Final Regs Implement HIPAA's Security Breach Rules
(Published September 10, 2009)
Interim final regulations establish the rules with which covered entities (e.g., group health plans and health care providers) and business associates (e.g., third-party administrators of health flexible spending accounts) must comply if there is a breach of the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA). The regs, which become effective September 23, 2009, also provide a 180-day grace period, so only violations that occur on or after February 22, 2010, may result in enforcement action.
Security Breaches Covered
The security breach rules apply when the security or privacy of individuals' protected health information (PHI) is breached due to an impermissible acquisition, use, or disclosure. PHI is individually identifiable health information that's transmitted or maintained in any form or medium (i.e., paper or electronic records). PHI includes employees' Social Security numbers, dates of birth, and e-mail addresses. However, not every instance of impermissible use or disclosure is a breach of HIPAA's privacy rules that would trigger the security breach rules.
- Impermissible use or disclosure of information that's not PHI isn't a breach of HIPAA's privacy rules.
- There's no breach if PHI is de-identified according to existing HIPAA guidelines — that is, it's encrypted or properly destroyed.
- Breaches that are unintentional, inadvertent, or made in good faith aren't privacy/security breaches.
Privacy breaches that don't fall into the three bulleted categories still don't trigger the security breach rules if they don't compromise the PHI's security or privacy. A breach compromises security or privacy if it poses a significant risk of financial, reputational, or other harm to the individual. To make this determination, covered entities and business associates must perform a risk analysis. The key to this risk analysis is the type and amount of PHI that's involved in the impermissible use or disclosure. If, at the end of the risk assessment, covered entities or business associates conclude that the breach was insignificant, then no breach would be considered to have occurred, and the privacy rule would not have been violated. Covered entities and business associates should document these efforts.
Notification Duties
Once a significant breach occurs, covered entities must notify the affected individuals without unreasonable delay and, in any case, no later than 60 calendar days after the breach. Business associates who experience breaches must notify covered entities, so the covered entities can notify the individuals. Covered entities and business associates are treated as having discovered the breach as of the first day on which the breach is actually known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, volunteer, trainee, or other person under the covered entity's direct control. Important: These rules don't override more restrictive state laws.
If a breach involves 500 or more residents of a state, covered entities must also notify prominent media outlets serving the state and the Department of Health and Human Services (HHS). If breaches involve fewer than 500 individuals, covered entities must keep a log of the breaches and notify HHS within 60 days after the end of each calendar year. Law enforcement agencies may make a written request to delay notification indefinitely; oral requests for delays may be honored for up to 30 days.
Individuals' notification must be written in plain language and sent by first-class mail. Alternatively, individuals may choose to receive notification electronically. If notification is returned as undeliverable, covered entities must send substitute notices that are reasonably designed to reach the individuals. If fewer than 10 notices are returned as undeliverable, covered entities must provide an alternative to written notice, such as notification by phone. If 10 or more notices are returned, covered entities must post a conspicuous notice on their home pages for 90 days, or take out conspicuous notices in major newspapers or notify broadcast outlets in the geographic area where the individuals are likely to reside.
Notification must include a brief description of what happened; a description of the types of unsecured PHI that were breached; the steps individuals should take to protect themselves; a brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; and contact procedures for individuals to ask questions or learn additional information.
What To Do Now
Covered entities and business associates should use the grace period to take the following steps.
- Train employees and others to determine and document whether there has been an impermissible use or disclosure of PHI.
- Establish risk assessment procedures.
- Ensure that they have individuals' current addresses, phone numbers, and e-mail addresses.
- Review and update service contracts, as necessary, to account for the obligations these regs impose.