Breaches of Unsecured PHI
In late August, the Department of Health and Human Services published its interim final rule governing breach notifications required under the Health Information Technology for Economic and Clinical Health Act (HITECH), a component of the American Recovery and Reinvestment Act of 2009 (ARRA). The new breach notification rule implements the HITECH requirement that hospitals and other HIPAA-covered entities and their business associates must promptly notify individuals if and when the privacy of their unsecured personal health information (PHI) is breached. Unsecured PHI is any PHI that is not secured through a technology or methodology specified by HHS. The rule clarifies that the privacy and security of PHI is compromised and the notification requirement is triggered only if the acquisition, access, use, or disclosure of the information poses a significant risk of financial, reputational, or other harm to the individual. In this era of heightened privacy concerns, hospitals and other covered entities would be wise to consider adopting a conservative approach to this risk assessment.
Consistent with HITECH, the final rule includes the following exceptions where the breach notification requirement is not triggered:
- (1) an unintentional acquisition, access, or use of PHI by an employee or individual acting on behalf of a covered entity or business associate, if the PHI was acquired, accessed, or used in good faith and within the scope of employment or other professional relationship, and was not further accessed, used, or disclosed in a manner not permitted under the HIPAA Privacy Rule;
- (2) an inadvertent disclosure by an individual authorized to access PHI at a covered entity or business associate to another individual authorized to access PHI at the same covered entity or business associate, provided the PHI is not further accessed, used, or disclosed in a manner not permitted under the HIPAA Privacy Rule; or
- (3) a good-faith belief by a covered entity or business associate that the unauthorized person to whom the disclosure of PHI was made would not reasonably have been able to retain the information.
When a breach occurs, the final rule requires notifications to be made without unreasonable delay, but in any event within 60 calendar days after discovery of the breach. If the breach involves 500 or more individuals, the covered entity must also inform HHS and prominent media outlets serving the area in question. For breaches involving fewer than 500 individuals, a covered entity may maintain a log of such breaches and provide an annual report of such breaches to HHS.
Under the final rule, the requirements for providing notice include:
- Notification written in plain language;
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach if known;
- A description of the types of unsecured PHI involved in the breach;
- Steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of the action the covered entity or business associate is taking to investigate and mitigate harm; and
- Contact procedures for affected individuals with questions or concerns. Contact information must include a toll-free number, e-mail address, website URL, or postal address.
In addition to clarifying the parameters of the breach notification requirement, the final rule updates HHS guidance specifying the technologies and methodologies for securing PHI that provide a safe harbor from HITECH’s breach notice obligations for HIPAA-covered entities and business associates that adopt them. The rule affirms that the only method to render electronic PHI unusable, unreadable, or undecipherable to unauthorized persons is encryption. For PHI in nonelectronic formats, the records must be destroyed in order to meet the safe harbor requirements and avoid the breach notification obligation.
The HHS breach notification rule goes into effect on September 23, 2009. While HHS is urging covered entities and business associates to comply promptly, the department also recognizes that doing so may take some time. Accordingly, HHS has indicated it will not enforce the rule for breaches that are discovered before February 2010.
Breaches of Other Personal Electronic Health Information
Also in mid-August, the Federal Trade Commission issued a companion final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached. The FTC breach notification rule, which Congress required under ARRA, applies both to vendors of personal health records (online repositories that people can use to keep track of their health information) and to entities that offer third-party applications for personal health records. It is intended to help protect the privacy and security of individuals’ electronic health information held by entities that are not subject to the privacy and security requirements of HIPAA. As discussed above, HIPAA-covered entities and business associates are instead subject to the HHS breach notification rule.
Under the FTC’s final rule, personal health record vendors and related entities must notify consumers as well as the FTC of a breach involving consumers’ unsecured electronic health information. In the case of breaches involving 500 or more people, affected entities must also notify the media. Similar to the HHS breach notification rule, the FTC rule does not apply to health information that is secured through technologies specified by HHS. The FTC is set to begin enforcement of its breach notification rule in February 2010.
Who is your regional privacy advisor?
Hospitals and other health care providers now have a regional privacy advisor within the Office of Civil Rights. In mid-August, HHS appointed the managers of each regional OCR office to also serve as the regional privacy advisors. Now that we know who these regional privacy advisors are, the real question is what will they be doing? These regional advisors, required by HITECH, are supposed to provide education and guidance to hospitals and other covered entities and their business associates aimed at helping them comply with HIPAA privacy and security requirements. Because these are new positions, it is not yet clear whether the guidance offered by these regional privacy advisors will come in the form of informal FAQs, written advisory opinions similar to those provided by the OIG, or some other format. Time will tell.