By: STEPHANIE S. PIERCE
We have all seen the headlines – a hospital employee leafs through a celebrity's medical record … a laptop containing patient records is unaccounted for … or patient John O. Smith's EOB is mailed to John Q. Smith. While these privacy breaches make the front page, many more incidents go unnoticed or unreported, leaving individuals affected by the breach unaware of the risk.
Earlier this year, as part of the American Recovery and Reinvestment Act, better known as the "Economic Stimulus Bill," the HIPAA privacy and security rules were expanded by the Health Information Technology for Economic and Clinical Health (or "HITECH") Act. The Act requires that individuals be notified in the event of a breach of their personal health information (PHI). The Department of Health and Human Services is periodically releasing regulations and guidance to assist HIPAA-covered entities and their business associates in complying with the Act. The most recent regulations, released August 24, 2009, further clarify the breach notification rules and are applicable to breaches occurring on or after September 23, 2009.
With the new guidance in hand, healthcare providers and other covered entities should begin to develop policies and procedures to ask certain threshold questions in order to identify and appropriately respond to a breach.
First, is there a breach at all? A "breach" is defined as "unauthorized acquisition, access, use, or disclosure of PHI." There are a few exceptions to this broad definition, including certain unintentional access by employees, some instances in which the recipient would not have been able to retain the information, or inadvertent disclosures among persons similarly authorized to access the PHI.
So what rises to the level of a breach that would require patient notification? There is no bright-line rule to follow, since there are any number of possible scenarios that could lead to a breach of PHI. The commentary to the new regulations advises covered entities to ask the following question: Does the breach pose a significant risk of financial, reputational, or other harm to the individual? As you walk through this analysis, the regulations advise you to consider all aspects of the breach. What was the nature of the information that was accessed? For example, was it only information that Ms. Jones was admitted to Hospital X for an unknown condition, or that Ms. Jones was admitted to Substance Abuse Treatment Facility Y and is receiving treatment? Have you attempted to mitigate the harm caused by the breach, such as obtaining satisfactory assurance from the recipient of the information that the information will not be further used or disclosed? Was the information accessed by or disclosed to another HIPAA-covered entity that would itself be subject to the same or similar privacy standards?
If you determine that a breach has occurred, what do you do? Providers must promptly notify the individual(s) whose PHI is involved, and in no case later than 60 days following discovery of the breach, which is the moment when you or your business associate knows or should have known of the breach. HHS cautions that, while you are permitted a reasonable time to investigate, you should not wait until Day 60 to send out notices. Written notices must be sent by first class mail or e-mail (if authorized) and, if the primary notice was ineffective, by a secondary "substitute notice" via phone, e-mail, your Web site, or a local or regional newspaper.
If your investigation reveals a major breach involving more than 500 individuals, you must issue a press release to "prominent" media outlets regarding the breach, in addition to the individual notices. You must also immediately report the breach to HHS, which will post information pertaining to the breach on its Web site. All other breaches may be logged and reported to HHS annually. It is not clear what HHS intends to do with this data, but it is not implausible to suspect that sanctions could be imposed or investigations launched against frequent offenders.
The August 24th breach notification regulations mark the second set of regulations released in connection with the HITECH Act. As the provisions of the Act continue to roll out with various effective dates, we expect to see more guidance from HHS on how to navigate the Act.
Stephanie S. Pierce, Esq., associate attorney with Miller & Martin PLLC