On August 24, 2009, the U.S. Department of Health and Human Services published new regulations in the Federal Register that detail the obligation of covered entities to notify employees and, in some cases, the media and Secretary of Health, in the event of breaches of unsecured protected health information. These new regulations took effect September 23, 2009, although the Department will withhold enforcement action until February 22, 2010. The notification obligations were enacted as part of the stimulus plan that passed in 2009, and are contained in the Health Information Technology for Economic and Clinical Health Act (HITECH Act). These new requirements supplement existing obligations under HIPAA.
Who Needs to Comply?
These new regulations apply to all entities that qualify as “Covered Entities” under HIPAA, that is, health care providers, health plans or health care clearinghouses, and any “Business Associates” of the Covered Entities that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use or disclose unsecured (i.e., unencrypted) protected health information.
The term “Business Associates” includes, but is not limited to, entities that are involved with or perform claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or services such as legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation, or financial services on behalf of Covered Entities so long as the services provided by the Business Associates involve the use or disclosure of individually identifiable health information.
What Is Protected Health Information?
The term “protected health information” means individually identifiable health information that is transmitted or maintained through electronic or other media, but the definition specifically excludes employment records that are maintained by a Covered Entity in its capacity as employer. Accordingly, records such as FMLA requests, requests for accommodation, and other employment records containing medical information generally would not be considered protected health information.
What Must Covered Entities and Business Associates Do?
There are two sets of obligations under the new regulations: notification requirements and administrative requirements.
Notification Requirements:
Covered Entities are required to notify employees who are affected by certain breaches of unsecured protected health information. Before notification is given, however, the Covered Entity or Business Associate must investigate the breach, determine whether there has been an unauthorized use or disclosure of protected health information, and perform a risk assessment to determine whether the breach poses a significant risk of financial, reputational, or other harm to an employee (or whether an exception applies that makes notification unnecessary).
A “qualifying breach” is one that poses a significant risk of financial, reputational, or other harm to an employee, and does not fall into one of the following narrowly drawn exceptions.
The first exception applies in the event of any unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a Covered Entity or Business Associate, provided that the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in violation of HIPAA.
The second exception applies in the event of any inadvertent disclosure by a person authorized to access protected health information at a Covered Entity or Business Associate (or organized health care arrangement) to another person authorized to access protected health information at the same Covered Entity or Business Associate (or organized health care arrangement) provided that the information received through the disclosure is not further used or disclosed in violation of HIPAA.
The third exception applies in the event of any disclosure of protected health information where the Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information (i.e., the person deleted the information as soon as it was received, or mailed notices were returned as undeliverable).
In the event of a qualifying breach of unsecured protected health information that occurs on or after September 23, 2009, Covered Entities and Business Associates are required to provide written notice without unreasonable delay and no later than 60 days after the breach is discovered and determined to be a qualifying breach. The Covered Entity is required to notify affected employees directly in writing, apprising them of the nature of the breach and of the type of information that has been disclosed. The notice from the Business Associate is to be given to the Covered Entity and must identify each individual affected as well as other available information that the Covered Entity will be required to include in its notice.
Please note that – for both Covered Entities and Business Associates – a breach is deemed to be discovered either upon actual discovery or at the point when it should have been discovered through the exercise of reasonable diligence.
The regulations are very specific about how such a notice should be composed, and provide for alternative notice options if the employee cannot be found or is deceased.
Covered Entities must also record every breach (qualifying or not) in a log to be submitted annually to the Department of Health and Human Services. If there is a qualifying breach affecting 500 or more employees, the Covered Entity must immediately and directly notify the Secretary of Health. Also, if those 500 employees are in a single jurisdiction, the Covered Entity must arrange for notice to be given through local media.
Administrative Requirements:
Covered Entities and Business Associates must be able to identify and investigate breaches, perform a risk assessment, and, if required, report the breach to the individual(s) affected, the Secretary of Health, and the media (in the case of a Covered Entity) or to a Covered Entity (in the case of a Business Associate). To accomplish these requirements, Covered Entities and Business Associates are required to develop and implement policies and procedures for breach identification, assessment, and investigation, and to train their employees accordingly.
The regulations also provide that non-retaliation provisions, complaint procedures, and sanctions for non-compliance must be incorporated into the new policies and procedures. Covered Entities are required to maintain logs and documentation tracking all breaches and memorializing the steps taken in response to each. The logs must be submitted to the Department of Health and Human Services annually and must be maintained for six years.
The burden is on the Covered Entity and/or the Business Associate to prove compliance with all statutory and regulatory requirements; therefore, affected enterprises are encouraged to take the procedural and substantive aspects of these regulations seriously.
In the event that a breach occurs or if you have any questions regarding your obligations under these new regulations, please contact Melissa C. Jones at 410.752.9765 or email.