The department of Health and Human Services (HHS) and the FTC have issued a new interim final rule governing health information breach notification requirements. I blogged on this issue back in March 2009, just after the stimulus package, American Recovery and Reinvestment Act of 2009 (ARRA), passed.
This rule, issued in response to ARRA, goes into effect on Wednesday. At that point, all HIPAA-covered entities and their business associates must notify individuals and HHS when personal health information has been breached. HIPAA-covered entities include health plans, health care clearinghouses, or health care providers. The rule also covers “business associates” which include billing companies, transaction companies, lawyers, accountants, managers, administrators, or anyone who handles health information on behalf of a HIPAA-covered entity.
A breach is when individually identifiable health information is acquired, used, accessed, or disclosed to an unauthorized party, in a way that compromises its security or privacy. A “breach” does not include inadvertent disclosures among employees who are normally authorized to view protected health information. A breach also does not include exposure of encrypted personal health information, for example.
When a breach occurs, the covered entity must notify victims and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach. The covered entity must notify the individual directly if possible (ie, by mail), and must also post a notice on its website if the breach involves 10 or more victims who are not directly reachable. If the breach involves more than 500 residents of a single state, the covered entity must also notify statewide media.
In certain limited circumstances a vendor might be subject to HHS and FTC notification rules. In this case, a vendor which serves the public and HIPAA-covered entities may comply with both rules by providing notice to individuals and the HIPAA-covered entity. In many instances, entities covered by this rule must also comply with applicable State notification laws. The test for pre-emption is whether the State law is “contrary,” to the federal law or whether “a covered entity could find it impossible to comply with both the State and federal requirements.”
Of course, the best way to comply with the law is to avoiding breaches altogether. The most straightforward way to avoid having a breach is to encrypt personal health information. But if a breach does occur, complying with the law is straightforward. In addition to the requirements above, the notification must include a brief description of the incident, including the following information:
- Date of the breach;
- Date of discovery;
- Description of the types of protected health information breached;
- Steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of the investigation, efforts to minimize losses and prevent future breaches;
- Contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.
Beyond that, you’ll have to minimize your losses by repairing your company’s public image, regaining your customers’ trust, and mitigating civil liability.
References: 45 CFR parts 160, 162, and 164.
Note: This article was originally published on the J.C. Neu & Associates Blog.