On Aug. 24, the “Breach Notification for Unsecured Protected Health Information” regulations were published in the Federal Register. The new regulations require HIPAA covered entities, such as ambulance service providers, to notify individuals when their unsecured health information has been breached. They also require business associates, such as billing companies, to notify covered entities of any breach that they become aware of. The notification requirement applies to breaches discovered 30 days after publication of the interim final regulations in the Federal Register. Fortunately, HHS stated in the interim final rule that it will not impose sanctions for noncompliance for 180 days, to give covered entities and business associates time to establish procedures and systems and implement protected health information (PHI) safeguards.
These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). They are the first wave of regulations from HHS under ARRA. The regulations, developed by the HHS Office for Civil Rights (OCR), require covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals can be reported to HHS on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches without reasonable delay.
The full text of the Breach Notification for Unsecured Protected Health Information Interim Rule was published in the Federal Register on August 24, 2009.
Summary of Interim Final Breach Notification Rule
The general rule under the new regulations is that a covered entity must, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach. With respect to business associates, the regulations state that a business associate must, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach and provide other information to the covered entity.
Note, however, that the breach notification requirements only kick in when there is an actual breach (defined below) and when the incident involved “unsecured PHI” (defined below).
Breach
Under the new regulations, breach is defined as:
[T]he acquisition, access, use, or disclosure of protected health information in a manner not permitted under [HIPAA] which compromises the security or privacy of the protected health information.
“Compromises the security or privacy of the protected health information” means that the breach poses a significant risk of financial, reputational, or other harm to the individual. A use or disclosure of protected health information that does not include identifiers such as date of birth and zip code does not compromise the security or privacy of the protected health information (and is not considered to be a breach).
The definition of breach excludes the following; that is, none of these is a breach:
· Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under HIPAA.
· Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.
· A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Unsecured PHI
Breach notification only has to occur when there is a breach of “unsecured PHI.” Under §13402(h) of ARRA, unsecured PHI is defined as protected health information that is not secured through the use of a technology or methodology specified by the Secretary of HHS in guidance. As required by ARRA, the Secretary published guidance on April 27, 2009, listing encryption and destruction as the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals, i.e., secure. The interim final breach notification regulations incorporate the April 27, 2009 guidance by defining the term “unsecured PHI” as “protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under [the ARRA].” If covered entities and business associates follow this guidance in securing their PHI, they can avoid the breach notification requirements.
Click the following link to go to PWW’s discussion on HHS’s April 27, 2009 guidance: http://www.pwwemslaw.com/content.aspx?id=412
Breach Notification Requirements for Covered Entities
If a breach occurs, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed.
Timeliness of Notice
A covered entity must provide the notification to affected parties “without unreasonable delay” and in no case later than 60 calendar days after discovery of a breach. A breach is treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity or, by exercising reasonable diligence, would have been known to the covered entity. Furthermore, a covered entity is deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).
Content of Notice
Notice to affected parties must contain:
· A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
· A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
· Any steps individuals should take to protect themselves from potential harm resulting from the breach;
· A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
· Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.
Methods of Notice
Notice must be provided:
· By first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available.
· To the address of the next of kin or personal representative of the individual if the covered entity knows the individual is deceased.
· By a substitute form of notice reasonably calculated to reach the individual if there is insufficient or out-of-date contact information that precludes written notification to the individual.
· In urgent situations where there is possible imminent misuse of unsecured protected health information, the covered entity may provide information to affected individuals by telephone or other means, as appropriate, in addition to written notice.
Media Notice
For a breach of unsecured protected health information involving more than 500 residents of a U.S. State or jurisdiction, a covered entity must notify prominent media outlets serving the State or jurisdiction without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
Notice to HHS
Covered entities must notify the Secretary of HHS of all breaches of unsecured PHI. If the breach involves more than 500 individuals, a covered entity must provide HHS notice without unreasonable delay, and in no case later than 60 days after discovery of the breach, in the manner specified on the HHS web site. For breaches involving fewer than 500 individuals, a covered entity must maintain a log or other documentation of such breaches and must submit that list to HHS no later than 60 days after the end of each calendar year.
Breach Notification Requirements for Business Associates
A business associate must notify the covered entity of a breach after discovery. Like the definition of discovery for covered entities, a breach is treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. The same workforce rules with respect to knowledge of the breach also apply to business associates. Notification to the covered entity must occur without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The notification to the covered entity must include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. Business associates must also provide covered entities with any other available information that the covered entity is required to include in its notice to affected individuals.
Law Enforcement Delay
If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting under the new breach notification regulations would impede a criminal investigation or cause damage to national security, a covered entity or business associate must:
· If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
· If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in the preceding bullet is submitted during that time.
Administrative Requirements
Covered entities must also comply with the administrative requirements of HIPAA with respect to the new breach notification regulations.