Monday, October 26, 2009

Breach Notification for Protected Health Information. Part 2.

This is a continuation of the previous post. Included is a summary and commentary concerning the recent announcement of an Interim Final Rule (IFR) on health information breach notification by the Secretary of Health and Human Services (HHS). Those participating in the field of medical informatics should become familiar with this IFR. As a reminder, unsecured protected health information can include information in any form or medium, including electronic, paper, or oral. An important element of the Act applies to possible conflicts between federal and state privacy and breach reporting laws. The effect of the new HIPAA regulations is that the HIPAA administrative simplification provisions generally preempt conflicting State law.

There is a three-step process to determining if breach notification is required. The first step is to determine whether a use or disclosure of protected health information violates the HIPAA Privacy Rule. If a violation of the Privacy Rule has occurred then the next step is to determine whether the violation compromises the security or privacy of the protected health information.

The compromise of protected health information must pose a significant risk of financial, reputational, or other harm to the individual. This means that covered entities (CEs) and business associates (BAs) will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. This risk assessment should be based on known facts. The risk assessment must be documented and retained against the possibility of an Office of Civil Rights investigation. Risk assessments should consider to whom the information was disclosed and who used it. Other considerations include the type and amount of protected health information involved in the disclosure. If the type of information disclosed does not pose a significant risk of financial, reputational, or other harm, then the violation does not constitute a breach under the Rule. It should be noted that limited data sets are considered protected health information under the Act unless identifiers such as birth date and zip code are removed. This decision was made by policy makers because of the risk of re-identification when only the 16 identifiers listed in the HIPAA Privacy Rule for limited data sets are removed.

The final step is to determine if the breach falls under one of the three exceptions to the definition of breach: 1) unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate, 2) inadvertent disclosure of protected health information from one person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, and 3) unauthorized disclosures in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information. Notification is not required if one of these exceptions applies.

A breach is considered discovered when the incident becomes known, not when the CE or BA concludes the risk analysis and decides on the basis of the facts that a breach has occurred. The Act states that a breach shall be treated as discovered by a covered entity as of the first day the breach is known to the covered entity or by exercising reasonable diligence would have been known to the covered entity. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. This means that it is important for CEs and BAs to implement systems for discovery of breaches. This should include workforce training about the importance of timely reporting of privacy and security incidents and the consequences of failing to do so.

A CE may take a reasonable time to investigate the circumstances surrounding the breach in order to collect and develop the information required to be included in the notice of a data breach to individuals. The IFR states that a CE shall send the required notification without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered. The Act specifies five elements that must be included in the breach notice: 1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, 2) a description of the types of unsecured protected health information that were involved in the breach, 3) steps individuals should take to protect themselves from potential harm resulting from the breach, 4) a brief description of what the CE involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches, and 5) contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, Web site, or postal address. The notice should not contain any unsecured protected health information itself. The written notice will be sent by first-class mail to the last known address of the individual.

If there is out-of-date contact information for 10 or more individuals, then the CE must provide substitute notice through either a conspicuous posting for a period of 90 days on the home page of its Web site or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. These substitute notifications must be provided in a manner that is reasonably calculated to reach the affected individuals. In addition, the CE must have a toll-free phone number, active for 90 days, where an individual can learn whether their unsecured protected health information may be included in the breach, and must include the number in the notice.

For breaches involving fewer than 500 individuals, a CE must maintain a log or other documentation to be submitted annually to the Secretary of HHS for breaches that occurred during the preceding calendar year. For breaches involving more than 500 individuals, the Secretary must be notified immediately. The instructions for notification will be posted on the HHS Web site. Furthermore, if the unsecured protected health information of more than 500 residents of a state or jurisdiction is breached, then notice must be provided to prominent media outlets serving that area. This media notice requirement is different from the substitute media notice mentioned above. The notification of the media must be carried out within the same timeframe required for the notice to individuals. In other words, media outlets must be notified without unreasonable delay, but in no case later than sixty calendar days following discovery of a breach.

Finally, the Act requires a business associate of a covered entity that accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured protected health information to notify the covered entity when it discovers a breach of such information. The CE then must provide the notices to individuals and the media as outlined above. A business associate that maintains the protected health information of multiple covered entities need notify only the covered entity or entities to which the breached information relates.
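The decision procedure described in this post (the three-step breach test, the 60-calendar-day outer limit for individual notice, substitute notice when 10 or more addresses are out of date, the 500-individual thresholds for HHS and media notice, and the business associate's duty to notify the covered entity) worked through as an added Python example. This is not code from the post or from HHS; the `Incident` and `Obligations` classes, the exception codes, and the sample incidents are constructed for illustration, and the helper also applies the "unsecured" gate, since protected health information that was encrypted or destroyed per the HHS guidance is not unsecured PHI. The post does not say how exactly 500 individuals is treated, so the helper treats that boundary like the smaller case and marks it as an assumption.

```python
"""Breach notification decision helper for unsecured PHI (hypothetical example, not HHS code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Step 3 of the post: the three exceptions to the definition of "breach" (codes are constructed).
EXCEPTIONS = {
    "unintentional_workforce": "unintentional acquisition, access or use by a person acting under the authority of the CE/BA",
    "inadvertent_authorized": "inadvertent disclosure between persons authorized to access PHI at the CE/BA",
    "cannot_retain": "unauthorized recipient could not reasonably have retained the information",
}

INDIVIDUAL_NOTICE_DAYS = 60       # post: individual notice no later than 60 calendar days after discovery
SUBSTITUTE_NOTICE_THRESHOLD = 10  # post: 10 or more out-of-date addresses trigger substitute notice
LARGE_BREACH_THRESHOLD = 500      # post: "more than 500" -> immediate HHS notice; per state -> media notice


@dataclass
class Incident:
    discovered: str                      # ISO date of the first day the breach was known or should have been known
    privacy_rule_violation: bool         # step 1
    significant_risk_of_harm: bool       # step 2: outcome of the documented risk assessment
    exception: Optional[str] = None      # step 3: a key of EXCEPTIONS, or None
    phi_secured: bool = False            # encrypted or destroyed per HHS guidance -> not "unsecured" PHI
    individuals: int = 0
    bad_addresses: int = 0               # affected individuals with out-of-date contact information
    residents_by_state: Dict[str, int] = field(default_factory=dict)
    at_business_associate: bool = False  # breach discovered by a BA rather than the CE


@dataclass
class Obligations:
    is_breach: bool
    reason: str
    individual_notice_by: Optional[str] = None  # ISO date, outer limit for first-class mail notice
    substitute_notice: bool = False             # web posting or major media, plus 90-day toll-free number
    hhs_notice: str = "none"                    # "none", "annual_log" or "immediate"
    media_notice_states: List[str] = field(default_factory=list)
    ba_must_notify_ce: bool = False


def classify(inc: Incident) -> Tuple[bool, str]:
    """Apply the 'unsecured' gate and the post's three-step test; return (is_breach, reason)."""
    if inc.phi_secured:
        return False, "PHI encrypted or destroyed per HHS guidance: not unsecured PHI"
    if not inc.privacy_rule_violation:
        return False, "step 1: no Privacy Rule violation"
    if not inc.significant_risk_of_harm:
        return False, "step 2: documented risk assessment found no significant risk of harm"
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError("unknown exception code: %s" % inc.exception)
        return False, "step 3: exception applies (%s)" % EXCEPTIONS[inc.exception]
    return True, "breach of unsecured PHI: notification required"


def obligations(inc: Incident) -> Obligations:
    """Derive the notification duties the post describes for a classified incident."""
    is_breach, reason = classify(inc)
    if not is_breach:
        return Obligations(False, reason)
    deadline = date.fromisoformat(inc.discovered) + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    return Obligations(
        is_breach=True,
        reason=reason,
        individual_notice_by=deadline.isoformat(),
        substitute_notice=inc.bad_addresses >= SUBSTITUTE_NOTICE_THRESHOLD,
        # Post: fewer than 500 -> annual log; more than 500 -> immediate. Exactly 500 is not
        # addressed in the post, so it is treated like the smaller case here (assumption).
        hhs_notice="immediate" if inc.individuals > LARGE_BREACH_THRESHOLD else "annual_log",
        media_notice_states=sorted(s for s, n in inc.residents_by_state.items() if n > LARGE_BREACH_THRESHOLD),
        ba_must_notify_ce=inc.at_business_associate,
    )


# Constructed sample incidents (not real events).
SAMPLES = {
    "stolen_laptop": Incident("2009-10-01", True, True, individuals=1200, bad_addresses=25,
                              residents_by_state={"OH": 900, "KY": 300}, at_business_associate=True),
    "misdirected_fax_retrieved": Incident("2009-10-05", True, True, exception="cannot_retain", individuals=1),
    "encrypted_usb_lost": Incident("2009-10-07", True, True, phi_secured=True, individuals=40),
    "internal_misroute": Incident("2009-10-09", True, True, exception="inadvertent_authorized", individuals=3),
}

if __name__ == "__main__":
    for name, inc in SAMPLES.items():
        print(name, obligations(inc))
```

The `reason` string is kept alongside the verdict because the post requires the risk assessment and its conclusion to be documented and retained against an Office of Civil Rights investigation; the helper's output is the kind of record that documentation would carry.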

Thursday, October 15, 2009

Medical Information Breach Notification

The American Recovery and Reinvestment Act (ARRA) of February 2009 contained sections that outlined new requirements for breach notification. Protection of the privacy and security of protected health information was originally outlined in HIPAA in 1996. ARRA imposes new requirements for Covered Entities, Business Associates, and certain other organizations such as personal health record vendors to report breach events to consumers and the Secretary of Health and Human Services. Virtually everyone who handles, maintains, or forwards protected health information will need to be very familiar with the new breach notification law. The Department of Health and Human Services published an Interim Final Rule (IFR) with request for comments on August 24, 2009, in the Federal Register. The next few posts of this blog will address the key sections of the newly released regulations.

The breach notification provisions apply to "HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information." The Office of Civil Rights will be responsible for enforcing the regulations except for portions that apply to Personal Health Records (PHRs, see below). The definitions of the terms used here conform to those provided in the original HIPAA regulations. The key words here are "covered entities," "business associates," and "unsecured protected health information." After a breach of unsecured protected health information has been discovered by a covered entity, notice must be provided to all affected individuals and to the Secretary of Health and Human Services (HHS). If a data breach occurs at a business associate of a covered entity, then the business associate must notify the covered entity. Furthermore, the Secretary of HHS must post a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals on an HHS Web site. Similar breach notification requirements will be imposed by the Federal Trade Commission (FTC) on vendors of PHRs and their third-party service providers. This is an important additional protection for consumers that was not provided by the original version of HIPAA.

The regulations' definition of an information breach is critical. A breach is "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." The regulations call out several exceptions, such as instances where the information is retrieved before it can be viewed, and unintentional acquisition of information that has no potential harmful effect and for which appropriate mitigation actions are implemented.

The IFR defines unsecured protected health information as "protected health information that is not secured through the use of a technology or methodology specified by the Secretary, in guidance, that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals." The guidance was published in the Federal Register on April 27, 2009 (74 FR 19006). This is an important notice that must be considered hand-in-hand with the IFR. It lists encryption and destruction as the two technologies and methodologies approved by the Secretary. Covered entities and business associates that implement encryption or destruction with respect to protected health information are not required to report a breach, if one occurs, because the information will not be considered "unsecured." This section will certainly have a major impact on how information is managed by health care organizations, providers, and insurance plans. The Act introduces strong incentives for investment in data security improvements to minimize the possibility of reportable data breaches. Consider how an organization would choose to mitigate the risk of the most common cause of data breaches: a lost or stolen laptop computer.

The IFR does not modify the HIPAA Security Rule. For example, it does not mandate encryption of protected health information. However, if a data breach occurs and the protected health information was not encrypted with a method specified in the guidance, then the breach notification requirement applies, even if the organization is in compliance with the Security Rule. To ensure that encryption keys are not breached along with the data, the guidance advises covered entities and business associates to keep encryption keys on a separate device from that used to encrypt or decrypt data. Also, access controls do not meet the statutory requirement of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. For paper-based health information, redaction is not an acceptable method to secure protected health information either. Only destructive methods fulfill the standards mentioned in the guidance. For further information on these topics, see:
Data at rest encryption: NIST Special Publication 800-111
Data in motion encryption: NIST Special Publication 800-52, 800-77, 800-113, and others that are Federal Information Processing Standards (FIPS) 140-2 validated
Destruction of electronic media: NIST Special Publication 800-88

The publications are easily accessible on the Web.
Coming up next: How to detect data breaches. What to do when a breach occurs.