HIPAA Breach Notice Rules Take Effect Sept. 23

Group health plans and other HIPAA-covered entities must notify individuals of privacy or security breaches “discovered” on or after Sept. 23, now that the U.S. Department of Health and Human Services (HHS) issued interim final breach notification rules Aug. 24 (74 Fed. Reg. 42740).

The rules implement the elaborate new requirements February’s stimulus law added to HIPAA for notifying individuals when their “unsecured” protected health information (PHI) is compromised. The rules do provide a six-month grace period: HHS will not impose penalties for breaches discovered before Feb. 22, 2010.

“These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information,” said Robinsue Frohboese, acting director of HHS’ Office for Civil Rights.

Thompson's Employer's Guide to HIPAA Privacy Requirements will provide detailed analysis of the breach notification rules and their implications for plan sponsors.

HHS developed the rules in consultation with the Federal Trade Commission (FTC), which issued similar rules Aug. 25 (74 Fed. Reg. 42962) that apply to vendors of personal health records (PHRs) and certain others not covered by HIPAA. Both the FTC and HHS rules require prompt notice — within 60 days, and sometimes sooner — to affected individuals, as well as notice to the media and respective agency in severe cases.

HHS also issued an updated version of its April guidance specifying encryption and destruction as the required methods of “securing” PHI so as to exempt it from the notification requirement in the event of a breach. The HIPAA breach notification provisions in the American Recovery and Reinvestment Act (ARRA) directed HHS to issue such guidance on the approved methods of rendering PHI “unusable, unreadable, or undecipherable to unauthorized individuals.”

Exceptions

To determine what constitutes a breach, HIPAA-covered entities and business associates must perform and document a risk assessment of the level of harm that can be caused by the impermissible use or disclosure of PHI accessed without proper authorization. In the preamble to the final rules, HHS offers several considerations for what constitutes a lesser risk of harm:

  • if the PHI is improperly disclosed to another HIPAA-covered entity or an entity covered by the Privacy Act of 1974 or the Federal Information Security Management Act of 2002;
  • if the covered entity or business associate immediately takes steps to mitigate the impermissible use or disclosure; or
  • if the PHI is returned before it can be improperly accessed.

If the type and amount of PHI in question do not pose “a substantial risk of financial, reputational, or other harm,” an unauthorized PHI disclosure is not a breach. For example, if the PHI includes only a person’s name and an indication that the individual received hospital services, the disclosure would constitute a privacy rule violation but not a breach. Nor is it a breach if PHI is:

  • unintentionally accessed by an employee or individual acting under the authority of a covered entity or business associate;
  • inadvertently disclosed from a person authorized to access PHI at a covered entity or business associate to another person with similar clearance; or
  • improperly disclosed to an unauthorized person who would not reasonably have been able to retain the information.