HHS Publishes HITECH Breach Notification Interim Final Rule

On August 24th, 2009 we finally saw the publication of interim final regulations implementing the security breach notification provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).

While the regulations appear to parallel the statutory provisions of HITECH, the process covered entities must follow before notifying a patient of certain breaches of their protected health information (PHI) is not as strict as initially feared.

For instance, under the new regulations, covered entities will still engage in a very subjective and fact-specific risk assessment before determining when to notify a patient of a breach. The regulations also provide guidance to covered entities and their business associates (BAs) relative to their mutual obligations under the new rules.

Summarized below are some key points and issues we perceive to be relevant to covered entities and business associates under the new regulations.

The Breach Rules Only Apply To “Unsecured” PHI.

Unsecured PHI is defined as PHI that has not been secured through the use of a technology or methodology specified by HHS. According to HHS guidance released in April 2009, encryption and destruction are the only two ways to secure PHI and avoid breach notification under the Act.

Click here for a link to HHS’ April 2009 “Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements”.

Fact Specific Risk Assessment.

The regulations define a “breach” as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that “compromises the security or privacy” of the PHI. A use or disclosure compromises privacy or security only if it creates “a significant risk of harm to the individual as a result of the impermissible use or disclosure.” The regulations identify a number of factors covered entities or business associates may consider during this assessment, including:

who impermissibly used the information or to whom the information was impermissibly disclosed;
steps taken to mitigate an impermissible use or disclosure (e.g., a lost or stolen laptop is returned and forensic analysis reveals that its information was not opened, altered, transferred or otherwise compromised); and
the type and amount of PHI involved.

In the event a notification is deemed necessary based on the facts, all notifications to individuals and HHS must be given without “unreasonable delay,” but no later than 60 days after discovery.

Exceptions to Breach Rule.

There are also key exceptions relative to the breach rule in situations where there is:

an unintentional acquisition, access or use of PHI;
inadvertent disclosure; or
disclosure of PHI to a person not reasonably able to retain such information.

Business Associates.

Under the new regulations, BAs must comply with the privacy and security regulations, just like covered entities. BAs must have policies and procedures documenting compliance with the privacy rule’s use and disclosure provisions and the security rule’s administrative, physical and technical safeguards requirements.

An interesting issue arises as to whether a BA is acting as an “agent” of a covered entity or as an “independent contractor,” and the breach notification time frames that apply under each scenario. If a business associate is acting as an agent of a covered entity, then the business associate’s discovery of the breach will be imputed to the covered entity. Accordingly, the covered entity will have to provide notifications to the patient and HHS based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. Conversely, if the business associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity must provide notification based on the time the business associate notifies the covered entity of the breach.

Among Other Issues, BA Agreements May Need To Be Amended To:

clearly address the agent versus independent contractor status of the BA; and
address the timing of BA notification to a covered entity following a breach.

Grace Period, Enforcement And Penalties.

Finally, the regulations account for a grace period allowance before HHS expects to begin enforcement. The regulations took effect on September 23, 2009, but HHS has delayed seeking sanctions until February 22, 2010.

The caveat to this allowance period, however, is that the regulations significantly broaden the enforcement and penalties associated with a violation. Under the new system, HHS will employ a tiered penalty system based on the mental state of the offender.

Additionally, HHS has delegated some of the enforcement mechanisms to state Attorney General offices. Effective February 18, 2009, the Michigan Attorney General can bring actions under HIPAA independently of HHS. Finally, the regulations allow for penalties to be shared with those harmed by the disclosure (though we have not seen regulations or guidance from HHS on the definition of the “harm” necessary to share in penalties).