Benefits Law Update
        Practical advice from Verrill attorneys

        HIPAA Breach Notification – Part I (Overview)

        by Eric D. Altholz on February 18, 2010

        The privacy provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) are designed to close a gap in the health information privacy and security framework first established under HIPAA back in 2003. The original statute and the resulting U.S. Department of Health and Human Services (HHS) rules and regulations (45 C.F.R. Parts 160 to 164) required “covered entities” (including employer-sponsored group health plans) to ensure the privacy of an individual’s “protected health information” (PHI). But neither the original statute nor the HHS regulations expressly required a covered entity to notify an affected individual about a breach of his or her privacy. The HITECH Act and subsequent HHS regulations close that gap by instituting affirmative privacy breach notification requirements. The breach notification requirements became effective September 24, 2009, but enforcement activity was officially postponed until February 22, 2010. This post will offer some general thoughts about the HIPAA breach notification rules as they relate to employer-sponsored group health plans. Future posts will consider selected elements of the rules.

        The HIPAA breach notification rules require a group health plan to: (1) determine whether a “breach” of “unsecured PHI” has occurred with respect to any individual covered by the plan; (2) notify the affected individual regarding the breach; (3) notify HHS regarding the breach; and (4) if required, provide notice to news media with respect to the breach. The plan’s privacy official must apply a combination of objective analysis and subjective judgment in order to determine whether a breach occurred and whether any of the available exceptions could apply to effectively mitigate the breach. If a breach has occurred, the plan must notify the affected individual(s) “without unreasonable delay” and in no case later than 60 calendar days following the discovery of a breach.

        The term “breach” means the unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises the security or privacy of such information and does not qualify for an exception. “Unsecured PHI” essentially means PHI that has not been encrypted or otherwise rendered indecipherable to unauthorized individuals using standards set by the Secretary of HHS. In our experience, very few employers will have both the capacity and the willingness to meet these standards.

        Importantly, the standard for the discovery of a breach is essentially a “knew or should have known” type of standard. Specifically, a breach is deemed to have become known to the plan as of the first day on which, by exercising reasonable diligence, the breach would have become known to the plan. Therefore, in order to comply with these requirements, an employer must adopt procedures that will facilitate the prompt identification of privacy breaches and allow for a fairly rapid response. Fortunately, the HHS regulations provide a very good road map for the preparation and administration of such procedures.

        One critical step in the analysis, and the one we find the most interesting, is the “risk assessment.” Under the HHS regulations, if a plan finds that a privacy breach did occur and that none of the available exceptions can apply, the plan must determine whether the disclosure of the PHI poses a significant risk of harm to the individual that is the subject of the breach. In making this determination the plan may take into account: (1) the type of PHI involved; (2) the actions taken to mitigate the potential harm resulting from the breach, and the timeliness of such actions; and (3) the likelihood of financial, reputational or other harm to the individual as a result of the breach. If the plan can reasonably determine that no significant risk of harm to the individual could result from the access, use or disclosure of unsecured PHI, the plan may appropriately determine that a breach has not occurred. It’s that last step in the analysis that is of most interest and calls for a very subjective judgment on the part of the plan. The clear suggestion is that not all PHI – even though it is worthy of protection – is created equal. Most would agree that a misdirected EOB (sent and delivered to the next door neighbor’s address) informing an individual that the costs of his expensive drug rehabilitation program will be paid for would pose a risk of significant “reputational harm.” But perhaps a misdirected EOB denying a claim for fancy orthotics (like the kind I use in my running shoes) wouldn’t be so bad. We may need to await enforcement activity or further guidance to know for sure.
