The economic stimulus bill passed this year included a number of important modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted as part of the American Recovery and Reinvestment Act of 2009, modified HIPAA’s Privacy Rule and Security Rule. One significant modification is a completely new requirement that individuals, and in some cases the media and the U.S. Department of Health and Human Services (HHS), must be notified when an individual’s unsecured protected health information is breached.

Protected Health Information, or PHI, is individually identifiable health information in any form that is created or received by a “covered entity” such as a health plan, a health care clearinghouse or a health care provider who engages in certain electronic transactions. PHI relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for that care.

The new breach notification requirements apply only to “unsecured” PHI. HITECH provides that PHI is secure and not subject to the breach notification rules if the data is encrypted according to specific standards of the National Institute of Standards and Technology (NIST) or destroyed and unable to be read or reconstructed.

Before HITECH, HIPAA did not require a covered entity to notify an individual about a breach of PHI, although some covered entities did so voluntarily. HITECH removes any discretion a covered entity once had with respect to notification about a breach of unsecured PHI. The HITECH breach notification requirements became effective Sept. 23, but enforcement is delayed until Feb. 22, 2010, to enable compliance.

When a breach occurs
HITECH requires that when a breach of unsecured PHI is discovered, the covered entity must notify every individual whose unsecured PHI has been, or is reasonably believed to have been affected. A breach is the acquisition, access, use or disclosure of PHI in a manner that violates HIPAA and that compromises the security or privacy of the PHI.

A breach will occur if four requirements are met:

  • The information is used or disclosed in a manner not authorized under HIPAA.
  • The information is unsecure.
  • The use or disclosure poses a significant risk of financial, reputational or other harm to the individual.
  • The use or disclosure does not meet the requirements of a specific exception.

Risk assessment
If an unauthorized use or disclosure of unsecured PHI occurs, a covered entity (or business associate) must engage in a risk assessment to determine if notification of the breach is required.

The risk assessment will include reviewing the facts surrounding the incident and the nature of the data involved. The covered entity (or business associate) will analyze whether the data was accessible and usable and the likelihood that the breach will actually harm the individual. As part of the assessment, the ability to mitigate harm also might be considered. The HIPAA compliance effort of a covered entity will now include the adoption of policies and procedures for conducting and documenting a risk assessment upon uses or disclosures that compromise the security or privacy of PHI.

There are three specific exceptions to the HITECH breach notification requirements:

  • Unintentional access by a covered entity or business associate’s work force that is in good faith, within the employee’s general employment functions and does not result in further use or disclosure.
  • Inadvertent disclosure from one covered entity or business associate employee to another similarly situated employee.
  • Situations in which the recipient is not able to retain the information.

Individual notice
When a reportable breach of unsecured PHI occurs, the individual whose PHI is affected must be notified within 60 days after the information is, or is reasonably believed to have been, breached. A breach is considered discovered on the first day it is known to a member of a covered entity’s work force (other than the one committing the breach) or should have been known if the covered entity exercised reasonable due diligence. A covered entity’s HIPAA compliance effort will now have to include policies and procedures for detecting and identifying breaches.

Written notice must be given to the individual at the last known address describing what occurred, including the date of the breach and date of discovery. The types of PHI involved must be identified, and steps the individual should take to protect himself from harm must be included. The notice must provide contact information and describe what the covered entity is doing to investigate the breach, mitigate harm and prevent future breaches.

Large breach-media notice/HHS notice
If a breach of PHI involves 500 or more residents of a state, the covered entity must notify prominent media outlets in that state. If the breach involves 500 or more people (regardless of the state), HHS must be notified. HHS will maintain a Web site listing details of large breaches.

Small breach-HHS notice
For breaches affecting fewer than 500 individuals, a covered entity must maintain a log documenting the breach. The breach must be sent to HHS within 60 days of the end of each calendar year.

HITECH requires covered entities and business associates to take careful look at unauthorized uses and disclosures of PHI. Implementing policies and procedures now, before a breach occurs, is essential for addressing future problems.