HITECH Act
What the HITECH Act means for you
Data breach rules require new procedures
Publish date: Mar 19, 2010
By: Denise L. Sanders, JD, Steven I. Kern, JD
Key Points
The Health Information Technology for Economic and Clinical Health (HITECH) Act was swept into law as part of the American Recovery and Reinvestment Act of 2009. HITECH affects many aspects of your practice’s Health Insurance Portability and Accountability Act (HIPAA) compliance and brings with it increased enforcement and more severe penalties for HIPAA violations.1 HITECH requires practices to immediately review and modify their existing HIPAA policies and procedures to incorporate the data breach rule’s requirements, and to train staff. In addition, several states have even more stringent requirements that are not pre-empted by HITECH. Your approach to compliance should include both federal and state requirements.
HITECH mandates that practices take certain actions when protected health information (PHI) has been or may have been accessed, used, or disclosed improperly, whether by negligence, accident, theft, or otherwise. PHI is individually identifiable health information that is maintained or transmitted by a practice in any form or medium, whether orally, electronically, or in writing. Practices also must maintain documentation, such as logs of qualifying breaches, for reporting to the U.S. Department of Health and Human Services (HHS). Covered entities and business associates also bear the burden of proof to establish that, where they determined that a qualifying breach occurred, all required notifications were made, as well as to defend their decision in a case in which they determined that a potential breach incident did not result in a qualifying breach and, thus, no notifications were required.
THE DATA BREACH RULE
The data breach rule requires notification to affected individuals, the HHS, and, in some cases, the media when a breach of PHI meets certain criteria. Deciding whether a qualified data breach has occurred requires significant and, to some degree, subjective analysis of the type of data breached, the risk of harm, and the number of individuals affected. The rule applies to all covered entities under HIPAA, as well as to entities that qualify as business associates of a covered entity. The rule became effective September 23, 2009, but the enforcement agency, the U.S. Office for Civil Rights, exercised its discretion not to impose sanctions for violations discovered before February 22, 2010.
A qualified data breach is an impermissible acquisition, access, use, or disclosure of “unsecured” PHI that compromises the security or privacy of the PHI and that poses a significant risk of financial, reputational, or other harm to an individual. Disclosure of date of birth, ZIP code, or certain other personal identifiers of patients alone does not constitute a breach.
If the PHI is secured, then notification is not required. Secured data are unusable, unreadable, or indecipherable to unauthorized individuals. Whether that standard has been met is determined by guidance from the HHS on technologies and methodologies. Basically, this “safe harbor” applies to two categories of secured PHI: 1) electronic PHI that meets specified standards of encryption, and 2) PHI stored or recorded on media that have been destroyed. The adoption of this safe harbor provides a significant incentive to encrypt PHI. Other security methods, such as firewalls, stringent access controls, and redaction of identifying information, without encryption, do not provide a safe harbor.
THE HARM THRESHOLD
If a breach has occurred and your PHI does not meet the safe harbor guidance, then you still need to provide notification only if the breach poses a significant risk of financial, reputational, or other harm to the individual. This is called the “harm threshold.” This threshold was established, in large part, to avoid notifying — and unnecessarily alarming — individuals that their PHI had been breached when no real damage resulted from the breach. If the unauthorized disclosure will not likely harm the affected individuals, then no notification is required. Notification is required only if there is reason to believe that the information breached was improperly disclosed in a way that would present a significant risk of identity theft. For example, an accidental disclosure to a trustworthy individual who is unlikely to use the information for improper purposes would be a far lesser risk than a disclosure resulting from someone hacking into a computer system. Similarly, the unauthorized disclosure to an unknown individual of names attached to Social Security numbers, driver’s license numbers, or financial account numbers likely would require notification, whereas disclosure of a simple list of names with no further data linked to those names generally would not require notification. Even if the disclosed information includes only names, if that list, through other methods, can be linked to other information that could result in embarrassment, discrimination, or other harm, then notification still may be required. For example, if a list of patient names is disclosed, and through other means that list can be identified as a list of patients in a mental health or infectious disease treatment center, then the disclosure may well have the potential to result in substantial harm. Whether or not notification is required, it is important that covered entities take immediate steps to mitigate harm, including taking all reasonable measures to retrieve data that have been stolen, lost, or improperly disposed of, or to shut down a computer system after a hacker intrusion. But these mitigation efforts alone will not avoid the data breach rule’s notice requirements.
THREE EXCEPTIONS
In determining whether a qualifying data breach has occurred, it is important to note three exceptions exist:
1) A breach has not occurred if a workforce member unintentionally acquires, accesses, or uses PHI but does so in good faith and within the scope of his or her authority.
2) Similarly, no breach has occurred if an authorized person inadvertently discloses PHI to another authorized person within the same entity.
In both cases (1 and 2), the information cannot be further used or disclosed in a manner that violates the privacy rule.
3) A breach has not occurred if a covered entity discloses PHI to an unauthorized recipient but the covered entity has a good-faith belief that the recipient would not have been able to retain the information.
WHEN NOTIFICATION IS REQUIRED
If a breach of unsecured PHI meets the harm threshold and is not subject to any exception, then the data breach rule’s notification requirements kick in.
Once a qualified data breach is discovered, the practice must notify all individuals whose information has been, or is reasonably believed by the practice to have been, accessed, acquired, used, or disclosed as a result of the breach. Notice must be made promptly and without unreasonable delay, but not later than 60 days after the breach is discovered.
If it is determined that misuse of the data may be imminent, then immediate notification may be warranted. Notice must be made to the individual. If the individual is deceased, then notice is made to the next of kin. Notice is made to the parent or guardian of a minor and to the personal representative of an incompetent person.
If more than 500 individuals are affected, then notice also must be made to the HHS and to prominent media outlets serving the state or jurisdiction, as appropriate to the affected area, such as providing a press release to a print or broadcast media outlet that serves the entire state when individuals across the state are affected. This notification must be done without unreasonable delay but no later than 60 days after the breach was discovered. Breaches involving fewer than 500 individuals must be included in an annual report submitted electronically to the HHS.
A breach is deemed to have been discovered on the first day on which the breach becomes known to the covered entity or, by exercising reasonable diligence, would have been known by the covered entity. A covered entity is in violation of the rule if it fails to discover a breach when reasonable diligence would have led to discovery of the breach. The rule attributes knowledge of a breach by a workforce member or other agent of the covered entity to the covered entity itself, so staff should be trained to recognize and report a data breach immediately, and business associates should not be characterized as the practice’s agent. Similar rules apply to business associates of the covered entity, with the associate providing notice directly to the covered entity.
Notwithstanding notification requirements, if a law enforcement official tells a covered entity or business associate that a notification would impede a criminal investigation or cause damage to national security, then the covered entity or business associate must delay the notification for a specified period of time.
NOTIFICATION SPECIFICS
The notice must be in plain language and include:
- dates of the breach and discovery;
- a brief description of what happened (but not detail that would allow the breach to be replicated);
- a description (but not exact detail) of the information involved, such as birth dates, Social Security account numbers, and diagnosis codes;
- steps the affected individuals should take to protect themselves;
- a brief description of the covered entity’s remedial actions (such as investigation, mitigation, protection against further breaches); and
- contact information (such as telephone, e-mail or postal address, Web site address) for individuals to gain additional information.
Notification by the covered entity must be made by first-class mail to the last known address of the affected person, or by e-mail if the individual has consented to e-mail communications with the covered entity. If you do not have sufficient or up-to-date contact information for some of the affected individuals (except when trying to notify next of kin or personal representatives), then you must provide some form of “substitute” notice — for instance, by telephone — reasonably calculated to reach the individual. In cases in which that involves 10 or more individuals, however, you must post a general notice on the covered entity’s Web site for 90 days or publish a general notice in major print or broadcast media, in either case accompanied by a toll-free number (active for 90 days) that individuals may call for more information.
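The sections above (safe harbor, the three exceptions, the harm threshold, the 60-day clock, the 500-individual threshold, and substitute notice) together form one decision procedure that an incident-response team ends up running for every suspected PHI exposure. The following Python is an added example, not code from the article or from any regulator, that encodes that procedure as a single triage function so the branches and deadlines can be checked and logged consistently. The `Incident` and `Determination` types, their field names, the exception labels, and the sample incidents are this example's own assumptions; the text says "more than 500" for HHS/media notice and "fewer than 500" for the annual report, so the exactly-500 case is resolved here by assumption as an annual-report breach.

```python
"""Triage helper for the HITECH data breach rule described in the article.

Added example (not the article's or any regulator's code). Encodes the
decision flow so an incident responder can see which notifications an
incident triggers and by when. Type and field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

NOTICE_DEADLINE_DAYS = 60          # notify without unreasonable delay, at most 60 days after discovery
HHS_MEDIA_THRESHOLD = 500          # more than 500 individuals: HHS notice now plus prominent media
SUBSTITUTE_NOTICE_THRESHOLD = 10   # 10 or more unreachable individuals: web/media notice for 90 days
SUBSTITUTE_NOTICE_DAYS = 90        # posting period and toll-free number lifetime

# Labels for the article's three exceptions (names chosen for this example).
EXCEPTION_WORKFORCE_GOOD_FAITH = "workforce_good_faith"   # exception 1
EXCEPTION_INTERNAL_AUTHORIZED = "internal_authorized"     # exception 2
EXCEPTION_COULD_NOT_RETAIN = "could_not_retain"           # exception 3


@dataclass
class Incident:
    discovered: date                  # first day known, or knowable with reasonable diligence
    individuals_affected: int
    unreachable_individuals: int = 0  # no sufficient or up-to-date contact information
    encrypted_per_hhs_guidance: bool = False
    media_destroyed: bool = False
    exception: Optional[str] = None
    further_misused: bool = False     # exceptions 1/2 fail if PHI is further used or disclosed improperly
    significant_risk_of_harm: bool = False  # outcome of the (subjective) harm analysis
    law_enforcement_hold: bool = False
    mitigated: bool = False           # retrieval, shutdown, etc.; never removes the notice duty


@dataclass
class Determination:
    qualifying_breach: bool
    reason: str
    notify_individuals: bool = False
    individual_deadline: Optional[date] = None
    hhs_notice: str = "none"          # "none" | "annual_report" | "with_individual_notice"
    notify_media: bool = False
    substitute_notice: str = "none"   # "none" | "direct_alternative" | "web_or_media_90_days"
    delayed_for_law_enforcement: bool = False


def assess(incident: Incident) -> Determination:
    """Walk the rule in the order the article presents it."""
    # Step 1: safe harbor. Secured PHI (encrypted to HHS guidance or destroyed media) is not a breach.
    if incident.encrypted_per_hhs_guidance or incident.media_destroyed:
        return Determination(False, "secured PHI (safe harbor)")
    # Step 2: the three exceptions.
    if incident.exception in (EXCEPTION_WORKFORCE_GOOD_FAITH, EXCEPTION_INTERNAL_AUTHORIZED):
        if not incident.further_misused:
            return Determination(False, "exception: " + incident.exception)
    elif incident.exception == EXCEPTION_COULD_NOT_RETAIN:
        return Determination(False, "exception: " + incident.exception)
    # Step 3: harm threshold. The analysis itself must be documented (burden of proof).
    if not incident.significant_risk_of_harm:
        return Determination(False, "below harm threshold; keep the written analysis")
    # Qualifying breach: notification duties attach regardless of mitigation.
    det = Determination(True, "qualifying breach of unsecured PHI",
                        notify_individuals=True,
                        individual_deadline=incident.discovered + timedelta(days=NOTICE_DEADLINE_DAYS))
    if incident.individuals_affected > HHS_MEDIA_THRESHOLD:
        det.hhs_notice = "with_individual_notice"
        det.notify_media = True
    else:
        det.hhs_notice = "annual_report"
    if incident.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD:
        det.substitute_notice = "web_or_media_90_days"
    elif incident.unreachable_individuals > 0:
        det.substitute_notice = "direct_alternative"   # e.g. telephone
    det.delayed_for_law_enforcement = incident.law_enforcement_hold
    return det


def annual_report_entries(dets: Iterable[Determination]) -> List[Determination]:
    """Qualifying breaches that go to HHS only in the electronic annual report."""
    return [d for d in dets if d.qualifying_breach and d.hhs_notice == "annual_report"]


def run_examples() -> Dict[str, Determination]:
    """Constructed incidents (not real cases) exercising each branch."""
    found = date(2010, 1, 5)  # constructed discovery date
    return {
        # Stolen laptop, disk encrypted per HHS guidance: safe harbor.
        "encrypted_laptop": assess(Incident(found, 1200, encrypted_per_hhs_guidance=True)),
        # Clerk opened the wrong chart in good faith, nothing further done: exception 1.
        "wrong_chart": assess(Incident(found, 1, exception=EXCEPTION_WORKFORCE_GOOD_FAITH)),
        # Bare list of names sent to a trusted referring practice: below harm threshold.
        "names_only": assess(Incident(found, 40, significant_risk_of_harm=False)),
        # Intrusion exposing names with SSNs for 2,000 patients, 25 with stale addresses.
        "server_intrusion": assess(Incident(found, 2000, unreachable_individuals=25,
                                            significant_risk_of_harm=True, mitigated=True)),
        # Lost unencrypted USB stick, 30 records, police asked for a delay.
        "lost_usb": assess(Incident(found, 30, unreachable_individuals=2,
                                    significant_risk_of_harm=True, law_enforcement_hold=True)),
    }


if __name__ == "__main__":
    for name, det in run_examples().items():
        print(name, det)
```

The order of the checks matters: the safe-harbor test comes first because secured PHI never reaches the harm analysis, and `mitigated` is deliberately ignored by `assess` because, as the article notes, mitigation does not remove the notice requirement. Every `Determination` carries a `reason` string so the result can be written to the breach log whether or not notification was required.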
1 This article details one aspect of HITECH, that dealing with data breaches. At press time, regulations that will require practices to change existing HIPAA policies are anticipated. Those regulations will address these new HITECH requirements:
- For practices maintaining electronic health records (EHRs), the right of patients to receive an accounting of disclosures that includes disclosures for treatment, payment, or healthcare operations.
- For practices maintaining EHRs, the right of patients to obtain a copy of the medical record in electronic format and to direct the practice to transmit a copy directly to a third party.
- Expanded rights of patients to restrict disclosures of PHI related to treatment, payment, and healthcare operations.
- Expanded restrictions on marketing, fundraising, and sale of PHI.
- New preferences for use of limited data sets and de-identified information.
- New emphasis on what constitutes the “minimum necessary” PHI.