The HITECH Act makes a number of significant changes to the data privacy and security standards within the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The first of these changes, concerning data breach notification requirements, will go into effect in the fall of 2009. On April 17th, the Department of Health and Human Services (“HHS”) issued proposed regulations offering safe harbor status for incidents where the data is considered to be “secured” under federal standards. Final regulations are to be issued by the end of the summer.
It is important for healthcare organizations to understand these new rules and to begin planning now to address the additional compliance obligations. This article provides additional detail regarding the new breach notification requirement as well as information related to the NIST standards suggested by HHS.
HITECH ACT CREATES NEW HIPAA BREACH NOTIFICATION REQUIREMENTS
On February 17, 2009, President Obama signed into law the Health Information Technology for Economic and Clinical Health (“HITECH”) Act as part of the economic stimulus package. In addition to providing incentive payments to hospitals and physicians who adopt electronic health records systems, the HITECH Act makes a number of significant changes to the data privacy and security standards within the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Breach Notification Requirements
Breach Notification. Currently, HIPAA requires that covered entities mitigate known harm that could result from the unauthorized use or disclosure of a patient’s protected health information (“PHI”). Covered entities are healthcare providers such as physician practices, health plans and hospitals. Under the present rules, covered entities may, at their discretion, notify patients of a breach. The HITECH Act eliminates this discretion and requires that covered entities notify patients of any unauthorized acquisition, access, use, or disclosure of unsecured PHI. Covered entities must notify patients if the unsecured PHI has been or is reasonably believed to be disclosed. Business associates who have access to PHI are required to notify the covered entity of any such breach, including the name of any individual whose unsecured PHI has been released.
Discovery of Breaches. A breach is treated as discovered as of the first day on which it is known, or reasonably should have been known, to the covered entity (or business associate). Once a breach is discovered, the entity must notify patients without unreasonable delay and in no case later than 60 calendar days after discovery.
How to Provide Notice. The covered entity should send written notification via first class mail to the patient (or, if the patient is deceased, to the patient’s next of kin) at the last known address, unless the patient has indicated a preference for e-mail. If the address is unknown for more than 10 individuals, substitute notice must be provided, which may include a posting on the entity’s homepage (for a period of time to be determined by HHS) or publication in major media sources in the geographic area. Substitute notice must include a toll-free phone number. Where there is urgency because of possible imminent misuse of the data, covered entities may also provide other forms of notice, such as telephone or e-mail, in addition to the written notice.
Notice to 500+ Patients. If the breach affects 500 or more patients, notice must also be provided to major media outlets. Additionally, the covered entity must notify HHS immediately. The HHS website will maintain a list identifying the covered entities involved in breaches in which more than 500 individuals are affected. If fewer than 500 patients are affected, the covered entity may instead maintain a log of the breaches and submit this log annually to HHS.
Contents of Notice. The notice must contain the following content:
- A description of what happened, including the date of the breach and the date of the discovery of the breach to the extent these dates are known.
- A description of the types of unsecured PHI that were disclosed (e.g., name, social security number, date of birth).
- Steps that the patients should take to protect themselves.
- A description of the actions taken by the covered entity to investigate the breach, mitigate the losses, and to protect against further breaches.
- Contact procedures, including a toll-free number, e-mail address, website or postal address so that the patient may contact the covered entity.
Exceptions. The HITECH Act excludes two situations from the definition of breach; in these situations the covered entity is not required to provide notice to the affected patients. The first is the unintentional acquisition, access or use of PHI by an employee or other individual acting under the authority of the covered entity, where that person acted in good faith and within the normal scope of his/her employment, and the PHI is not further acquired, accessed, used or disclosed. The second is the inadvertent disclosure of PHI by an individual who is authorized to access it at a facility to another similarly situated individual at the same facility, provided that the PHI is not further acquired, accessed, used or disclosed. Additionally, covered entities are allowed to delay notification if law enforcement determines that notification would impede a criminal investigation or cause damage to national security.[1]
Safe Harbor for Secured Protected Health Information
Guidance. The new rules include what amounts to a safe harbor for data that meets federal security standards. The HITECH Act authorized HHS to issue guidance defining secured versus unsecured PHI. Initial guidance was issued on April 17th, 2009, along with a solicitation for public comments. The purpose of this guidance is to assist covered entities and business associates in determining whether a breach has occurred that triggers the notification obligations. Covered entities and business associates are not required to follow the guidance, but if the methodologies and technologies it specifies are used, the guidance functions as the equivalent of a safe harbor and relieves the covered entity of the notification obligation (unless notification is otherwise required by federal or state law or is necessary to mitigate the harmful effect of the breach).
Encryption. PHI is rendered unusable, unreadable or indecipherable to unauthorized individuals by one of two methods: encryption or destruction. Encryption is “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”[2] The guidance relies on the encryption processes tested by the National Institute of Standards and Technology (“NIST”). For data at rest, meaning data that resides on computer systems, in databases, and on storage media, the guidance directs covered entities to NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.[3] For data in motion, meaning data moving across a network, including over wireless transmission, the guidance directs covered entities to comply with the requirements of Federal Information Processing Standard (“FIPS”) 140-2.[4]
Destruction. PHI on paper, film or other hard-copy media may be destroyed by shredding or otherwise destroying it so that it cannot be reconstructed. For electronic media, the PHI must be cleared, purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, to ensure that the PHI cannot be retrieved.[5]
Interim Final Regulations
In August, HHS will publish interim final regulations. The breach notification requirements and the guidance will not apply until 30 days after the publication of those regulations. In the meantime, HHS is asking for public comments on the breach notification requirements and the guidance.
[1] In such a situation the procedure outlined in 45 CFR 164.528(a)(2) should be followed.
[2] 45 CFR 164.304.
[3] Available at: http://www.csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
[4] This includes the following NIST Special Publications:
- 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementation
Available at: http://www.csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf
- 800-77, Guide to IPsec VPNs
Available at: http://www.csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf
- 800-113, Guide to SSL VPNs
Available at: http://www.csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf
[5] Available at: http://www.csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf