As we reported in our March 2009 article, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act created a new notification requirement in the event of a breach involving protected health information (“PHI”). The Department of Health and Human Services (“HHS”) recently published interim final regulations clarifying when and how such breach notices must be provided.
Perhaps the most interesting aspect of this new guidance is its clarification of the term “breach.” The regulations define a breach as the acquisition, use, or disclosure of PHI which compromises the security or privacy of PHI. The security or privacy of PHI is compromised only if the breach “poses a significant risk of financial, reputational, or other harm to the individual.”
This standard will require a covered entity to conduct a risk assessment and document its analysis with respect to whether a breach has occurred. For example, the inadvertent disclosure of an individual’s admission to the hospital may not be considered a breach for purposes of requiring notification, but the inadvertent disclosure of an individual’s admission to the hospital for substance abuse treatment might be considered a breach.
According to the regulations, this notice requirement applies only to “unsecured” PHI. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Department of Health and Human Services in published guidance.” HHS issued such guidance in April of this year, indicating that the only two approved methods of securing PHI are encryption (for both electronic data “at rest” and data “in motion”) and destruction (by shredding or purging). From a practical perspective, this appears to mean that any PHI that is maintained in a paper format would be considered unsecured for purposes of the breach notification rule, since it cannot be rendered secured until it has been destroyed.
As noted in our earlier article, the HITECH Act also extended this breach notification requirement to business associates of covered entities. Once they become subject to this requirement (by no later than February 17, 2010), business associates whose actions result in a breach of unsecured PHI will be required to notify the covered entity of that breach without unreasonable delay, but in any event within 60 days of the discovery of the breach. They will also have to provide the names of the individuals whose PHI was the subject of the breach.
The new breach notification rules became effective as to covered entities on September 23, 2009, but HHS has stated that it will use its enforcement discretion not to impose sanctions for failure to provide the required notifications for breaches discovered before February 22, 2010. Nonetheless, given the complexities inherent in this area, covered entities (and their business associates) should not rely on this non-enforcement policy as an excuse to delay implementing the breach notification rules.