As part of the American Recovery and Reinvestment Act of 2009 (P.L. 111-5), Congress implemented a number of provisions that will extensively impact the manner in which health care providers and certain of their business partners do business. Among the most significant of these is the Health Information Technology for Economic and Clinical Health (HITECH) Act, which contains sweeping new requirements for notifying and reporting about security breaches involving certain kinds of protected health information ("PHI").
On August 24, 2009, the Department of Health and Human Services ("HHS") published an Interim Final Rule regarding breach notification for unsecured PHI. HITECH defines a "breach" as the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of the PHI. Because it is an "interim" final rule, HHS is accepting comments on the rule through October 23, 2009, but the effective date of the rule is September 23, 2009.
HHS will not impose sanctions against providers who fail to provide the required notifications for breaches that are discovered before February 22, 2010, but it has stated that failure to give required notifications for breaches that occur beginning on February 22, 2010 may result in sanctions. HHS indicated that it expects providers to use this grace period to develop systems to detect breaches in order to achieve compliance with the rule.
The key points of the Interim Final Rule are as follows:
- The new breach notification provisions apply to a breach of unsecured PHI, which is PHI that is not secured through use of an HHS-approved technology or methodology and therefore can be read, used, or deciphered by an unauthorized user. To date, HHS has approved only two "technologies and methodologies" for rendering PHI secure: encryption and destruction. Specific guidelines apply to each, and redaction of confidential information is not sufficient to meet the requirements of the rule.
- Exceptions to the breach notification requirement exist for the use of a limited data set that also does not include the patient's date of birth and zip code; certain unintentional or inadvertent accesses or disclosures by workforce personnel and business associates; and disclosures where the recipient would not have reasonably been able to retain the information. Also, absent a significant risk of harm to the individual resulting from the impermissible use or disclosure, the impermissible use or disclosure does not constitute a breach.
- Business associates now must provide the covered entity with written notice of any breach.
- Providers now must provide written notice to patients and the Secretary of HHS for any breaches that occur, and, if more than 500 patients' data was involved, notification must also be made to the media.
- The time frame within which the provider must give notice of the breach is triggered by the date on which the provider discovered the breach or should have discovered the breach had it acted with reasonable diligence. A covered entity will have sixty (60) days from the date of discovery of the breach in which to notify affected patients. A notification may be delayed only upon the documented request of a law enforcement official who indicates that the notification would impede a criminal investigation or cause damage to national security.
- Providers must amend existing policies and procedures and/or implement new policies and procedures and provide training to their workforces regarding the new law.
Covered entities should implement an investigation and risk assessment process to determine whether the alleged breach is the type that must be reported; whether any exception applies; and whether the acquisition, access, use, or disclosure of the PHI in question poses a "significant risk" of financial, reputational, or other harm to the patient as a result of the impermissible use or disclosure. The investigation and any required notification all must take place within the sixty (60) day period. Covered entities should also be sure to document their analyses and their investigative process.
The most straightforward solution for avoiding breaches and the subsequent duty to notify patients, the Secretary, and the media is to encrypt all electronic protected health information. This is likely not the easiest or most cost-efficient approach, however, especially in a day and age when any number of people have access to or own devices—from cell phones and PDAs to thumb drives and servers—that contain copies of electronic PHI. Clinicians, administrators, and IT personnel will need to work together with legal counsel to craft a solution that allows appropriate access to information needed to effectively provide treatment and bill for services, while at the same time acknowledging the heightened security standards imposed by HITECH. Finally, it is important to note that the Interim Final Rule addresses only a fraction of the new or amended provisions contained in HITECH. We will continue to update our readers as additional rules are promulgated to implement this legislation.