
Regs issued on HIPAA notice requirements

By: Correy Stephenson
Published: August 25, 2009


The Department of Health and Human Services issued regulations last week implementing the HIPAA breach notification requirements enacted as part of the stimulus bill earlier this year.

The American Recovery and Reinvestment Act of 2009 included changes to the Health Insurance Portability and Accountability Act, or HIPAA.

The changes require covered entities to notify affected individuals when a breach of protected health information occurs. Previously, an entity only needed to mitigate, as far as practicable, the harmful effects of an improper use or disclosure.

Under the Act, if a breach affects more than 500 people, the covered entity must report the incident to HHS and to the media; breaches that affect fewer than 500 individuals must be logged and reported to the Department on an annual basis.

Notification to individuals must be given without unreasonable delay and no later than 60 days after discovery of the breach. If the covered entity has insufficient or out-of-date contact information for 10 or more affected individuals, it must provide substitute notice by a conspicuous posting on its website or by notice in major print or broadcast media.

But questions remained for practitioners, who were waiting for the promised guidance from the HHS, said Laurie S. DuChateau, counsel at Reed Smith in Pittsburgh who practices in the tax, benefits and wealth planning group.

The HHS regulations “do two things: they clarify what the definition of a ‘breach’ is and they also go into some detail about the notification requirements when a breach occurs,” she explained.

Here is a look at some of the clarifications.

Definition of ‘breach’

The new Act defines a breach as the “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of the protected health information.”

The regulations narrow that definition, DuChateau noted, by stating that a breach occurs only if the protected health information is acquired, accessed, used or disclosed in a manner not permitted under the existing HIPAA Privacy Rule. If an access, use or disclosure is unauthorized in some other sense (for example, it violates an entity's internal policy) but is still permitted under the Privacy Rule, no reportable breach occurs.

Notice requirements

The regulations make clear that the media notice requirement is triggered only when a breach affects more than 500 residents of a single state, counted separately for each covered entity.

“That was really important,” DuChateau said.

So “if a breach occurs and affects in excess of 500 individuals in different states – like 300 people in one state and 200 in another – then the covered entity doesn’t have to go to the media,” she said.

And “if a breach occurs by a third party administrator and impacts more than 500 people but only 200 individuals of a single covered entity, for example, then the media doesn’t have to be notified.”

The new regulations do not define what constitutes a prominent media outlet for a state, but suggest that, depending on the circumstances of the breach, a covered entity could satisfy the requirement with a press release sent to a major state newspaper or to a local paper serving the affected area.

Preemption

The new regulations preempt contrary state data breach notification laws, but HHS noted that a state law is "contrary" only if a covered entity would find it impossible to comply with both the federal HIPAA requirements and the state law. Where both can be satisfied, the entity must comply with both.

‘Harm threshold’

The regulations also establish a “harm threshold,” DuChateau said, where a covered entity determines whether the notification requirements are triggered because the acquisition, access, use or disclosure of protected health information poses a significant risk of financial, reputational or other harm to an individual.

When performing that risk assessment, the entity should consider who used or obtained the information, the type and amount of information involved, and whether immediate steps were taken to eliminate or reduce the risk of harm, such as retrieving the information before it could be accessed.

“This was significant, because there are often breaches that pose no threat to an individual,” DuChateau explained.

The regs use the example of a breach where a patient’s name is released along with the name of a doctor he or she received services from.

If the doctor is a general practitioner and not an abortion clinic or a rehab facility, for example, “what is the harm to the individual?” DuChateau asked. The release of the information “may be a HIPAA violation but at the end of the day, the individual probably did not suffer financial harm or a harmed reputation.”

Data security

The notification requirements apply only to "unsecured" information, defined as protected health information that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through a technology or methodology specified by HHS. In April, HHS issued guidance identifying two such methods: encryption consistent with NIST standards, and destruction of the media on which the information is stored. Encryption only counts if the decryption key has not itself been compromised, so keys should be stored separately from the data they protect.

The regulations reinforce that guidance, DuChateau noted.

The regulations take effect on Sept. 23, 30 days after their publication in the Federal Register, although HHS said it will not impose sanctions for failure to provide notification of breaches discovered before Feb. 22, 2010, 180 days after publication.

This was the last of the guidance promised by the new Act, but DuChateau predicted that “as we start to apply these new rules, there will be lots of questions and issues that start to come up.”

– Correy E. Stephenson


© Copyright 2012 Lawyers USA. All Rights Reserved.

