Health Insurance Portability & Accountability Act (HIPAA)
Revisions to the HITECH Breach Notification Rule Effective September 23, 2013 – Stricter Reporting Standard Adopted
Section 13042 of the HITECH Act requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information (PHI). In some cases, the Act requires covered entities to provide notification to the media of breaches.
In the case of a breach of unsecured PHI by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary of HHS to post on the HHS website a list of covered entities that experienced breaches of unsecured PHI involving more than 500 individuals.
The HITECH Act defines “breach” to mean, generally, the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of the information. The Act includes three exceptions to the definition of “breach”.
1) Unintentional acquisition, access, or use of PHI by an employee or other person acting under the authority of the covered entity or business associate, if such acquisition, access or use was made in good faith and within the course and scope of employment or other professional relationship of such person with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed by any person;
2) Inadvertent disclosure of PHI from one person authorized to access PHI at a facility operated by a covered entity or business associate to another person similarly situated at the same facility, where the information received is not further acquired, accessed, used, or disclosed without authorization by any person;
3) Unauthorized disclosure under circumstances in which an unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information.
The term “unsecured PHI” is defined as PHI that is not secured through the use of a technology or methodology specified by the Secretary of HHS in guidance. If PHI is encrypted in accordance with recognized standards, the PHI is no longer considered to be unsecured. It is, accordingly, strongly recommended that a medical practice that maintains or stores PHI in electronic form consider encryption. The Breach Notification requirements may be very onerous, and encryption may enable a medical practice to avoid them.
The term “compromises the security or privacy of PHI” means poses a significant risk of financial, reputational, or other harm to the individual. To determine whether an impermissible use or disclosure of PHI constitutes a breach under the standard, covered entities and business associates are required to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In conducting the risk assessment, covered entities are required to consider a number or combination of factors, including who impermissibly used the information or to whom the information was impermissibly disclosed; whether the covered entity or business associate had taken steps to mitigate or eliminate the risk of harm; whether the PHI was actually accessed; and what type or amount of PHI was impermissibly used or disclosed.
The Breach Notification Revision – Language has been added to the regulations at 45 CFR 164.402 to clarify that an impermissible use or disclosure of PHI is PRESUMED to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. In other words, HHS has clarified its position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised (or one of the other exceptions to the definition of breach applies).
In conducting a risk assessment, at least the following factors should be considered to determine that there is a low probability that the PHI has been compromised:
(i) The nature and the extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the PHI or to whom the disclosure was made;
(iii) Whether the PHI was actually acquired or viewed; and
(iv) The extent to which the risk to the PHI has been mitigated.
HHS stated its concern that some covered entities may have incorrectly believed that the requirement to report a breach of PHI was subject to a higher standard. HHS stated that, by clarifying that an impermissible use or disclosure of PHI is presumed to be a breach, covered entities and business associates are put on notice of the requirement to report breaches, and that breach notification is unnecessary only if the presumption is rebutted by a demonstration by the covered entity or business associate that there is a low probability that the PHI has been compromised.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, became law on August 21, 1996, protecting the privacy of health information given the rapid evolution of health information systems.
HIPAA's Administrative Simplification provisions, sections 261 through 264 of the statute, were designed to improve the efficiency and effectiveness of the health care system by facilitating the electronic exchange of information with respect to certain financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information electronically in connection with such transactions. To implement these provisions, the statute directed HHS to adopt a suite of uniform, national standards for transactions, unique health identifiers, code sets for the data elements of the transactions, security of health information, and electronic signature.
The following links provide details of the genesis and progress of the HIPAA Regulations.
• HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information
• CMS Guidance Document on Electronic Protected Health Information
• National Provider Identifier (NPI)
The full text of the final regulations is available online from the Department of Health and Human Services at http://www.hhs.gov/ocr/hipaa/.
MSSNY wishes to thank the law firm Jenner & Block for the summary and regulatory update regarding the HIPAA Privacy Rule.