Illinois Supreme Court Upholds Revocation of Hospital's State Property Tax Exemption
ABA Health eSource
April 2010 Volume 6 Number 8

The Lowdown on HITECH Breach Notification Requirements

By Denise Webb Glass, Fulbright & Jaworski L.L.P., Dallas, TX 1

AuthorThe passage of the American Recovery and Reinvestment Act of 2009 2 (ARRA) and, in particular, the Health Information Technology for Economic and Clinical Health Act 3 (HITECH), suddenly created a topsy-turvy environment for HIPAA compliance. While the health care industry continues to await further guidance and clarification on many aspects of the HITECH provisions, compliance with the breach notification requirements is now well under way—well, at least six month underway. 4 In this short period of time, covered entities and business associates alike have begun to develop new language for business associate agreements, processes and forms for conducting risk assessments, and template notices for informing affected individuals. Some unfortunate covered entities have even already had to go through the exercise of notifying the federal Department of Health and Human Services (DHHS) of the breach.

Whether business associate agreements even require revision to achieve compliance with the HITCH provisions is a matter of some debate. For those covered entities which elect to modify their business associate agreements, it might be tempting to simply incorporate by reference the breach notification rules into the business associate agreement or add a generic provision such as “the parties agree to comply with the breach notification requirements set forth in HITECH and the accompanying regulations.” However, the breach notification rules contain a number of provisions which merit careful consideration and negotiation by the parties as to the most appropriate way of implementing the requirements.

HITECH Breach Notification Requirements

The HITECH breach notification rules, which apply to covered entities and their business associates, require covered entities to provide notification to affected individuals and the Secretary of DHHS (and in certain circumstances, the media) following the discovery of a breach of unsecured protected health information (PHI). 5 A breach occurs when there is an impermissible acquisition, access, use or disclosure of PHI which compromises the security or privacy of the PHI by posing a significant risk of financial, reputational, or other harm to the individual. 6 The rules further require that business associates notify covered entities in the event of a breach of unsecured PHI.

When is Notice Due

The rules require that notice of a breach be provided to affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” 7 When the breach occurs at the business associate level, the rules similarly require that the business associate provide notice to the covered entity “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” 8 While it might seem reasonable then to assume that if the business associate has up to 60 days to notify the covered entity, the clock for the covered entity’s time period to notify the affected individuals should start to run when it receives notice from the business associate. However, such is not always the case. The commentary from DHHS makes clear that if the business associate is acting as the agent of the covered entity, the business associate’s discovery of breach is imputed to the covered entity so that the covered entity’s obligation to provide notification begins upon the business associate’s discovery. Whether a person is an agent will be determined in accordance with the federal common laws of agency. 9 Rather than run the risk that a business associate otherwise thought to be an independent contractor will be deemed an agent, it is advisable to clearly specify a time period for the business associate’s notification to the covered entity in the business associate agreement which will enable the covered entity to timely notify affected individuals.

Responsibility for Notification

So long as the notification requirements are ultimately met, the covered entity and the business associate have some flexibility in deciding which party will actually provide the notification of breach of unsecured PHI to the affected individuals. The covered entity may wish to delegate the notification obligations to the business associate as a way to shift the cost and burden to the party responsible for the breach. The business associate may likewise, additional cost notwithstanding, want to take on this obligation as a way to control the message being sent to the affected individuals about the breach. As a practical matter, the business associate may be better positioned to provide the notifications due to the functions being performed by the business associate or the nature of the relationship with the affected individual. 10 Even if the responsibility for notifying affected individuals is passed to the business associate, the covered entity retains responsibility for directly notifying DHHS. The parties should carefully consider these issues when entering into or amending their business associate agreements. Unless the business associate agrees to assume responsibility for notifying affected individuals, the covered entity must comply with this obligation.

Cost of Notification

In addition to the costs of notifying affected individuals, compliance with the breach notification rules may trigger other expenses, such as expenses associated with implementing measures necessary to mitigate harm to the affected individuals and protect against future breaches. Mitigating harm to individuals could involve, for example, paying for a credit monitoring service for each affected individual for a certain period of time. Absent explicit provisions in the business associate agreement, the covered entity and the business associate may find themselves at odds with one another as to the extent to which steps to mitigate harm are appropriate and who bears the liability for such expenses.

Assuring Timely Notification

The breach notification rules do not require that business associates notify particular persons at the covered entity. To ensure that notice of a breach is received by the person(s) best in a position to ensure that timely notifications are made to affected individuals, the business associate agreement should clearly specify to whom reports of a breach should be directed. While it is not necessary that the notice of breach be reported to the covered entity’s privacy officer or similar person, it would be prudent to name someone at the covered entity with the responsibility to carry out the notification requirements or the authority to determine whether the business associate has complied with its delegated notification duties.

Establishing Processes to Timely "Discover" Breaches

A covered entity or business associate is treated as having discovered a breach on the first day on which the breach is known or, by exercising reasonable diligence would have been known to the covered entity or business associate. The covered entity is deemed to have that knowledge if any person, other than the person committing the breach, who is a member of the workforce or agent of the covered entity has such knowledge. 11 By comparison, the business associate is only deemed to have that knowledge if the breach is known to any person, other than the person committing the breach, who is an employee, officer or other agent of the business associate. 12 Both covered entities and business associates should implement policies and procedures which detail the internal reporting mechanisms and appropriately train workforce members on the breach notification requirements.

Probably Not If, But When

Unfortunately, no matter how careful an organization is, it may be a question of when, rather than if, a breach occurs triggering the breach notification requirements will occur. If the breach happens at the business associate level, having clear provisions in the business associate agreement defining who must provide the notification, pertinent time frames for notification, liability for expenses incurred and what approvals may be necessary of the contents of such notifications will make the process of compliance with the breach notification requirements much smoother.

1 Denise Webb Glass is a partner in the Health Law section of the Dallas office of Fulbright & Jaworski L.L.P.
2 Pub. L. 111-5.
3 Title XII of Division A and Title IV of Division B of ARRA.
4 Subtitle D of Division A of HITECH requires the Department of Health and Human Services to issue interim final regulations for breach notification by covered entities subject to HIPAA and their business associates. The interim final rules for Breach Notification for Unsecured Protected Health Information were published on August 24, 2009 at 74 Fed. Reg. 42740. The rules went into effect on September 23, 2009.
5 “Unsecured protected health information” is defined in 45 C.F.R. §164.402 as “protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5 on the HHS Web site.”
6 45 C.F.R. §164.402.
7 45 C.F.R. §164.404(b).
8 45 C.F.R. §164.410(b).
9 45 C.F.R. §164.404(a)(2), 164.410(a)(2).
10 For example, the administrative services organization or third party administrator of a self-funded health benefit plan may be better suited to inform an affected individual of a loss of claims data on a stolen laptop containing the individual’s PHI than the plan sponsor.
11 45 C.F.R. §164.404(a)(2).
12 45 C.F.R. §164.410(a)(2).

The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.