Medical Information Breach Notification
The American Recovery and Reinvestment Act (ARRA) of February 2009 contained sections that outlined new requirements for breach notification. The protection of the privacy and security of protected health information was originally set out in HIPAA in 1996. ARRA imposes new requirements on Covered Entities, Business Associates, and certain other organizations, such as personal health record vendors, to report breach events to consumers and to the Secretary of Health and Human Services. Virtually everyone who handles, maintains, or forwards protected health information will need to be very familiar with the new breach notification law. The Department of Health and Human Services published an Interim Final Rule (IFR) with request for comments on August 24, 2009 in the Federal Register. The next few posts of this blog will address the key sections of the newly released regulations.
The breach notification provisions apply to "HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information." The Office of Civil Rights will be responsible for enforcing the regulations, except for the portions that apply to Personal Health Records (PHRs, see below). The definitions of the terms used here conform to those provided in the original HIPAA regulations. The key terms are "covered entities," "business associates," and "unsecured protected health information." After a breach of unsecured protected health information has been discovered by a covered entity, notice must be provided to all affected individuals and to the Secretary of Health and Human Services (HHS). If a data breach occurs at a business associate of a covered entity, the business associate must notify the covered entity. Furthermore, the Secretary of HHS must post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals. Similar breach notification requirements will be imposed by the Federal Trade Commission (FTC) on vendors of PHRs and their third-party service providers. This is an important additional protection for consumers that was not provided by the original version of HIPAA.
The regulations' definition of a breach is critical. A breach is "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." The regulations call out several exceptions, such as instances where the information is retrieved before it can be viewed, and unintentional acquisition of information that has no potential harmful effect and for which appropriate mitigation actions are implemented.
The IFR defines unsecured protected health information as "protected health information that is not secured through the use of a technology or methodology specified by the Secretary, in guidance, that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals." The guidance was published in the Federal Register on April 27, 2009 (74 FR 19006). This is an important notice that must be read hand-in-hand with the IFR. It lists encryption and destruction as the two technologies and methodologies approved by the Secretary. Covered entities and business associates that apply encryption or destruction to protected health information are not required to report a breach, if one occurs, because the information will not be considered "unsecured." This section will certainly have a major impact on how information is managed by health care organizations, providers, and insurance plans. The Act introduces strong incentives for investment in data security improvements that minimize the possibility of reportable data breaches. Consider how an organization would choose to mitigate the risk of the most common cause of data breaches: a lost or stolen laptop computer.
The IFR does not modify the HIPAA Security Rule. For example, it does not mandate encryption of protected health information. However, if a data breach occurs, the notification requirement applies even to an organization that is in compliance with the Security Rule, unless the protected health information was safeguarded with an encryption method specified in the guidance. To ensure that encryption keys are not breached along with the data, the guidance advises covered entities and business associates to keep encryption keys on a device separate from the one used to encrypt or decrypt the data. Access controls alone do not meet the statutory requirement of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. For paper-based health information, redaction is not an acceptable method of securing protected health information either; only destructive methods fulfill the standards set out in the guidance. For further information on these topics, see:
Data at rest encryption: NIST Special Publication 800-111
Data in motion encryption: NIST Special Publication 800-52, 800-77, 800-113, and others which are Federal Information Processing Standards (FIPS) 140-2 validated
Destruction of electronic media: NIST Special Publication 800-88
The publications are easily accessible on the Web.
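The following triage helper is an added example, not part of the original post or of the HHS guidance: it encodes the decision logic described above (approved encryption with the key kept off the device, or destruction, takes the data out of "unsecured"; access controls alone do not; breaches affecting more than 500 individuals are posted by HHS; a business associate notifies the covered entity). The incident fields and party names are constructed for illustration.

```python
"""Breach-notification triage helper (added example, not from the IFR or HHS guidance)."""
from dataclasses import dataclass

# Threshold above which HHS posts the covered entity on its Web site (from the IFR summary).
HHS_PUBLIC_LISTING_THRESHOLD = 500


@dataclass
class PhiIncident:
    """Constructed description of a lost/stolen device or improper disclosure of PHI."""
    encrypted_per_guidance: bool        # encryption method listed in the HHS guidance (e.g. NIST SP 800-111)
    key_on_same_device: bool            # key stored with the data; the guidance advises keeping it apart
    media_destroyed: bool               # destruction per NIST SP 800-88 (electronic) or paper destruction
    falls_under_ifr_exception: bool     # e.g. data retrieved before it could be viewed
    individuals_affected: int
    handled_by_business_associate: bool


def is_unsecured(incident: PhiIncident) -> bool:
    """PHI is 'secured' only via approved encryption (key kept separate) or destruction.

    Anything else, including PHI protected only by access controls or by
    redaction of paper records, remains 'unsecured' under the guidance.
    """
    if incident.media_destroyed:
        return False
    if incident.encrypted_per_guidance and not incident.key_on_same_device:
        return False
    return True


def required_notifications(incident: PhiIncident) -> set:
    """Return the parties that must be notified under the IFR for this incident."""
    if not is_unsecured(incident) or incident.falls_under_ifr_exception:
        return set()
    parties = set()
    if incident.handled_by_business_associate:
        # The business associate's duty is to notify the covered entity,
        # which then carries out the individual and HHS notices.
        parties.add("covered_entity")
    parties.update({"affected_individuals", "hhs_secretary"})
    if incident.individuals_affected > HHS_PUBLIC_LISTING_THRESHOLD:
        parties.add("hhs_public_website_listing")
    return parties
```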
Coming up next: How to detect data breaches. What to do when a breach occurs.
Thursday, October 15, 2009