Breach Notification Changes – What You Need to Know
On Thursday, January 17, 2013, the Department of Health and Human Services (HHS) released its Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule, making significant modifications to the Act’s Privacy, Security, Enforcement, and Breach Notification Rules. Troutman Sanders has analyzed these changes to HIPAA and is providing a series of summaries to help our clients understand how these changes will affect them and what they need to do to comply. This is our third e-alert in the series, which will address issues related to the Breach Notification rule. For other e-alerts published by Troutman Sanders on the HIPAA Omnibus Rule, visit our webpage.
In 2009, HHS issued an Interim Final Rule on Breach Notification. Since the publication of that Interim Final Rule, covered entities and business associates have implemented policies and procedures to detect breaches of unsecured Protected Health Information (PHI) and evaluate whether the breach posed a significant risk of financial, reputational or other harm to the individual. If it was determined that the breach did pose a significant risk of harm, then the covered entities would notify the individuals involved of the breach and undertake any other reporting required by the Interim Final Rule.
The HIPAA Omnibus Rule makes some important changes to the breach notification process, which put covered entities and business associates at greater risk of liability for breaches. Every breach is presumed to be reportable. This presumption can be rebutted based on information developed in an investigation. Importantly, it is the responsibility of the covered entity to refute this presumption and maintain any documentation that supports the covered entity’s position that the breach is not reportable.
There is also a very different standard to be used in determining that a breach is not reportable. Unlike the Interim Final Rule’s “risk of harm” standard, the HIPAA Omnibus Rule adopts a “low probability of compromise” standard. Under the new standard, all impermissible uses and disclosures of unsecured PHI must be reported to the individual and the Secretary of HHS unless the covered entity can demonstrate a “low probability that PHI was compromised.” The HIPAA Omnibus Rule requires covered entities or business associates to evaluate the following four factors in their risk analysis:
- The nature and extent of the protected health information involved in the breach, including the types of identifiers and the likelihood of re-identification;
- The identity of the person who impermissibly used the protected health information or to whom the impermissible disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk associated with the impermissible use or disclosure of the protected health information has been mitigated.
This risk analysis must be performed on a case-by-case basis for each and every impermissible use and disclosure of PHI, including limited data sets. Importantly, the Omnibus Rule makes a significant change in removing the exception for limited data sets which lack birth dates and zip codes. This means that covered entities that experience a breach of limited data sets without birth dates and zip codes will have to perform the risk analysis described above.
The burden is on the covered entity or the business associate to provide documentation showing that the release of PHI is either: (i) not a breach; or (ii) that a breach is not reportable because there is a “low probability” that PHI was compromised. The HIPAA Omnibus Rule emphasizes that even if there is a low probability the data was compromised, covered entities should maintain all data and information related to that determination. For instance, breaches of secured PHI are not reportable. Nevertheless, covered entities and business associates need to retain documentation about these breaches and the fact that they involved secured PHI.
The HIPAA Omnibus Rule promises that HHS will release further guidance on the evaluation of the factors for assessing the probability of compromise. Until that time, all covered entities should evaluate their established policies and procedures for handling breaches and determine what steps are needed to come into compliance with these new, mandatory requirements.
Required Notifications
The HIPAA Omnibus Rule adopts the notification requirements from the 2009 Interim Final Rule in their entirety, with a few clarifications. For your convenience, we have included a summary of those requirements here.
- Notifying Individuals. For all breaches of unsecured PHI, the covered entity must notify the individual whose PHI was breached “without reasonable delay,” but in no case more than 60 days after the covered entity knows or should have known about the breach. The notification must include a description of the breach, the breached data, and the covered entity’s plan for remedying and mitigating the breach; recommended actions for the individual to take to mitigate any potential harm; and contact information should the individual have questions.
Generally, the notice must be sent to the individual through first class mail or email (if the individual has indicated in writing that email is preferred). If the contact information is wrong or out-of-date, the covered entity may use the following substitute notice procedures. If there were fewer than 10 individuals for whom the covered entity did not have the right contact information, the covered entity has flexibility to determine the manner of notice, as long as it is calculated to reach that person. The HIPAA Omnibus Rule mentions telephone, alternative written notice, email (where it was not preferred), and a website posting. If there were more than 10 individuals for whom the covered entity did not have the right contact information, the covered entity must post a notice to its website or provide notice to a newspaper or broadcast network for distribution in that area. In an emergency, the covered entity may telephone the individuals, but must mail or email a written notice as well.
- Media Notification Required. For breaches that affect more than 500 individuals in the same State or jurisdiction, a prominent media outlet must be notified of the breach, and the notice must contain all of the same information as in the individual notification.
- Notification to the Secretary of HHS. The Secretary has to be notified of all breaches that require reporting, although the timing differs depending on the scope of the breach. For breaches involving fewer than 500 individuals, a covered entity must keep a log of these events and report them annually to the Secretary. This annual report must be filed within 60 days following the end of the year and should include all reportable breaches that were discovered in the prior year. For any breach affecting more than 500 individuals, the Secretary must be notified immediately, which HHS defines as concurrent with individual notification.
- Business Associates. All of the above notification requirements create duties for the covered entity, but the HIPAA Omnibus Rule also adopted duties for business associates. Although business associates are not required to notify affected individuals where they themselves have created a breach, business associates have a duty to notify the covered entities whose information was breached. The business associate must provide the identity of the individuals, as well as any information the covered entity would be required to include in a notification itself. If the covered entity and the business associate so choose, they may contract in their business associate agreement for a delegation of the notification responsibilities to the business associate. The HIPAA Omnibus Rule urges the parties to evaluate their particular circumstances and determine which of the two would have better access to the information needed for a notification.
Importantly, if the business associate is acting as an agent of the covered entity, the covered entity is deemed to have knowledge of the breach as soon as the business associate discovers it and not when it is notified by the business associate. As a result, it is critically important that covered entities evaluate the timeframe that is included in their Business Associate Agreements for their business associates to notify them of a breach to make sure that it will give the covered entity time to respond within the 60 day notification period.
Enforcement and Penalties
The HIPAA Omnibus Rule enhances the penalties that covered entities and business associates face for both breaches and failure to comply with the Breach Notification Rule. The Office for Civil Rights (OCR) can assess a monetary penalty for failures to comply with the Breach Notification Rule. In addition, OCR has the authority to assess penalties for the impermissible uses or disclosures that are reported to the Secretary in accordance with the Breach Notification Rule. Look for a future Troutman Sanders e-alert on the new enforcement provisions in the HIPAA Omnibus Rule.
The enhanced penalties are consistent with HHS’ overall position that it will require stricter compliance with HIPAA and levy greater penalties on those who fail to comply. As a result, it is crucial that covered entities and business associates ensure that their internal policies and procedures incorporate the requirements of the new risk analysis, that they document each and every potential breach they review, and that they undertake all required notifications in a timely manner.
If you have any questions, please do not hesitate to contact any member of our Health Care Practice Group.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.