On August 24, 2009, the U.S. Department of Health and Human Services (DHHS) published in the Federal Register an interim final rule that requires HIPAA covered entities and business associates to notify individuals, DHHS, and, in some circumstances, the media, of breaches of information systems that result in the access, acquisition, use or disclosure of unsecured protected health information. The interim final rule is effective September 23, 2009, and comments to it are due by October 23, 2009.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which is a part of the American Recovery and Reinvestment Act of 2009 (commonly referred to as the economic stimulus package), requires DHHS to issue regulations requiring HIPAA covered entities and their business associates to provide notification of breaches of unsecured protected health information. The interim final rule sets forth what circumstances constitute a breach, provides guidance as to what comprises unsecured protected health information, and specifies in detail how notice is to be given to individuals, DHHS and the media.
Notification to Individuals
A covered entity must notify affected individuals within 60 days after discovery of a security breach, unless notification would impede a criminal investigation or cause damage to national security according to a law enforcement official. The notification must include: a description of what happened and of the types of unsecured protected health information that were involved in the breach; any steps individuals should take to protect themselves from potential harm; a description of what the covered entity is doing to solve the problem; and procedures by which individuals can contact the covered entity to ask questions about the breach. The notification must be sent by first-class mail, or by another method specified by the rule if notice by mail is not possible.
Breaches Involving More Than 500 Individuals
If the breach involves more than 500 residents of a state or jurisdiction, the covered entity must, within 60 days after discovery of the breach, notify prominent media outlets serving the state or jurisdiction. The required content of the notification to the media is the same as that of notices to individuals. The covered entity must also notify DHHS of such a breach within 60 days. Notification may be delayed if it would impede a criminal investigation or cause damage to national security according to a law enforcement official. If the breach involves fewer than 500 individuals, the covered entity must maintain a log of all breaches occurring in a calendar year and notify DHHS of such breaches within 60 days of the end of the calendar year.
Notification by Business Associates
A business associate must notify the covered entity within 60 days of the discovery of a breach unless notification would impede a criminal investigation or cause damage to national security according to a law enforcement official. The notification must identify each individual whose unsecured protected health information was accessed, acquired, used or disclosed during the breach. It must also contain all the information that the covered entity is required to include in its notices to affected individuals.
Planning for and Responding to Breaches
Covered entities must develop policies and procedures designed to ensure compliance with the new breach notification rules, train their staff members regarding such policies and procedures, and apply appropriate sanctions against staff members who fail to comply with the policies and procedures. They must also develop a process by which individuals may make complaints concerning the breach notification policies and procedures.
Covered entities and business associates are advised to contact legal counsel in the event of a suspected breach of unsecured protected health information, as the duty to notify individuals, DHHS or the media does not apply in all situations. Not every instance of unauthorized access, acquisition, use or disclosure of protected health information constitutes a security breach under the interim final rule. Rather, the disclosure must pose a significant risk of financial, reputational or other harm to the individual. The rule excludes a number of types of disclosures from the definition of “breach.” Additionally, the notification requirements apply only to “unsecured” protected health information, which is protected health information that has not been encrypted or destroyed using the technologies or methods specified by DHHS in published guidance.
For further information, please contact Michael P. Davidson or your regular Hinshaw attorney.
This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.
Hinshaw & Culbertson LLP is Pleased to Announce its 2009 Health Care Conference
Friday, November 13, 2009 9:00 a.m. to 4:00 p.m.
Hilton Lisle/Naperville 3003 Corporate West Drive Lisle, Illinois
Now in its fifth year, the conference will offer both plenary and breakout sessions. Join Senior Management, Board Members and In-House Counsel of Hospitals and Health Systems as our presenters examine and analyze current issues and strategies affecting the health care industry.
Plenary Sessions
- Health Care Reform
- Self-Disclosure
Breakout Sessions
- The Impact of Stark on Hospital/Physician Relations
- Managed Care Law
- The Medicare Provider-Based Rules and the Illinois Medicaid Dilemma
- Electronic Medical Record Stimulus Opportunities
- Updating Hospital and Physician Compliance Plans
- Hot Topics
Hinshaw & Culbertson LLP is an accredited CLE provider in Illinois. Illinois attorneys can earn 4.25 general CLE credit hours for attending the conference.
There will be a $95 non-refundable fee to attend this conference.
Register online by clicking on the following link: https://www.regonline.com/hinshawhcconference
The conference brochure will be mailed mid-September.
For more information, contact Katherine McCormack at 312-704-3329.