
HHS and FTC Issue Guidance Regarding HIPAA Security Breach Notification Requirements

Client Alerts • May 15, 2009

The Health Information Technology for Economic and Clinical Health Act (“HITECH”) was part of the recently enacted stimulus legislation.  HITECH made significant changes to the HIPAA Privacy and Security rules, including requirements that a HIPAA covered entity or personal health records vendor notify an individual if there has been a security breach involving an individual’s protected health information (“PHI”).  HITECH directed the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) to issue regulations mandating that certain entities not covered under HIPAA notify individuals of breaches of their individually identifiable health information.  Recently, HHS issued initial guidance on the type of PHI that will be considered “secure” and therefore, exempt from the breach notification requirements.  The FTC also issued proposed regulations that would require vendors of personal health records (“PHR”) and their related entities to notify the affected individuals and the FTC upon discovery of a breach of PHI.

Initial HHS Guidance

The HHS guidance provides two methods by which to “secure” PHI and therefore not be subject to the notification rule.  HHS indicated that its two methods are intended to be “exhaustive and not merely illustrative,” meaning that these technologies would be the only “safe harbor” methods by which the PHI would be considered secure.  The two methods are (1) encryption and (2) destruction.  If PHI is not secured by one of these methods (as described in more detail in the guidance), it is considered “unsecured” and therefore the notification requirements would apply if the PHI is breached by an unauthorized acquisition, access, use or disclosure that compromises the privacy or security of that information, excluding certain unintentional or inadvertent disclosures.

This recent guidance also requests comments on the security breach notification requirement by May 21, 2009, since HHS is required to issue regulations on this issue by August 16, 2009. The security breach notification rules will be effective 30 days after these interim final regulations are issued.

Proposed FTC Regulations

Under the FTC’s proposed regulations, vendors of PHR, third-party service providers to PHR vendors and PHR-related entities are required to provide notification to those vendors and entities following the discovery of a breach of PHI.  Once the breach is discovered, a PHR vendor or PHR-related entity must notify affected individuals.  Third-party service providers must notify the PHR vendor or PHR-related entity.  Depending on the number of individuals affected, notification to the FTC and the media also may be required.

The proposed regulations require notification of the breach without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach. The proposed regulations note that the 60-day period is an outer limit for timing purposes and that in some cases, 60 days may be unreasonable.  The proposed regulations contain four main notification requirements and provide details regarding the contents of the notice to the individual, the media, and the FTC.  The FTC is accepting comments on these proposed regulations through June 1, 2009 and intends for the regulations to be effective for breaches that are discovered on or after September 18, 2009.