E-Alerts

HIPAA Privacy Rule Reminder

Grace Period For HITECH Act Expires February 22, 2010, Potentially Exposing Employers To Significant Monetary Sanctions

As many employers know, the federal stimulus program enacted last year included the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, a law that imposes new obligations under the HIPAA Privacy Rule on HIPAA-covered entities such as health care providers, health plans, and health care clearinghouses, as well as on their business associates.  Among these new obligations are breach notification requirements: following a breach of unsecured protected health information (“PHI”), the affected individuals, the government, and, in some cases, the media must be notified.

In an effort to clarify these new requirements, the U.S. Department of Health and Human Services (“HHS”) released an Interim Final Rule on August 19, 2009 regarding Breach Notification for Unsecured Protected Health Information.  Although these regulations went into effect on September 23, 2009, HHS provided a compliance grace period until February 22, 2010, after which time HHS will impose sanctions for failure to provide the mandated breach notifications.

The sanctions for noncompliance can be severe.  Before the HITECH Act, civil monetary penalties for HIPAA violations were capped at $100 per violation, with a maximum penalty of $25,000 for all violations of an identical requirement or prohibition during a calendar year.  Under the HITECH Act’s tiered penalty structure, penalties now range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million for all violations of an identical requirement or prohibition during a calendar year.  The tier that applies depends on such factors as whether the violator knew (or, exercising reasonable diligence, would have known) of the violation, whether the violation resulted from willful neglect, and whether the violator corrected it promptly after discovery.

The compliance grace period has nearly expired.  Accordingly, covered entities and business associates that have not already done so must review their agreements, policies, and procedures to ensure compliance with the new notice requirements by February 22, 2010.

To assist covered entities and business associates with their compliance efforts, we have provided the following brief summary of the Interim Final Rule’s requirements.  (For additional information, please see our E-alert published in September 2009).

What Constitutes A HIPAA Breach? 

“Breach” is defined as “the acquisition, access, use, or disclosure of protected health information … which compromises the security or privacy of the protected health information.”  Only breaches of unsecured PHI trigger the notice requirements (discussed further below).  Because the definition carries several statutory exceptions, covered entities and business associates must establish well-defined procedures for determining whether a given incident is a breach at all, and must document that determination for each incident.

What Types Of HIPAA Breaches Require Notification?

Notification is required when there has been a breach of “unsecured” PHI, meaning PHI that has not been rendered “unusable, unreadable, or indecipherable” to unauthorized individuals through encryption, destruction, or both.  PHI that an entity has secured by one of these methods is not “unsecured,” so its loss or exposure does not trigger the breach notice requirements.

Encryption is defined as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key,” provided that the confidential process or key that would enable decryption has not itself been breached.  The practical caveat is that the safe harbor depends on both halves of that definition: encrypted data on a lost laptop remains “secured” only if the decryption key or passphrase was not lost or exposed along with it.  HHS’s accompanying guidance identifies the encryption processes it considers adequate by reference to National Institute of Standards and Technology (“NIST”) publications, so entities should confirm that their chosen method is consistent with that guidance rather than assuming any encryption suffices.

Destruction of PHI will have occurred when:  (a) paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise reconstructed (note that redaction is not sufficient), or (b) electronic media have been cleared, purged, or destroyed consistent with NIST’s Guidelines for Media Sanitization (Special Publication 800-88) such that the PHI cannot be retrieved.  Simply deleting files or reformatting a drive does not meet this standard.

Who Must Be Notified Of A HIPAA Breach?

Depending on the number of individuals affected by a breach of unsecured PHI, covered entities are required to notify:  (1) the individuals affected, in every case; (2) prominent media outlets serving the relevant state or jurisdiction, when the breach involves more than 500 residents of that state or jurisdiction; and (3) the HHS Secretary, without unreasonable delay for breaches affecting 500 or more individuals, and by way of an annual log submitted after the end of the calendar year for smaller breaches.  In the case of a breach of unsecured PHI by a business associate of a covered entity, it is the business associate’s duty to notify the covered entity of the breach.

When Must Notification Of A HIPAA Breach Be Given? 

Covered entities must provide notification “without unreasonable delay” following the discovery of a breach of unsecured PHI, and in no case later than sixty (60) days after discovery of the breach.  The 60-day period is an outer limit, not a target; an entity that has the information needed to notify earlier is expected to do so.  A breach is treated as “discovered” as of the first day on which the breach (a) is known to the covered entity, or (b) would have been known through the exercise of reasonable diligence to any person who is a workforce member or agent of the covered entity (other than the person committing the breach).  In other words, the clock starts when a member of the workforce should have noticed the incident, not when it reaches the compliance or legal department.  If a business associate discovers a breach, the business associate must notify the covered entity without unreasonable delay and in no case later than sixty (60) days after discovery.

What Must Be Included In The Notification? 

When notifying affected individuals of a breach, the notification must include, to the extent possible:

  • A brief description of the breach, including the fact that the breach occurred and how, the date of the breach and the date it was discovered;
  • A description of the types of unsecured PHI involved in the breach (such as the individual’s name, social security number, date of birth, etc.);
  • Steps that affected individuals should take to protect themselves from potential harm that might arise from the breach;
  • A brief description of what the covered entity is doing to:  (1) investigate the breach, (2) mitigate the harm to affected individuals, and (3) improve security to prevent similar future breaches; and
  • Contact information, which must include a toll-free telephone number, e-mail address, web site, or postal address, for affected individuals who wish to make inquiries or obtain additional information.

Notification must be in writing by first-class mail (or by e-mail if the individual has agreed to receive notification by electronic means).  If the circumstances are urgent because of possible imminent misuse of the PHI, the covered entity may also notify individuals by telephone, in addition to the required written notification.  When a business associate provides notice of a breach to a covered entity, the notice must include, to the extent possible, the identification of each individual whose unsecured PHI has been breached, and any other available information that the covered entity is required to provide to affected individuals.  Business associates must provide this information either at the time of notification or promptly thereafter as it becomes available.

Act Now

Time is quickly running out for covered entities and business associates to achieve compliance with the HHS Interim Final Rule.  Because the new regulations took effect on September 23, 2009 and have already been followed by a lengthy compliance grace period, HHS can be expected to impose its new range of monetary sanctions for failure to provide the mandated breach notifications as of February 22, 2010.

Compliance efforts should include, at a minimum:  establishing written notification procedures to be followed in the event of a breach; training all employees who may come into contact with unsecured PHI so that they can recognize and promptly report a potential breach; documenting each incident assessment, since the covered entity bears the burden of demonstrating either that all required notifications were made or that the incident did not constitute a breach; and updating business associate agreements to reflect the business associate’s own notification duties.

*  *  *

If you have any questions about compliance with the Interim Final Rule, the HITECH Act or HIPAA issues generally, please do not hesitate to contact us.