New HIPAA Requirements: Individuals Must Be Notified of Breaches of Their Health Information
This week the US Department of Health and Human Services (HHS) issued new regulations requiring entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when a breach of their health information occurs. As part of the 2009 economic stimulus legislation, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act, requiring HHS to issue breach notification rules. These new regulations are effective September 23, 2009. HHS, however, has stated in response to concerned commenters that the government will not enforce the penalties for any failure to provide proper notification for any breaches that occur prior to February 22, 2010.
The new rules require health care providers and other entities covered under HIPAA to notify affected individuals after a breach of unsecured protected health information (PHI). In addition, a business associate of a covered entity must notify the covered entity when it discovers a breach of such information so that the covered entity may take appropriate steps to notify affected individuals. According to the rules, a “breach” includes any unauthorized “acquisition, access, use or disclosure” of PHI that compromises the security or privacy of that information. However, the rules carve out several types of disclosure as exceptions to this definition. For example, it is not considered a breach if the recipient of the information would not have had enough time to retain the information.
After a breach is discovered, the covered entity must notify the affected individuals within a reasonable time, but in no case later than 60 calendar days. If the breach affects fewer than 500 individuals, the covered entity must maintain a log of the breach and subsequent notification for submission to the Secretary of HHS on an annual basis. If the breach affects more than 500 individuals, however, the covered entity must notify the Secretary of HHS immediately and inform prominent regional media of the breach.
An entity whose PHI is properly secured does not need to comply with these notification requirements when a breach occurs. To help covered entities determine when information is considered “secured,” HHS is issuing new guidance detailing the encryption and destruction methods that secure PHI properly. This guidance will specify the technologies and processes covered entities may use to ensure the PHI is unusable, unreadable or indecipherable to unauthorized individuals. HHS plans to update this guidance annually.
For more information about compliance with the HIPAA breach notification requirements, please contact the author or another Arent Fox attorney.