Interim HIPAA breach notification regulations from the U.S. Department of Health and Human Services, (“HHS”) became effective September 23, 2009, requiring entities to give notice to affected individuals of any breach of unsecured, protected health information. These rules originate with the Stimulus Bill and are part of the administration’s promotion of “electronic health records.”

Safe Harbor

The new rules contain a safe-harbor. Entities that use HHS-approved technologies and methodologies that result in the encryption and destruction of certain health records need not comply with the notification rules (although notification is still considered a best practice).

Key to the safe-harbor is the fact that the rules apply only to breaches of “unsecured” Protected Health Information (“PHI”). The term “unsecured” refers to PHI that has not been secured through the use of technology or methodology approved by HHS. HHS Guidance (called the “HITECH Breach Notification Guidance”) describes those approved technologies and methodologies, making PHI “unusable, unreadable, or indecipherable to unauthorized individuals”. Electronic PHI is secured when it has been adequately encrypted. Hard copies of PHI can only be secured when shredded or destroyed such that they cannot be read or reconstructed.

Current Obligations

A covered entity and a business associate must be able to identify, record, investigate and report to an affected individual and HHS any breach occurring after September 23, 2009. A covered entity’s work force must be trained on the new breach notification regulations. Additionally, a covered entity must include sanctions for violating the new breach of notification rules, and the sanction must be included in the covered entity’s policies. Therefore, covered entities should examine their handbooks or other provisions regarding sanctions to insure that they are broad enough to include sanctions relating to the breach of notification rules. If not, they need to be updated.

Definition of Breach

If there is a saving grace in all of this, it is that the definition of a “breach” has been modified as well. The regulations now provide that a “breach” exists if there is an acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rules and such action “compromises” the security or the privacy of the PHI. The definition of “compromise” now includes a helpful risk analysis, and under that analysis the PHI is compromised only if the event poses “a significant risk of financial, reputational, or other harm to the individual.” In other words, many minor or insignificant breaches may not pose a significant risk of such harm, and need not be reported to the affected individual or to HHS. A breach of unsecured PHI is also not considered to have occurred under certain exceptions:

  1. If an unauthorized person to whom the unsecure PHI is disclosed would not reasonably have been able to retain the PHI;
  2. An unintentional acquisition, access, or use of unsecured PHI occurs by an employee or individual acting under the authority of a HIPAA covered entity or business associate, but only if (a) the acquisition, access or use is made in good faith and within the course and scope of employment or other professional relationship with the covered entity or business associate and (b) such unsecured PHI is not further acquired, accessed, used, disclosed by anyone; or
  3. Where the inadvertent disclosure occurs from an individual who is otherwise authorized access to unsecure PHI at a facility operated by a HIPAA covered entity or business associate, to another similarly situated individual at the same facility, but only if the unsecured PHI is not further accessed, acquired, used or disclosed without authorization.

HIPAA covered entities and business associates should each identify their business associates, agents and sub-contractors and review their agreements to include compliance with the new regulations. Handbooks and training need to be updated as well.

Kevin McManaman