Interim Final Regulations published in the Federal Register on August 24, 2009 provide a framework for evaluating potential breaches of Protected Health Information (PHI) in order to determine if it is necessary to send a notification letter to the patient. While not all violations of the pre-existing HIPAA privacy regulations will result in a breach requiring notification under the new HITECH regulations, a violation of the privacy rule is a prerequisite to a breach requiring notification. Thus, determining whether or not a violation of the HIPAA regulations has occurred is the first step in evaluating a breach to determine if notification is necessary.
Threshold Finding of Harm Necessary
Under HITECH, a breach requiring notification is one which “compromises the security and privacy” of the PHI. The Department of Health and Human Services (DHHS) clarifies in the regulations that the occurrence of harm is implicit in this provision, and so a use or disclosure “which compromises the security and privacy of the PHI” is defined as one which “poses a significant risk of financial, reputational, or other harm to the individual.”
In the explanatory preamble to the regulations, DHHS identifies a number of factors to be considered in assessing the potential harm of a disclosure, including to whom the disclosure was made. It is suggested that there is less inherent risk of harm when an improper disclosure is made by one covered entity to another covered entity, as the recipient itself is bound by the same privacy obligations as the entity which disclosed the information. It is also noted that steps taken to mitigate against the potentially harmful effects of a disclosure may prevent it from being a “breach” requiring notification. For example, the covered entity may obtain satisfactory assurances that the information will not be further used or disclosed or will be destroyed.
HITECH excepts from the definition of “breach” inadvertent, good faith disclosures between employees acting within the scope of their employment, assuming no further disclosure occurs. The new regulations broaden the term “employees” to include all members of the “workforce,” as that term is defined in the Privacy Rule. This ensures that volunteers, trainees, and others who work at the covered entity but may not be employees, are covered under the exception.
The regulations also confirm that an inadvertent disclosure between or among individuals within the same “organized health care arrangement”[1] is not a breach requiring notification so long as the information is not further used or disclosed in a manner not permitted under the privacy rules.
DHHS Stands Firm on 60 Day Timeframe for Notification
HITECH mandates that when notification is required, it must not be “unreasonably delayed,” and must be given no more than sixty calendar days from discovery of the breach. Per the regulations, “discovery” occurs when the covered entity or any member of its workforce (other than the person committing the breach) knows or should know, in the exercise of reasonable diligence, of the breach. The regulations make it clear that the clock starts ticking right away upon such “discovery,” not after the entity has completed its investigation and/or analysis. Indeed, it is suggested that even notice given on the 60th day might be deemed “unreasonably delayed” if the entity knew by day 10 that notification would be required. In light of this provision, covered entities may wish to revise all business associate contracts to require immediate notification of any breaches.
Contents of Notification
The required notification must include, “to the extent possible,” a description of (1) what occurred, including the date of the breach and the date it was discovered, if known; (2) the types of PHI involved; (3) suggested steps the individual should take to protect against potential harm; (4) what the covered entity is doing to investigate the breach, mitigate any potential harm, and protect against future breaches; and (5) contact information, including a toll-free number, email address, web site, or postal address for the sender.
Summary of Analysis
Upon “discovery” of a potential breach, a covered entity should promptly determine (1) whether the occurrence constitutes an impermissible use or disclosure of PHI under the privacy rules; and if so, (2) whether the impermissible use or disclosure presents a “significant risk of financial, reputational or other harm” to the individual; and if so, (3) whether the incident falls under any of the exceptions to HITECH’s definition of breach; and (4) whether anything can be done to mitigate against any potentially harmful effects of the use or disclosure, particularly if this will negate the need for notification under the regulations. Whatever the decision, a covered entity must keep documentation justifying its decision for six years.
Training/Policy Development Remain Key
All hospitals and other health care providers that are covered entities under HIPAA are encouraged to promptly review their HIPAA policies and procedures to determine where additions and modifications are needed to address breach notification. This important new regulation must also be rolled out to the workforce in a way that conveys a message of heightened scrutiny and the need for dedicated compliance.
The effective date for these new regulations was September 23, 2009, but DHHS will not impose sanctions until February 20, 2010. Comments on the Interim Final Rule may be submitted through October 23, 2009. For more information, please contact Katherine B. Kravitz at 717-399-1533; firstname.lastname@example.org.
[1] The full definition of “organized health care arrangement” is found at 45 CFR 160.103. Generally, a hospital and its medical staff are part of an organized health care arrangement, as are the different covered entities in a health system.