On August 24, 2009, the Department of Health and Human Services (“HHS”) issued interim final regulations mandating that covered entities under HIPAA (including group health plans) and their business associates notify affected individuals, the Secretary of HHS and, in some cases, the media following a breach of unsecured protected health information (“PHI”). The new regulations were issued to implement new requirements under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and are effective for breaches occurring on or after September 23, 2009. Covered entities should take action now to make sure they are in compliance by this deadline, although there is a transition period during which HHS will not impose sanctions for violations of the new regulations until late February 2010.
The breach notification guidance clarifies the proposed regulations issued earlier this summer, and introduces some additional requirements for covered entities. The regulations include, among other things:
- reiteration that the only acceptable methods to “secure” PHI are encryption and destruction. If PHI is secured, then an impermissible use or disclosure does not trigger the breach notification requirements. (Note that an impermissible use or disclosure still may be problematic under other HIPAA rules, but the breach notification requirements are avoided if the PHI is secured.) While many commentators wanted the inclusion of other acceptable mechanisms (like firewalls) to secure PHI, the guidance specifically notes that encryption and destruction remain the sole technologies and methodologies that meet the “safe harbor” to render PHI unusable, unreadable, or indecipherable to unauthorized individuals.
- clarification on the meaning of “breach.” The guidance makes clear that a breach of unsecured PHI occurs upon the “unauthorized acquisition, access, use, or disclosure of” PHI in a manner that is not permitted under HIPAA’s privacy rules and that compromises the security or privacy of the PHI. Further, a violation of HIPAA’s security rules does not itself constitute a potential breach under this guidance, though such a violation could lead to an impermissible disclosure in violation of HIPAA’s privacy rules.
- addition of a fact-specific “risk assessment” to determine if a breach has occurred. PHI is compromised only if the impermissible use or disclosure “poses a significant risk of financial, reputational, or other harm to the individual.” Therefore, in determining whether a breach has occurred, covered entities and business associates will need to perform a risk assessment that includes a number of factors, including who impermissibly used or to whom the information was impermissibly disclosed, and the type and amount of PHI involved. Covered entities and business associates must document all risk assessments so that they can demonstrate, if necessary, that no breach notification was required following an impermissible use or disclosure of PHI.
- requirements regarding the timing, content and method for providing notice that a breach has occurred. The regulations make clear that the covered entity, and not the business associate, has the responsibility for notifying individuals of a breach of PHI. However, covered entities and business associates will need to negotiate logistics in this regard, including the timeframe in which the business associate must notify the covered entity about a breach. The covered entity must notify affected individuals without “unreasonable delay” and no later than 60 calendar days after the discovery of the breach. The guidance indicates that in some cases waiting 60 days to issue the notice could be considered unreasonable.
- requirement that a covered entity’s workforce be trained on the new breach notification requirements and that appropriate policies and procedures be updated to reflect the new breach notification requirements. The necessary updates include the addition of a specific process for individuals to submit complaints about the covered entity’s policies and procedures regarding the breach notification process.
Immediate action is needed for compliance with these new breach notification requirements by September 23, 2009. Employer-sponsored group health plans should first examine if they currently have or can implement methodologies to “secure” PHI. Such plans also will need to develop breach notices, and establish a procedure for notifications to individuals, the Secretary of HHS, and when required, the media. In addition, employer-sponsored group health plans must revise HIPAA compliance materials and processes, including HIPAA policies and procedures, business associate agreements and training materials in order to reflect the new breach notification requirements and associated plan procedures.