By Jeffrey D. Neuburger and Sara Krauss
Congress has been dithering over the adoption of a federal data security breach notice law for the last several years without coming to an agreement on a national standard for reporting breaches in the security of personal and financial data, but on February 17, data breach notice provisions applicable to health information were signed into law as part of the HITECH Act provisions of the massive economic stimulus legislation, H.R. 1 (111th Cong., 1st Sess. Feb. 17, 2009).
Beginning no later than September 16 of this year, “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA) will be required to give notice of breaches in the security of protected health information, and “business associates” of HIPAA-covered entities will be required to report such breaches to the covered entities. §13402(a) & (b). Currently, California and Arkansas are the only states that require that notification be given in the case of a breach in the security of medical or health insurance information.
The HIPAA Privacy Rule currently does not contain a requirement that individuals be notified in the event of such as breach. However, some covered entities interpret the existing HIPAA Privacy Rule requirement that covered entities mitigate harmful effects of uses or disclosures of health information in violation of either the Privacy Rule or the entity’s policies and procedures as suggesting that such notice be given, and many covered entities currently provide such notification.
Section 13402, “Notification in the Case of Breach,” is just one of a number of privacy-related provisions contained in Subtitle D – Privacy of the HITECH Act. The major provisions of §13402, as well as the temporary breach notification provisions applicable to vendors of personal health records in §13407, are outlined below.
What kind of information is covered?
The notification of breach provisions apply to “protected health information” (PHI) that is “unsecured.” Section 13402(a) provides that a “covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” shall notify each individual whose information has been subject to a breach.” The applicable definition provision, §13400(12), incorporates by reference the definition of “protected health information” that is currently contained in the HIPAA Privacy Rule at 45 C.F.R. § 160.103. Thus, “individually identifiable health information” as defined in the Rule that is “unsecured” is subject to the breach notification provisions.
The term “unsecured” portion of the definition is to be addressed in regulations issued by the Secretary of Health and Human Services within 180 days of the enactment of the legislation (i.e., no later than August 17, 2009 (August 16 being a Sunday)). §13402(h)(1)(A). However, the legislation goes on to define the term in the event that the required regulations are not timely issued. §13402(h)(1)(B).The “backstop” definition of the term provides that it shall mean:
protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.
What is a “breach” – ?
The term “breach” is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” §13400(1)(A).
In addition to the exception language in the above portion of the definition, there is a further exception for certain circumstances involving inadvertent acquisition, access or use of PHI by employees and agents of covered entities or business associates where the information is not further acquired, accessed, used or disclosed. §13400(1)(B)
Timing and nature of notification
Notice of the breach must be given “without unreasonable delay” and in no event later than 60 days after the date of discovery of the breach. §13402(d). Notice must be given to the individual whose PHI was subject to a breach, or to the next of kin in the case of a deceased person, to the last known address of the person or the next of kin. E-mail notice may be given only if the individual specified e-mail notice “as a preference.” §13402(e)(1).
If the contact information of an individual is insufficient or out of date, “a substitute form of notice” must be provided; if the information is insufficient or out of date for 10 or more persons, such substitute notice must be given in the media and on the Web site of the covered entity, as further provided in the Act and under regulations to be adopted by the Secretary of HHS. In a case in which “urgency” is required “because of possible imminent misuse” of unsecured PHI, the covered entity may provide notice “by telephone or other means, as appropriate.” §13402(e)(1)(C).
If the breach involves unsecured PHI of 500 or more individuals, both media notice and notice to the Secretary of HHS must be given. Covered entities must also report to the Secretary of HHS on an annual basis as to any breaches that have occurred, even if reporting to the Secretary was not otherwise required (i.e., the breach involved the unsecured PHI of less than 500 individuals). §13402(e)(3).
Similarly to most, if not all, state data security breach notification statutes, there is an exception to the timing requirement if requested by law enforcement officials. §13402(g).
Application to “business associates”
The notice provisions require a “business associate” (as such term is defined in the administrative simplification regulations promulgated under HIPAA) that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses” unsecured PHI of a covered entity to notify the covered entity in the event of a breach in the security of such information. §13402(b). The notice must include, among other things, “the identification of each individual whose unsecured protected health information” was breached. Id.
Although the HIPAA Privacy Rule and Security Rule currently mandate that covered entities include in their contracts with business associates provisions requiring that the business associate notify the covered entities of: a) uses and disclosures of protected information not provided for by its contract, and b) “security incidents” (as defined in the HIPAA Security Rule), the new law now directly imposes notification obligations on the business associate. Because the obligation on business associates to report such breaches to covered entities will now be statutory, failure to comply will be more than just a breach of contract – now business associates could be subject to civil and criminal penalties. See §13401 and §13404.
Application to “vendors of personal health records”
Section 13407 contains a separate set of “temporary” breach notification provisions that target enterprises that offer services to individuals to store their health information online as well as their service providers. The provisions reflect concerns that such vendors are not subject to the HIPAA Privacy Rule, even as the Medicare program itself is implementing programs to encourage beneficiaries to use such private services to maintain their personal health records.
These provisions are designated as “temporary” because they will lapse in the event that Congress enacts new data security breach legislation applicable to non-HIPAA entities. §13407(g).
A “vendor of personal health records” is defined in §13400(18) as “an entity, other than a covered entity [under HIPAA], that offers or maintains a personal health record.” Such vendors, as well as a list of other entities involved in providing various services related to personal health records (see §13407(a), cross-referencing entities enumerated in §13424(b)(1)(A)(ii), (iii and (iv)) are required to provide notice of a breach in the security of “unsecured PHR [i.e., “personal health record”] identifiable health information that is a personal health record maintained or offered by such vendor” or other such entity. “PHR identifiable health information” is defined as “identifiable health information” that is “provided by or on behalf of the individual” and that “identifies the individual or with respect to which there is a reasonable basis to belief that the information can be used to identify the individual.” The definition of “unsecured” will be established in the regulations to be adopted by the Secretary of HHS with respect to the provisions applicable to covered entities and business associates in §13402. See §13407(f)(3).
The notice must be provided to the individual whose information was “acquired by an unauthorized person,” as a result of a breach, as well as to the Federal Trade Commission. §13407(a)(1) & (2). A “breach of security” is defined broadly as the “acquisition of unsecured PHR identifiable health information … without the authorization of the individual.” §13407(f)(1). Violations of the data security breach provisions are defined as an unfair or deceptive act or practice under the FTC Act, and the FTC is tasked with adopting regulations and enforcing the provisions of this section. §13407(e).
With respect to preemption of state law, the HITECH Act references the provisions in the Social Security Act that set forth the general rule preempting contrary state laws, but excepting from that general rule a state law that “relates to the privacy of individually identifiable health information.” §13421(a). The HITECH Act data breach provisions themselves are contained in Subtitle D – Privacy of the Act and the legislative history is replete with references to the provisions as protective of patient privacy, so it would be difficult to argue that state data security breach laws that apply to health information do not also “relate to the privacy of health information.” Therefore, to the extent that a state security breach law similarly pertains to health information and is more protective of such information than the new federal provisions, it would appear not to be preempted by the security breach provisions in the HITECH Act, and business associates and covered entities, to the extent that they are covered by both federal and state laws, would be required to comply with both laws.
When are these provisions effective?
The effective date of the breach notification provisions depends upon when the Secretary of HHS issues implementing regulations. The legislation directs the Secretary to issue interim final regulations within 180 days of enactment of the legislation, i.e., no later than August 17, 2009. §13402(j). The notification of breach provisions (both those applicable to “covered entities” and “business associates”) as well as the temporary provisions that apply to vendors, become effective 30 days following the issuance of the regulations and apply to breaches discovered on or after that date. Under that scheme the effective date should be no later than September 16, 2009.