health care information electronically in connection with a health-related transaction covered by HIPAA (e.g., submitting a claim for payment to a health plan). Id. Similarly, BAs are persons or entities that provide services to a CE, the provision of which requires access to or involves the use or disclosure of PHI. BAs include, without limitation, third party administrators; pharmacy benefit managers; claim or bill processing companies; transcription companies; professionals retained by CEs to perform legal, actuarial, accounting, management or administrative services; or persons or entities retained to destroy or dispose of PHI. Id. Employees of a CE are not BAs, nor are persons or entities, such as cleaning services, whose services do not involve or require the use of or access to PHI, even if such entities may have incidental contact with PHI. PHI includes virtually all individually identifiable health information held or transmitted in any form or media by a CE or BA.
The HITECH Act and the recently published Rule introduce the concept of “unsecured” PHI, which is PHI “that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through a technology or methodology” approved by HHS. 45 C.F.R. §164.402. As set forth in HHS’s guidance on the new HIPAA regulations (the “Guidance”), HHS has approved only encryption and destruction as means by which PHI can be rendered “secured.” 74 Fed. Reg. 42741-43. Redacting PHI in a hard copy format or converting electronic PHI to a hard copy format will not render it “secured.” See id. at 42742. Additionally, the use of computer access controls and firewalls alone is not sufficient to render PHI “secured” for purposes of the Rule. Id. HHS has also rejected the use of limited data sets as a means of rendering PHI “secured,” while, at the same time, recognizing that a limited data set may contain so little PHI that its unauthorized use, disclosure or acquisition will not so compromise the privacy and security of PHI as to trigger the notification obligations under the Rule. Id. at 42746.
Safe Harbor. The Guidance makes clear that the HITECH Act does not require CEs and BAs to encrypt PHI. However, only the encryption or destruction of PHI will render it “secured” for purposes of the Rule. Id. at 42741. In other words, properly encrypting PHI provides a safe harbor for CEs and BAs. The unauthorized disclosure, use, acquisition of or access to encrypted PHI, therefore, will not trigger the Rule’s breach notification requirements. Properly encrypted PHI is deemed “unusable, unreadable or indecipherable,” to unauthorized persons and, for that reason, its unauthorized acquisition, access, use or disclosure is deemed not to be a risk of significant harm to a person’s privacy. Id. at 42741-45. Importantly, by contrast, the unauthorized acquisition, access, use or disclosure of PHI that is protected only by access controls or firewalls will trigger the Rule’s breach notification requirements.
HHS has approved certain encryption processes tested by the National Institute for Standards (the “NIST”) for purposes of the Rule. For PHI at rest, the approved encryption processes are located at NIST Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, which can be found at http://www.csrc.nist.gov/. For PHI in motion, approved encryption methods include those found in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, as well as those that have been Federal Information Processing Standards (FIPS) 140-2 validated (also available at http://www.csrc.nist.gov/). 74 Fed. Reg. 42745. HHS also recommends that CEs and BAs store their encryption keys on a separate device from the data they encrypt or decrypt. Id.
For purposes of the Rule, the destruction of PHI means the actual destruction of the media in which PHI is stored or recorded. Id. at 42743. For paper, film or other hard copy PHI, destruction means shredding or destruction by another form so that the PHI can neither be read nor reconstructed. As noted above, redacting PHI in a hard copy format or converting electronic PHI to a hard copy format does not constitute destruction. Electronic media is destroyed if it is cleared, purged or otherwise destroyed and rendered irretrievable in a manner consistent with the NIST Special Publication 800-88, Guidelines for Media Sanitization, available at http://www.csrc.nist.gov/.
What Constitutes A Breach? The Rule’s notification requirements are triggered by a breach. A “breach” is defined to include the “acquisition, access, use or disclosure of protected health information in a manner not permitted [by the Privacy Rule and] which compromises the security or privacy of the protected health information” (hereinafter, a “Breach”). 45 C.F.R. §164.402. HHS expressly declined to define the terms, “access” and “acquisition,” in either the Guidance or the Rule, preferring to rely on standard definitions of the terms. 74 Fed. Reg. 42744.
HHS has included an express “harm threshold” in its definition of Breach. The security and privacy of PHI are compromised only if the Breach in question poses a significant risk of harm (including financial and reputational) to the affected individual. 45 C.F.R. §164.402(1)(i). In other words, where the risk of harm arising from a Breach is minimal, the notification requirements of the Rule are not triggered. Consistent with the harm threshold, the Rule expressly provides that a Breach has not occurred if the PHI in question does not include any of (i) the affected individual’s date of birth; (ii) his or her zip code; or (iii) any of the 16 identifiers listed in the Privacy Rule at 45 C.F.R. §164.514(e)(2), the removal of which from PHI will render it a limited data set. The Guidance makes clear, however, that if a CE or BA fails to follow the Breach notification regulations because it determines that the harm threshold was not met, the burden will be on the CE or BA to demonstrate to HHS that any risk of harm to the affected individuals was too slight to trigger the Rule’s notification requirements. 74 Fed. Reg. 42745-46.
In the Guidance, HHS lists examples of unauthorized uses, acquisitions or disclosures of or access to unsecured PHI that might not constitute Breaches for purposes of the Rule. For example, expeditious action taken in response to an unauthorized disclosure of unsecured PHI to mitigate the risk of harm to the affected individual may render that risk too slight to implicate the Rule. Similarly, the prompt return of improperly acquired PHI (e.g., the return of a laptop containing unsecured PHI) before the PHI could have been accessed could obviate the need for a Breach notification under the Rule. It is also possible that the PHI disclosed may contain so little individually identifying information that its disclosure may not give rise to a risk of harm serious enough to trigger the Rule’s notification requirements.
For purposes of the Rule, the unauthorized, but unintentional and good faith “acquisition, access or use” of PHI by a member of a CE’s or BA’s workforce is not a Breach as long as the acquisition, access or use was made within the scope of the recipient’s employment or authority and does not result in further unauthorized use or disclosure of PHI. 45 C.F.R. §164.402(2)(i). Similarly, the inadvertent disclosure of PHI by a person with authority to access PHI at a CE or BA to another person with such authority either at the same CE or BA or at an organized health care arrangement (such as a clinically integrated care setting) in which the CE participates does not constitute a Breach, if the PHI is not further used or disclosed in violation of the Privacy Rule. 45 C.F.R. §164.402(2)(ii).
The Guidance contains useful examples of what types of situations fall within (or do not fall within) these exceptions. 74 Fed. Reg. 42746-48. Disclosures of unsecured PHI such as a person momentarily viewing a laptop screen containing PHI, or a letter sent to an affected individual that was returned unopened, or records given to the wrong patient but retrieved before the patient had time to read them, do not give rise to a Breach. 45 C.F.R. §164.402(2)(iii); 74 Fed. Reg. 42748. CEs and BAs must remember, however, that they bear the burden of demonstrating that such disclosures do not meet the harm threshold and, therefore, do not trigger the notification requirements.
While not every violation of the Privacy and Security Rules will result in a notification requirement under the Rule, all Breaches that trigger the Rule are violations of the Privacy or Security Rules. 74 Fed. Reg. 42748. In determining whether a Breach has occurred, it must first be determined whether there has been a violation of HIPAA’s regulations. Hence, the Rule provides an additional incentive for CEs to be diligent about their HIPAA compliance. HHS recommends the following three-step process for CEs and BAs to help determine whether a Breach has occurred: (1) Determine whether PHI has been disclosed, used, acquired or accessed in violation of the Privacy Rule; (2) Determine (and document the steps taken to make the determination) whether the unauthorized use, disclosure, access or acquisition of the PHI gives rise to a significant risk of serious harm to the affected individual; and (3) Determine whether the unauthorized use, acquisition, access or disclosure falls under one of the exceptions to the definition of Breach under the HITECH Act and the Rule. 74 Fed. Reg. 42748.
Breach Notification Provisions – Notifying Individuals. Upon the discovery of a Breach, a CE must notify each individual whose unsecured PHI has been the subject of such Breach or whose unsecured PHI the CE believes has been the subject of the Breach. 45 C.F.R. §164.404(a)(1). A Breach will be deemed to have been discovered as of the first day the CE either actually knew about the Breach or “by exercising reasonable diligence” would have known about it. 45 C.F.R. §164.404(a)(2). The CE will be deemed to have known of the Breach on the first day a member of its workforce (other than the person committing the Breach) either actually knew or “by exercising reasonable diligence” should have known about the Breach. Id. Therefore, a CE will be liable if it fails to provide notification in cases when it was not aware of a Breach, but by exercising reasonable diligence would have known about it. Consequently, because the actual or imputed knowledge of workforce members will be imputed to the CE, it is important for CEs to implement internal systems designed to discover Breaches of unsecured PHI and to ensure the proper training of workforce members in HIPAA compliance.
The CE must notify any affected individual of a Breach “without unreasonable delay,” which in no event shall be later than 60 days after the discovery of the Breach. 45 C.F.R. §164.404(b). In the Guidance, HHS has made it clear that CEs may not wait the full 60 days to notify an affected individual if they are able to do so sooner. 74 Fed. Reg. 42749-50. Moreover, it is the CE’s burden to demonstrate that its notification of an affected individual was timely, even if the notification was made less than 60 days after the discovery of the Breach. Id.
Under the new regulation at 45 C.F.R. §164.404(c), the Breach notification must be drafted in simple and plain language and include, to the extent possible and known, the following information:
- A brief description of what happened, including the date of the Breach and the date of its discovery;
- A description of the types of unsecured PHI that were involved in the Breach (e.g., demographic information, diagnosis, or disability codes);
- Any steps the affected individual should take to protect themselves from further harm from the Breach (e.g., a recommendation to contact credit bureaus and information on how to do so; in cases of potential identity theft, a recommendation that a police report be filed);
- A brief description of the steps the CE is taking to (a) investigate the Breach, (b) mitigate the harm from the Breach, and (c) prevent further Breaches;
- Contact procedures for individuals to ask questions and obtain further information, including a toll-free telephone number, email address, website or postal address.
The CE must notify the affected individual of the Breach in writing. 45 C.F.R. §164.404(d)(1). The Breach notification must be sent by first class mail to the affected individual’s last known addresses, unless the affected individual has agreed to electronic notification and has not withdrawn that agreement. Id. The Breach notification can be provided in more than one mailing as information becomes available. Id. If the CE knows that the affected individual has died and it has the address of the individual’s next of kin or personal representative, the Breach notification shall be sent by first class mail to the next of kin or personal representative. 45 C.F.R. §164.404(d)(1)(ii). A Breach notification need not be provided if the affected individual has died and the CE does not have sufficient contact information for the next of kin or a personal representative. 45 C.F.R. §164.404(d)(2).
Substitute forms of notification may be used if the CE has insufficient or out-of-date contact information for the affected individuals that precludes written notice. 45 C.F.R. §164.404(d)(2). The Rule does not specify the form of substitute notification to be used, but it must be “reasonably calculated to reach the affected individual” and notice by telephone may be sufficient in these cases. 45 C.F.R. §164.404(d)(2)(ii).
Substitute notice of a Breach given directly to the affected individuals (or, in the case of deceased individuals, their personal representatives or next of kin) is sufficient if the CE lacks sufficient contact information for fewer than 10 individuals affected by the Breach. 45 C.F.R. §164.404(d)(1). However, if the CE lacks sufficient contact information to provide a written Breach notice to 10 or more individuals affected by a Breach, the CE must: (a) for a period of at least 90 days, either conspicuously post notice of the Breach on its website’s home page or provide conspicuous notice of the Breach in prominent print or broadcast media in the geographical areas in which the affected individuals are likely to live; and (b) provide a toll-free telephone number that remains active for at least 90 days where an individual can learn whether his or her unsecured PHI was affected by the Breach. 45 C.F.R. §164.404(d)(2)(ii).
If the CE believes that there is a possible imminent misuse of unsecured PHI, immediate notification of a Breach by telephone or other means is permitted. 45 C.F.R. §164.404(d)(3). Such emergent notice can only be supplemental to, and may not substitute for, written or substitute notice of the Breach as required by the Rule.
Breach Notification Provisions – Notifying the Media. A Breach involving the PHI of large numbers of people triggers the Rule’s media notification requirement. 45 C.F.R. §164.406. If a Breach involves the PHI of more than 500 residents of a state or similar jurisdiction, the CE must notify major media outlets serving the state or jurisdiction. 45 C.F.R. §164.406(a). As with notification directly to the affected individuals, notification to the media must be prompt. It must be provided “without unreasonable delay” and in no event later than 60 days after the discovery of the Breach. 45 C.F.R. §164.406(b). In other words, as with the Breach notification directly to affected individuals, the CE cannot simply wait 60 days after the discovery of a Breach to notify the media where such notification is required; notification must be made as soon as practical. The notification must contain the same information as the notification to the affected individuals. 45 C.F.R. §164.406(c).
Breach Notification Provisions – Notifying HHS. In addition to the obligation to notify individuals and in some cases the media of Breaches, CEs must also document Breaches for HHS. 45 C.F.R. §164.408 requires CEs to notify HHS within 60 days of discovering a Breach involving 500 or more individuals. For a Breach involving fewer than 500 persons, CEs must maintain a log of the Breach and submit the documentation to HHS on an annual basis. HHS will be posting instructions on its website for what must be submitted when notifying the agency. For larger Breaches, a CE must notify HHS concurrently with its notification to affected individuals, which must be sent without unreasonable delay, but in no case later than 60 days following discovery of the Breach.
Of particular note is how the new HIPAA regulations bifurcate a CE’s duties to notify HHS and the media. CEs must notify HHS whenever there is a known Breach (or one that should have been known) involving at least 500 persons wherever they may live; however, the media would only need to be notified if the Breach involves 500 residents of the same state or jurisdiction. For example, if a CE discovers a Breach involving 600 persons from New Jersey, both HHS and the media must be notified. If, however, the Breach involves 300 residents from New Jersey and 300 from New York, the CE must notify HHS, but would not be required to notify the media.
Breach Notification Provisions – BA Duties. BAs also have new notification requirements under the latest HIPAA regulations. Pursuant to 45 C.F.R. §164.410, following the discovery of a Breach, a BA must notify the CE so that the CE can then notify affected individuals. The same discovery and knowledge standards that apply to CEs apply to BAs. HHS considers a Breach discovered on the first day that the Breach is known to the BA, or by exercising reasonable diligence would have been known to the BA. A BA shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Breach) who is an employee, officer, or other agent of the BA. Notice to CEs must be sent without unreasonable delay, but in no case later than 60 days following discovery of the Breach.
A BA must also provide the CE with, to the extent possible, the identity of each individual whose unsecured PHI was breached and any other available information the CE would be required to provide to the affected individuals. HHS advises that BAs should not delay when providing CEs with their initial notification of a Breach, even if some or all of the information regarding the Breach is not immediately known. Additional information may be provided at a later date when it becomes known to the BA.
Law Enforcement Exception. There is a regulatory exception to the notification requirements under 45 C.F.R. §164.412. If a law enforcement official states to a CE or BA that a Breach notification would impede a criminal investigation or cause damage to national security, a CE or BA must postpone any notification that would otherwise be required under the new regulations. If a law enforcement official’s statement is in writing, CEs and BAs should follow the instructions in the document, most notably the time period for delaying notification. If the statement is made orally, CEs and BAs should document the statement, including the identity of the law enforcement official who made it, and delay the notification for no longer than 30 days, unless a written statement follows the oral instructions.
Administrative Requirements for CEs. Additional administrative requirements for CEs under the Rule at 45 C.F.R. §164.530 include:
- Policies and Procedures. A CE must implement policies and procedures designed to comply with the requirements under the new HIPAA regulations regarding Breaches and notification requirements related to such Breaches.
- Training. All members of the workforce must be trained regarding the CE’s policies and procedures on Breaches of unsecured PHI and related notification requirements. Training must be as necessary and appropriate for workforce members to carry out their functions within the CE.
- Complaints to the CE. A CE must provide a process for individuals to make complaints concerning a CE’s compliance with its policies and procedures regarding Breaches of unsecured PHI and applicable notifications.
- Sanctions. A CE must have and apply appropriate sanctions against members of its workforce who fail to comply with the policies and procedures regarding Breaches and the applicable notifications.
- Refraining from Intimidating or Retaliatory Acts. A CE may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual if that person exercises any right established under the Rule (e.g., the right to file a complaint).
- Waiver of Rights. A CE cannot require individuals to waive their right to file a complaint as a condition to the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
- Changes to Policies and Procedures. A CE must change its policies and procedures as necessary and appropriate to comply with changes in the law.
- Maintain Documentation. A CE must maintain sufficient documentation to demonstrate that (a) all notifications were made as required by the Rule; or (b) the use or disclosure of unsecured PHI did not constitute a Breach.
The HITECH Act, the Rule and Insolvency. The enactment of the HITECH Act and the promulgation of the Rule potentially increase the financial burdens on CEs (particularly financially strapped hospitals) and BAs, which previously did not have direct obligations under HIPAA except for the contractual obligations imposed by their BA agreements with CEs. Now, both CEs and BAs have potential Breach notification obligations. Moreover, although most of the financial burdens imposed by the HITECH Act and the Rule appear to fall on CEs, it is likely that CEs will attempt contractually to shift some of that burden to their BAs. In any event, as evidenced by a lengthy discussion by HHS in the Guidance, compliance with the Rule can be very expensive. (See 74 Fed. Reg. 42758-66 for a discussion of anticipated Breach notification costs.) That expense clearly provides added incentives for CEs and their BAs to comply with those provisions of the Privacy and Security Rules that apply to them so as to avoid Breaches and the resulting costs (both financial and reputational) of Breach notification. CEs and BAs must also keep in mind that the HITECH Act also significantly increased the civil and criminal penalties for HIPAA violations.
The Breach notification requirements may also complicate the bankruptcy process for the increasing number of CEs that find themselves resorting to bankruptcy for relief. Yet, while HIPAA compliance can be expensive, a Breach notification under the Rule can cost much more and could scuttle a reorganization.
Conclusion. Congress, by enacting the HITECH Act, and HHS, by promulgating the Rule, have concluded that the confession of Breaches is good for the souls of CEs and BAs. Such “confessions” can be burdensome and expensive. CEs and BAs are urged to avoid those burdens and expenses by ensuring that they are in compliance with the Privacy and Security Rules and, as much as is reasonably possible, meet the requirements of the PHI encryption and destruction safe harbor under the Rule.
If you have questions about HIPAA, the HITECH Act, the Rule and how they each affect your company, please contact the author, David N. Crapo.