CLIENT ALERT, August 2009
On August 19, 2009, the U.S. Department of Health and Human Services (HHS) issued new regulations requiring covered entities under the Health Insurance Portability and Accountability Act (HIPAA) and their business associates to notify individuals when their unsecured protected health information (PHI) is breached. See Breach Notification for Unsecured Protected Health Information, Interim Final Rule (Aug. 19, 2009), available at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf. The regulations, developed by the HHS Office of Civil Rights, also provide additional guidance regarding the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining whether PHI is “unsecured.” These breach notification rules implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). HHS developed the interim final rules in consultation with the Federal Trade Commission, which has issued companion breach notification regulations that apply to vendors of personal health records and other entities not covered by HIPAA.
The regulations require covered entities (health care providers, health plans and clearinghouses) to notify affected individuals of a breach of “unsecured” PHI within 60 days of discovery of the breach. Where a breach affects more than 500 individuals, the covered entity must also notify the HHS Secretary and the media within 60 days of discovery of the breach. Covered entities must report breaches affecting fewer than 500 individuals to the HHS Secretary on an annual basis. A business associate of a covered entity must notify the covered entity within 60 days of discovering a breach of unsecured PHI, so that the covered entity can notify affected individuals.
To determine whether disclosed PHI is “unsecured,” HHS also issued an update to its guidance, first issued on April 17, 2009, specifying encryption and destruction as the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. Covered entities that secure PHI through encryption or destruction are not required to comply with the notification requirements in the event of a breach of such information. HHS will update guidance related to encryption and destruction technologies and methodologies on an annual basis.
The interim final rule and solicitation of comments will be printed in the Federal Register on August 24, 2009. The breach notification rules are effective 30 days after publication in the Federal Register and include a 60-day public comment period. Comments can be sent electronically at http://www.regulations.gov (enter file code RIN 0991-AB56), or via regular mail to U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, S.W., Washington, D.C. 20201.
If you have any questions regarding this Client Alert or would like assistance with the submission of comments to CMS, please contact Anne M. Redman, Theresa J. Rambosek or Megan Grembowski at 206-622-5511.