What is a Breach Under the HITECH Breach Notification Regulations?
By Judith A. Eisen & Stacey L. Gulick, Garfunkel Wild, P.C., Great Neck, NY
Since the Interim Breach Notification Regulations under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (the “Breach Notification Rule”) became effective on September 23, 2009, there have been thousands of breach notifications sent by covered entities and reported to the Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”). To date, nearly 450 of those reports have involved incidents that impacted more than 500 individuals, which, under the Breach Notification Rule, triggers more onerous disclosure requirements and heightened scrutiny.[1] In March 2012, the first potential consequence of these reports was seen when Blue Cross Blue Shield of Tennessee (“BCBST”) paid $1.5 million to settle claims of potential violations of the Health Insurance Portability and Accountability Act of 1996 and its related regulations (collectively “HIPAA”) that were identified after BCBST appropriately notified the OCR of a breach involving more than 500 people.[2]
Nevertheless, there continues to be widespread confusion regarding what actually constitutes a breach. Indeed, the OCR acknowledged in its annual report to Congress that covered entities are reporting incidents that do not necessarily rise to the level of a breach.[3] This problem is further exacerbated by the increased penalties (including penalties for failure to report) required by HITECH.[4] The potential penalties could be seen as a significant motivation for covered entities to ensure that any incident that could be a breach is reported, even if it is not entirely clear that the incident requires breach notification.[5] Alternatively, the penalties imposed on BCBST, after it complied with the Breach Notification Rule, could act as a deterrent for covered entities to report, particularly breaches involving more than 500 individuals (all of which must be investigated by the OCR and are subject to significant financial penalties based upon the OCR’s findings).[6] In other words, covered entities could be penalized either for failure to report or for violations that are identified as a result of a report. As these conflicting motivations continue to collide, the outcry for additional guidance from HHS continues.
Definition of Breach
A breach of protected health information (“PHI”) is defined as the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.[7] Parsing this definition into its components, there must be: (1) an access to, or use or disclosure of, unsecured PHI; (2) a use, access or disclosure that violates the “Privacy Rule” (i.e., Subpart E of 45 C.F.R. 164); (3) a significant risk that such access, use or disclosure will cause financial, reputational, or other harm to the patient; and (4) no exceptions that apply. If any of these four criteria are not met, the incident is not a breach, as defined in the Breach Notification Rule, and notifications do not need to be sent or reports made to the OCR. In that event, however, the covered entity must document, in the form of a risk assessment, the basis for determining that the incident is not a breach.[8] For purposes of this article, incidents that meet all of the criteria (numbers 1-4 above) will be referred to as a “Breach” and any potential Breach as an “Incident”.
Requirement for Risk Assessments
HHS advises that the following factors be considered when conducting the risk assessment of an Incident: (1) the individuals involved (e.g., the disclosers and recipients); (2) the type and amount of PHI involved (including whether acquisition of the type of information involved could harm the patient); (3) any mitigating factors; and (4) any applicable exceptions.[9] In addition, HHS advises covered entities to consider the guidance of the Office of Management and Budget (“OMB”) published in its OMB Memorandum M-07-16 in 2007,[10] which provides somewhat more detailed advice regarding the factors that should be considered when performing the risk assessment.
Incidents that are NOT a Breach
Although the guidance is still fairly limited, the Breach Notification Rule and the commentary do provide some insights regarding those Incidents that would not be considered a Breach. One can categorize this guidance using the four breach criteria noted above.
Unsecured PHI not involved
First, if “unsecured” PHI is not involved, there is no Breach. PHI is considered to be secured if it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals. HHS has published guidance (the “Security Guidance”)[11] regarding the steps that need to be taken to achieve this standard.[12] Most notably, HHS has stated that PHI is secure if it has been encrypted or destroyed (e.g., shredded) in a manner described in the Security Guidance. For example, if a laptop containing PHI is lost by a healthcare professional and the PHI is encrypted in accordance with HHS standards, there is no Breach.
Furthermore, HHS has stated that certain Incidents involving PHI in limited data sets do not constitute a Breach because it is virtually impossible to identify the individuals involved. Specifically, Incidents involving PHI contained in a limited data set[13] that does not include zip codes and dates of birth would not constitute a Breach.[14]
No Violation of the Privacy Rule
If there is no violation of the Privacy Rule, even if there is an unauthorized use or disclosure, there is no Breach. For example, assuming reasonable safeguards have been put into place, an incidental disclosure that results from an otherwise permissible use or disclosure would not be a Breach, because there has been no violation of the Privacy Rule (e.g., if a visitor overhears two nurses speaking softly behind a nurses’ station, it probably is not a breach).[15] HHS also specifically states that Incidents involving employment records held by a covered entity in its role as employer do not constitute a Breach because the information is not PHI, and therefore, is not subject to the Privacy Rule.
No Risk of Harm to the Patient
This is the prong of the analysis that is subject to much debate and speculation. This is also where the factors in the risk assessment, discussed above, may play the most significant role, because it is those factors that will dictate whether or not there is a risk of harm. Although HHS has not definitively identified any specific types of Incidents that it believes pose no risk of harm, HHS has at least provided some scenarios in which it deems the risk of harm less likely. In each of the following scenarios, HHS states that there is reduced risk to the patient:
An Incident in which a covered entity inappropriately discloses information to another covered entity or government agency governed by federal confidentiality laws.[16]
An Incident in which the covered entity takes immediate steps to mitigate an impermissible use or disclosure, such as obtaining a recipient’s satisfactory assurances that the information will be destroyed and/or not further disclosed (e.g., PHI is sent by facsimile to the wrong number and the covered entity immediately receives a confidentiality agreement from the unintended recipient).[17]
An Incident in which the PHI is returned prior to being accessed for impermissible purposes. The example provided by HHS is a lost or stolen laptop, which is returned or recovered, and forensic analysis can determine that unencrypted information was not accessed.[18]
An Incident in which the information disclosed presents only a minimal risk of harm to the patient (e.g., a patient’s name and address in a list of patients at a particular facility, assuming the type of facility does not indicate the type of services provided, such as a mental health facility).[19] This exception poses a particular challenge because it is unclear when disclosure of information beyond name, address, and location of treatment rises to the level of harm to the patient (e.g., whether the inclusion of a patient’s diagnosis automatically creates a risk of harm). It is generally hoped that additional guidance regarding this aspect of the risk of harm analysis will provide more clarity.
An Exception Applies
The Breach Notification Rule includes three exceptions to the definition of Breach. These exceptions are very narrow; however, if the Incident fits within one of them, the Incident is not a Breach. The first exception applies if the unintended recipient of the information would not reasonably have been able to retain the information (e.g., the information is recovered before it could have been seen).[20] The other two exceptions apply to certain unintentional or inadvertent disclosures within a covered entity or business associate (e.g., an employee accidentally receives and opens an email that was intended for a different employee, or a physician sends a nurse the wrong patient’s information) provided that the information is not further used or disclosed in an impermissible manner.[21]
There are, however, Incidents at the other end of the spectrum that are nearly always going to be considered a Breach. Most notably, if there is an Incident involving PHI that is also protected by other state and federal confidentiality laws, then it is almost certain that a Breach has occurred. This includes cases where the applicable PHI involves information that could be used to steal an individual’s identity (e.g., social security number or credit card information and password),[22] or relates to treatment for HIV/AIDS, sexually transmitted diseases, mental health or substance abuse.[23] HHS does, however, caution that even in cases involving PHI that might generally be considered somewhat less sensitive, a Breach may still be found under the right set of facts. So, for example, if the PHI involved could be used by an employer to discriminate against an employee or applicant (e.g., information that a patient is receiving oncology treatment), the Incident is most likely a Breach.[24]
HHS has also stated that access to patient information by an employee who is not authorized to access the information and has no job-related reason to do so (e.g., the employee is checking on the health status of a friend) would be considered a Breach and would not fit within the exceptions described above.[25] Finally, HHS has specifically stated that a use or disclosure that involves more than the minimum necessary information would be considered to be a Breach if the other criteria are met.[26]
The wait for more and better guidance continues. As of the writing of this article, the OMB had received from HHS the text of the final HITECH regulations, which are rumored to provide more guidance regarding the breach notification requirements. Since the OMB review is the last step before publication, it is anticipated that the regulations will be published soon. Hopefully, the new regulations or accompanying commentary will make these determinations easier, but many if not most Incidents will continue to require a level of discretion in evaluating whether they rise to the level of a Breach. When there is a determination that an Incident is not a Breach, covered entities and business associates will need to document a very thorough and defensible risk assessment that takes into account all of the factors identified by HHS. The industry otherwise waits to see what happens in a case where HHS disagrees with an entity’s risk assessment.
Judith Eisen is a partner/director at Garfunkel Wild, P.C. and co-chair of the HIPAA Compliance group. Stacey Gulick is a partner at the firm and a member of the HIPAA Compliance group. Information regarding Garfunkel Wild, P.C. can be found at: www.garfunkelwild.com.
Notes
“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2009 and 2010”, p. 4, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachrept.pdf.
For example, it is not clear under the available guidance whether the loss of an unencrypted laptop with a database containing names, addresses and the results of routine dental x-rays would cause a risk of harm to the patients that would require patient notification and reporting to the OCR, but a covered entity might treat this incident as a breach in order to avoid the specter of a penalty.
This requirement was announced by the OCR at various conferences and in various media interviews. For example, see http://blogs.hcpro.com/hipaa/2012/03/qa-with-ocr-we-investigate-all-500-plus-hipaa-breaches/.
45 CFR 164.402.
45 CFR 164.414.
74 Fed. Reg. 42740, 42744.
See Executive Office of the President, OMB Memorandum M-07-16 (May 22, 2007). This Memorandum can be found at http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf.
11. 74 Fed. Reg. 19006.
Limited data sets are defined in 45 CFR 164.514 as health information that excludes specific data elements such as name, address, social security numbers, email addresses, full face images, and health plan numbers. Limited data sets may, but do not have to, include birth dates and zip codes.
14. 74 Fed. Reg. 42740, 42746.
74 Fed. Reg. 42740, 42744.
74 Fed. Reg. 42740, 42744.
74 Fed. Reg. 42740, 42745.
74 Fed. Reg. 42740, 42760.
20. 45 CFR 164.502.
22. For a list of state breach security laws, see http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx.
23. 74 Fed. Reg. 42740, 42745.
25. 74 Fed. Reg. 42740, 42744.
26. Id.