The Security Breach Notification Rule

Laura Gerdes Long

By Laura Gerdes Long

A security breach notification only applies to “unsecured PHI”. PHI that is not encrypted or completely destroyed is considered “unsecured” by HHS. The only way, generally, that HHS has said that PHI would be considered “secured” is if it encrypted or completely destroyed. If that is the case, then the covered entity does not need to develop internal procedures for notification of security breaches. In any event, those practices should review their existing Notice of Privacy Practices to update it with respect to the new notification rule.

WHAT IS A “BREACH” REQUIRING NOTIFICATION UNDER THE RULE?

HHS has defined “breach” to mean a use or disclosure of unsecured PHI in violation of the HIPAA Privacy Rule. As we learned when the Privacy Rule was implemented, PHI generally cannot be used or disclosed without the individual’s prior, written authorization. However, the Privacy Rule also contains a laundry list of exceptions to the general rule. Consequently, covered entities may often have to scrutinize the Privacy Rule to determine whether a breach, indeed, even occurred. Hence, a breach will only occur if the following requirements are met:

  • the information is “unsecure” PHI;
  • the information was used or disclosed in an unauthorized manner (see, HIPAA Privacy Rule); and
  • the use or disclosure poses a “significant risk of financial, reputational, or other harm to the individual”. To determine if such a harm has occurred, the covered entity must review factors such as:

(a) to whom the information was disclosed;
(b) the type of information disclosed;
(c) what steps were taken that mitigate the potential harm to the individual; and
(d) whether the use or disclosure falls under an exception listed in the statute. The exceptions are:

(i) Unintentional access by a covered entity’s or business associate’s employee. Such access must be in good faith, within the employee’s course and scope of employment and not result in further use or disclosure. HHS provided an example of a nurse mistakenly sending an e-mail with PHI to a hospital billing employee, who opened it in the normal course of business; however, the billing employee deletes the e-mail and notifies the nurse.
(ii) Inadvertent disclosure from one covered entity or business associate employee to another similarly situated employee. HHS explains that the information should not be further used and that “similarly situated” means both employees must be authorized to access the information. For example, a doctor and billing employee may be similarly situated, because they are both authorized to view PHI, but a doctor and a receptionist may not be or, for example, when a doctor inadvertently gives a patient chart to a nurse who is not responsible for the doctor’s patients.
(iii)The recipient would not reasonably have been able to retain the information. For example, a nurse gives out incorrect discharge papers, but immediately discovers the error and takes them back.

NOTIFICATION OF BREACHES

If a breach occurs, then the covered entity must notify the individual “without unreasonable delay”, but no later than 60 days after discovery of the breach. HHS notes that, if a business associate is an “agent” of the covered entity, the business associate’s discovery of the breach will be imputed to the covered entity.

If the breach involves 500 or more individuals, the covered entity must notify HHS at the same time it notifies the affected individuals. Breaches involving fewer than 500 individuals must be logged, and a log must be submitted to HHS by March 1st of the following calendar year.

There are also provisions for what needs to be done if a breach involves 500 or more individuals from an entire state or jurisdiction. Since business associates are impacted by the discovery and breach notification, covered entities should address those matters in their business associates agreements or vendor agreements, by rewriting or amending those agreements.

WHAT MUST THE NOTICE SAY?

The Notice must be written in plain language and contain five (5) subject areas:

  1. a brief description of what happened, including the date of the breach and the date the breach was discovered, if known
  2. the types of unsecured PHI involved in the breach (e.g., Social Security number, full name, date of birth, home address, account number, diagnosis)
  3. steps that affected individuals can take to reduce the risk of harm from the breach
  4. a brief description of the covered entity’s investigation, efforts to mitigate harm to affected individuals and steps taken to prevent a recurrence of breaches
  5. contact information for people to ask questions and obtain information, including a toll-free telephone number, e-mail address, website or postal address.

HHS has devised electronic notification forms on its website for submitting notice of breach to the Secretary. These requirements are in accord with the Privacy Rule that requires each covered entity to take reasonable steps to mitigate the harmful effects of an unauthorized use or disclosure of PHI.

There are also provisions for substitute notice under the HHS rules.

THE EFFECT ON STATE SECURITY BREACH NOTIFICATION LAWS

HHS has said that the HIPAA requirements do not pre-empt state notice law and that covered entities will be required to comply with both sets of laws when both are applicable. For example, where a state law requires notification within five days, HHS says notice within this period also would satisfy the new HIPAA requirements, so the two laws do not conflict. Similarly, if a state law requires additional elements be included in a notice, HHS says there would be no conflict because a covered entity could develop a notice that satisfies both laws.

STEPS FOR COVERED ENTITIES

  • Establish notice procedures for a security breach response plan
  • Implement systems for detecting a security breach
  • Maintain a breach log
  • Train workforce members on their role in responding to a security breach
  • Revise business associate agreements to address security breaches
  • Revise HIPAA policies and procedures regarding training, complaints, and sanctions, as applicable
  • Update address lists for patients and/or plan participants to reduce the number of return notices in the event of a breach.

This is only a short review of considerations. Consultation with an attorney is advised to ensure that all matters specific to your practice have been covered. If you have further questions or if you would like to set up an appointment to discuss your practice’s protected health information needs, please contact Laura Gerdes Long, Esq.


Comments are closed.