The Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH makes many important changes to the HIPAA privacy and security rules. While many of these changes are not effective until later years, there are important changes with immediate effective dates.
Business Associates are Now Directly Subject to the HIPAA Privacy and Security Rules
Under the prior rules, entities that provided services to a group health plan and that had access to protected health information (PHI) (called business associates) were not directly subject to the HIPAA privacy and security requirements. However, they were required to maintain the privacy of such information pursuant to business associate agreements entered into between the plan and the business associate. Under HITECH, business associates are now directly subject to many of the HIPAA privacy and security requirements.
Business associate agreements must be modified this year to include the business associate’s increased responsibilities. Plan sponsors should verify that business associates will satisfy the new HIPAA/HITECH requirements.
Covered Entities are Required to Notify Certain Individuals of a Breach of Unsecured PHI
HITECH requires covered entities to provide notification to affected individuals, the Secretary of HHS, and, in some cases, the media following the discovery of a breach of unsecured PHI.
Information Covered by These Rules
The notification rules apply to unsecured PHI. Unsecured PHI is PHI that is not secured through the use of technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. HHS issued guidance regarding what information it would consider secure for this purpose. Generally, in order to be secure, information must be encrypted under specific standards adopted by the National Institute of Standards and Technology (NSIT) or must be destroyed so it cannot be read or reconstructed. If electronic, the information must be cleared, purged, or destroyed consistent with specific NSIT standards.
Covered entities and business associates that either encrypt or destroy PHI are not required to provide notifications in the event of a breach because the information is not considered “unsecured”. In contrast, if information is not encrypted or destroyed, the information is “unsecured” and is subject to the security breach notification requirements.
Breach
A breach is an unauthorized use or disclosure of PHI that poses a significant risk of financial, reputational, or other harm to the individual. In determining whether there is a significant risk of harm to the individual, covered entities should perform a risk assessment considering a number of factors such as: who impermissibly used or to whom the information was impermissibly disclosed, the type and amount of PHI involved, and whether the risk of identifying a particular individual is so small that the use or disclosure poses no significant risk of harm to any individuals.
The following are not considered breaches:
- The unintentional access to or use of PHI by a covered entity’s or business associate’s employee if the access or use was made in good faith and within the scope of the employee’s authority and does not result in further use or disclosure.
- The inadvertent disclosure by a person who is authorized to access PHI to another person who is also authorized to access PHI at the same covered entity or business associate if the information received is not further used or disclosed in a manner that is not permitted.
- The disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.
Notification
o To Individuals
Following the discovery of a breach of unsecured PHI, a covered entity must notify the individual of the breach without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered by the covered entity. Regulations specify information that must be included in the notice and the method of notice.
o To the Media
If the breach of unsecured PHI involves more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving the state or jurisdiction. The notice must include the same information and be within the same timeframe as the notice to the individuals. It may be in the form of a press release.
o To the Secretary
A covered entity must provide notice to the Secretary of HHS in the event of a breach. If the breach involves 500 or more individuals, the covered entity must provide notice contemporaneously with notice to individuals and in the manner specified on the HHS website.
If the breach involves fewer than 500 individuals, the covered entity can wait and report this to HHS no later than 60 days after the end of the calendar year. Each covered entity should maintain a log or other documentation of the breaches occurring during the year and provide notification annually to the Secretary of these breaches in manner specified on the HHS website.
For 2009, the covered entity is only required to submit information to the Secretary for breaches occurring after September 23, 2009.
Administrative Issues
Covered entities should consider conforming all PHI storage and transmission systems so that all data is secured in a way that it is unusable, unreadable, or indecipherable to any individual who gains improper access to avoid the breach notification requirements.
In the event that the breach notification requirements apply, a covered entity must be able to identify, record, investigate, and report any breach occurring after September 23, 2009. This will require covered entities to amend HIPAA policies and procedures to describe how staff or systems will identify and handle breaches of unsecured PHI and what procedures will apply in the event of a business associate breach (e.g., how quickly the business associate will notify the covered entity of the breach), train relevant staff about the new policies and procedures, amend business associate agreements and, if applicable, amend and distribute the plan’s HIPAA privacy notice.
Varnum’s Employee Benefits team is prepared to assist plan sponsors in updating their business associate agreements and HIPAA policies and procedures to comply with these complex rules. Please contact any of our Employee Benefits attorneys for more information.