HHS and FTC Issue HITECH Breach Notification Rules
By Jennifer Rangel, Partner, and Tammy Ward, Associate,
Locke Lord Bissell & Liddell LLP, Austin, TX
An interim final rule released by the U.S. Department of Health & Human Services (HHS) requires healthcare providers, business associates and other covered entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) to provide notice to individuals, HHS and, potentially, the media when unsecured protected health information is breached. The Federal Trade Commission (FTC) issued a companion breach notification final rule that applies to vendors of personal health records and certain others not covered by HIPAA. These regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009.
The HHS rule applies to any breach on or after September 23, 2009 and the FTC rule applies to any breach on or after September 24, 2009. However, neither the HHS nor the FTC will assess sanctions for failure to provide the required notice for breaches discovered prior to February 22, 2010. Covered entities, business associates and entities regulated by the FTC rule should take prompt action to address the breach notification rules by amending business associate agreements, preparing appropriate policies and procedures and training their workforce.
Under the HHS rule, a breach occurs upon the unauthorized acquisition, access, use or disclosure of unsecured protected health information (PHI) which compromises the security or privacy of such information. A covered entity or business associate under HIPAA must conduct a four prong inquiry to determine if a breach has occurred. First, does the potential breach involve unsecured PHI? PHI that is deidentified or that is rendered unusable, unreadable, or indecipherable to unauthorized individuals through use of a technology or methodology specified in guidance from HHS is exempt from notification. The second prong is whether there has been an impermissible use or disclosure (i.e., does the alleged breach violate the HIPAA Privacy Rule). Violations of the Privacy Rule that do not involve the use or disclosure of PHI do not constitute a breach. Third, is whether the potential breach results in a significant risk of financial, reputational, or other harm to the individual. This prong requires the performance of a fact specific risk assessment. The last prong is a determination of whether the breach falls within one of the three exceptions set forth in the HHS rule. Because covered entities and business associates have the burden to prove why a breach notification is not required, they should carefully document risk assessments and the applicability of any exceptions.
Upon discovery of a breach, covered entities must notify affected individuals without unreasonable delay but no later than 60 calendar days from the discovery. If a breach affects, or is believed to affect, 500 or more residents in a particular state or jurisdiction, additional notice must be provided to prominent media outlets serving such areas. If a breach involves 500 or more individuals, the covered entity must also immediately notify HHS. All other breaches may be logged and reported to HHS annually. Business associates also have an obligation to report breaches to the affected covered entity so that the covered entity can follow proper notification procedures. The HHS rule contains specific requirements regarding the manner and content of a breach notification as well as when a breach is treated as discovered.
The FTC’s companion rules apply to breaches of personal health records (PHR), which generally mean electronic health records that are managed, shared and controlled primarily by or for an individual. Vendors that offer or maintain these online PHRs, PHR related entities (such as those providing web-based applications for customers to manage medical information) and third party service providers to these entities must now notify individuals, the FTC and, potentially, the media when information stored in these systems is breached. The FTC is not limited by any jurisdictional tests in the FTC Act, and, therefore, entities such as non-profit organizations that are traditionally outside the FTC’s jurisdiction must comply with this rule. The rule also applies to foreign entities with U.S. customers.
To determine whether a breach has occurred, three elements should be considered. First, the potential breach must involve unsecured PHR identifiable health information, which would be PHR identifiable information that is not protected through the use of a technology or methodology specified by HHS. Next, the access of the unsecured PHR must result in an unauthorized acquisition. The rule presumes that any access results in unauthorized acquisition unless there is reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of the information. For example, reliable evidence could include forensic analysis revealing that files were never opened. The final element is whether the individual authorized the access. Authorization may result from the entity’s disclosures and individuals’ reasonable expectations of how such information will be used. Unlike the HHS rule, the FTC rule does not account for potential harm to the individual, which, consequently, leads to all instances of breach requiring notification.
Once a breach is discovered, procedures for preparing and sending individual notification closely follow the HHS requirements. Also consistent with HHS requirements, breaches affecting 500 individuals or more in a certain jurisdiction or state should be reported to prominent media outlets serving the affected area. Finally, breaches involving 500 or more individuals should be reported to the FTC within 10 days of discovery. Breaches involving fewer than 500 individuals should be reported to the FTC on an annual basis. Forms and instructions for FTC reporting are available on the agency’s website.
Upon discovery of a breach, third party service providers must also notify a vendor of PHR or a PHR related entity and identify each customer whose PHR identifiable health information has been, or is reasonably believed to have been, acquired so that the vendor of PHR or other PHR related entity can notify the affected customers.
At times, vendors of PHR and other entities regulated by the FTC rule may have roles that overlap with both the FTC and HHS regulations. These entities must be prepared to determine which breach notification requirements to follow and have policies in place to track customer lists of their own as well as those of covered entities that use their services.
With enforcement efforts beginning in February 2010, it is vital that covered entities, business associates and entities regulated by the FTC rule begin implementing policies and procedures to address these breach notification requirements. The HITECH Act not only increased HIPAA penalties but enhanced federal and state enforcement capabilities for HIPAA violations. In addition, the HITECH Act treats violations under the FTC rule as unfair or deceptive act or practices under the Federal Trade Commission Act.
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.