Monday, October 26, 2009

Breach Notification for Protected Health Information. Part 2.

This is a continuation of the previous post. Included is a summary and commentary concerning the recent announcement of an Interim Final Rule (IFR) on health information breach notification by the Secretary of Health and Human Services (HHS). Those participating in the field of medical informatics should become familiar with this IFR. As a reminder, unsecured protected health information can include information in any form or medium, including electronic, paper, or oral. An important element of the Act applies to possible conflicts between federal and state privacy and breach reporting laws. In general, the new HIPAA regulations provide that the HIPAA administrative simplification provisions preempt conflicting State law.

There is a three-step process to determining if breach notification is required. The first step is to determine whether a use or disclosure of protected health information violates the HIPAA Privacy Rule. If a violation of the Privacy Rule has occurred then the next step is to determine whether the violation compromises the security or privacy of the protected health information.

The compromise of protected health information must pose a significant risk of financial, reputational, or other harm to the individual. This means that covered entities (CEs) and business associates (BAs) will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. This risk assessment should be based on known facts. The risk assessment must be documented and retained against the possibility of an Office for Civil Rights investigation. Risk assessments should consider to whom the information was disclosed and who used it. Other considerations include the type and amount of protected health information involved in the disclosure. If the type of information disclosed does not pose a significant risk of financial, reputational, or other harm, then the violation does not constitute a breach under the Rule. It should be noted that limited data sets are considered protected health information under the Act unless identifiers such as birth date and zip code are removed. This decision was made by policy makers because of the risk of re-identification when only the 16 identifiers listed in the HIPAA Privacy Rule for limited data sets are removed.

The final step is to determine if the breach falls under one of the three exceptions to the definition of breach: 1) unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate, 2) inadvertent disclosure of protected health information from one person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, and 3) unauthorized disclosures in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information. Notification is not required if one of these exceptions applies.

A breach is considered discovered when the incident becomes known, not when the CE or BA concludes the risk analysis and decides on the basis of the facts that a breach has occurred. The Act states that a breach shall be treated as discovered by a covered entity as of the first day the breach is known to the covered entity or by exercising reasonable diligence would have been known to the covered entity. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. This means that it is important for CEs and BAs to implement systems for discovery of breaches. This should include workforce training about the importance of timely reporting of privacy and security incidents and the consequences of failing to do so.

A CE may take a reasonable time to investigate the circumstances surrounding the breach in order to collect and develop the information required to be included in the notice of a data breach to individuals. The IFR states that a CE shall send the required notification without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered. The Act specifies five elements that must be included in the breach notice: 1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, 2) a description of the types of unsecured protected health information that were involved in the breach, 3) steps individuals should take to protect themselves from potential harm resulting from the breach, 4) a brief description of what the CE involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches, and 5) contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, Web site, or postal address. The notice should not contain any unsecured protected health information itself. The written notice will be sent by first-class mail to the last known address of the individual.

If there is out-of-date contact information for 10 or more individuals, then the CE must provide substitute notice through either a conspicuous posting for a period of 90 days on the home page of its Web site or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. As with the written notice, these substitute notifications must be provided in a manner that is reasonably calculated to reach the affected individuals. In addition, the CE must have a toll-free phone number, active for 90 days, where an individual can learn whether their unsecured protected health information may be included in the breach, and must include the number in the notice.

For breaches involving fewer than 500 individuals, a CE must maintain a log or other documentation to be submitted annually to the Secretary of HHS for breaches that occurred during the preceding calendar year. For breaches involving more than 500 individuals, the Secretary must be notified immediately. The instructions for notification will be posted on the HHS Web site. Furthermore, if the unsecured protected health information of more than 500 residents of a state or jurisdiction is breached, then notice must be provided to prominent media outlets serving that area. This media notice requirement is different from the substitute media notice mentioned above. The notification of the media must be carried out within the same timeframe required for the notice to individuals. In other words, media outlets must be notified without unreasonable delay, but in no case later than 60 calendar days following discovery of a breach.

Finally, the Act requires a business associate of a covered entity that accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured protected health information to notify the covered entity when it discovers a breach of such information. The CE then must provide the notices to individuals and the media as outlined above. A business associate that maintains the protected health information of multiple covered entities need notify only the covered entity or entities to which the breached information relates.
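To make the three-step determination and the notification obligations summarised above concrete, here is an added example (not part of the original post, the IFR, or any HHS material) that encodes them as an incident-triage function an IR team could keep beside its playbook. The thresholds and the 60-day clock are taken from the post as written here (including its "more than 500" wording); the Incident fields, the exception labels, the function names, and the sample incident are all assumptions constructed for the example.

```python
"""Breach-notification triage helper (added example, not the post's own code).

Encodes: step 1 Privacy Rule violation, step 2 significant risk of harm,
step 3 the three exceptions, then the notification obligations that follow.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Thresholds and deadlines as stated in the post.
NOTICE_DEADLINE_DAYS = 60            # calendar days after discovery, individuals and media
SUBSTITUTE_NOTICE_MIN_STALE = 10     # out-of-date addresses that trigger substitute notice
SUBSTITUTE_NOTICE_DAYS = 90          # web posting / toll-free number must stay active
LARGE_BREACH_THRESHOLD = 500         # post: "more than 500" -> immediate HHS and media notice

# The three exceptions to the definition of breach (labels are assumptions).
EXCEPTIONS = {
    "unintentional_workforce_access",     # 1) unintentional acquisition/access/use by workforce
    "inadvertent_authorized_disclosure",  # 2) inadvertent disclosure between authorized persons
    "recipient_could_not_retain",         # 3) recipient could not reasonably retain the PHI
}


@dataclass
class Incident:
    discovered_on: date                       # first day the incident became known
    privacy_rule_violation: bool              # step 1
    significant_risk_of_harm: bool            # step 2: result of the documented risk assessment
    exception: Optional[str] = None           # step 3: one of EXCEPTIONS, or None
    individuals_affected: int = 0
    stale_addresses: int = 0                  # individuals with out-of-date contact information
    residents_by_state: Dict[str, int] = field(default_factory=dict)
    discovered_by_business_associate: bool = False


def is_breach(inc: Incident) -> bool:
    """Three-step determination; True only if a notifiable breach has occurred."""
    if not inc.privacy_rule_violation:
        return False
    if not inc.significant_risk_of_harm:
        return False
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception label: {inc.exception}")
        return False
    return True


def notification_plan(inc: Incident) -> dict:
    """Return the notification obligations that follow from the incident facts."""
    plan = {"breach": is_breach(inc)}
    if not plan["breach"]:
        return plan
    deadline = inc.discovered_on + timedelta(days=NOTICE_DEADLINE_DAYS)
    # A business associate reports to the covered entity, which sends the notices.
    plan["ba_notifies_ce"] = inc.discovered_by_business_associate
    plan["individual_notice_deadline"] = deadline
    plan["substitute_notice"] = inc.stale_addresses >= SUBSTITUTE_NOTICE_MIN_STALE
    plan["substitute_notice_days"] = SUBSTITUTE_NOTICE_DAYS if plan["substitute_notice"] else 0
    # HHS: immediate notice for large breaches, otherwise the annual log.
    plan["hhs_notice"] = (
        "immediate" if inc.individuals_affected > LARGE_BREACH_THRESHOLD else "annual_log"
    )
    # Media notice for each state with more than 500 affected residents, same deadline.
    plan["media_notice_states"] = sorted(
        s for s, n in inc.residents_by_state.items() if n > LARGE_BREACH_THRESHOLD
    )
    plan["media_notice_deadline"] = deadline if plan["media_notice_states"] else None
    return plan


# Constructed sample: a business associate reports a lost unencrypted backup tape.
SAMPLE = Incident(
    discovered_on=date(2009, 10, 1),
    privacy_rule_violation=True,
    significant_risk_of_harm=True,
    individuals_affected=1200,
    stale_addresses=15,
    residents_by_state={"CA": 900, "NV": 300},
    discovered_by_business_associate=True,
)

if __name__ == "__main__":
    for key, value in notification_plan(SAMPLE).items():
        print(f"{key}: {value}")
```

The plan is deliberately a plain dictionary so it can be attached to the incident record alongside the documented risk assessment; the 60-day date it computes is the outer limit, not a target, since the post requires notice "without unreasonable delay".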
