Just as medical practices nationwide may have adjusted to the requirements imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules, Congress changed the reporting duties of covered entities in the case of a breach of certain patient information. As part of the American Recovery and Reinvestment Act of 2009 (ARRA), Congress included Title XII, referred to as the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH substantially altered the reporting requirements of the HIPAA Privacy and Security Rules by requiring notification of certain breaches of unsecured protected health information (PHI) to the affected individuals, to the Department of Health and Human Services (HHS) and even to the media, should the covered entity determine that the breach meets a certain harm threshold. A covered entity includes a healthcare provider, a health plan or a healthcare clearinghouse, although breaches may result from actions taken by business associates of a covered entity.

Our firm makes it a priority to counsel its clients so that they can avoid HIPAA violations, keeping them up to date on developments under HIPAA and HITECH. Our attorneys counsel clients in training their personnel to comply with HIPAA. We can also help implement a proactive methodology to prevent HIPAA breaches before any HIPAA incident occurs, and provide analysis when an incident does occur.

HHS issued Interim Final Rules in August 2009 implementing the HITECH Act, but the Office for Civil Rights withdrew the draft rules in July 2010 to allow for further consideration and is to announce new rules at a later date. The obligation to report breaches of unsecured PHI remains in effect despite the withdrawal of the Rules. As a result, covered entities should have in place a breach notification policy with appropriate procedures to investigate, report and mitigate breaches of PHI. Several members of Congress have publicly expressed opposition to the "significant risk of harm" standard, so there is a chance that the harm threshold could be removed by HHS in the future.

In order to determine how to investigate a PHI breach that triggers a notification requirement, one must first understand the relevant terms. "PHI" means individually identifiable health information created, transmitted or maintained by a covered entity or business associate that identifies individual health information, as provided under 45 CFR §164.503. "Individually identifiable health information" is any PHI that can possibly be used to identify an individual and connect that person to the health information that is created or received by a healthcare provider, payor, employer or data clearinghouse. A "business associate" generally includes any individual or entity that is retained to perform or assist in the performance of a function or activity involving the use or disclosure of PHI, or that provides services for the covered entity where the provision of the services involves the disclosure of PHI.

A covered entity incurs notification requirements for a breach where the unauthorized acquisition, access, use or disclosure of PHI compromises its security or privacy, except when the unauthorized recipient could not reasonably have been able to retain the information. Pursuant to HHS regulations, notification is required only where the violation or breach poses a "significant risk of financial, reputational or other harm to the individual." Notification may not be necessary if a covered entity determines, after conducting a risk assessment, that the individual whose PHI was disclosed may not be harmed. When unauthorized acquisition, access, use or disclosure of PHI occurs, the burden of proof is on the provider to demonstrate that an appropriate notice analysis followed.

A risk assessment is only triggered where "unsecured PHI" is disclosed. This refers to PHI that has not been rendered unusable to unauthorized individuals.

There are exceptions and safe harbors for the unauthorized release of PHI; in certain circumstances breach notification is not required. The exceptions are: 1) where unauthorized access or use of PHI is unintentional and is made by a workforce member of a covered entity or a business associate within the scope of their job, if such acquisition, access or use was made in good faith and does not result in further unauthorized use or disclosure; and 2) inadvertent disclosure by a person with authorized access to PHI to another individual at another healthcare facility who is also authorized to access, acquire or use PHI at their facility, where the information is not further used in an impermissible manner and the individual agrees to return or destroy the PHI. The safe harbors apply when the data is encrypted (as required by HHS) and/or destroyed or rendered unretrievable, or where the PHI is rendered unidentifiable. "Limited data sets", a form of partially de-identified PHI that excludes direct identifiers such as names and addresses, are ordinarily subject to the breach notification requirement, but are excluded if they also exclude ZIP codes and dates of birth.

In the event of a suspected violation or breach, a covered entity must first determine whether any safe harbor or exception applies. If not, a risk assessment must be performed by the covered entity. The investigation must be documented, even if a decision is reached that notification is not necessary, and such documentation must be kept for six years. To conduct the investigation, the organization should assign an individual who will manage the breach investigation, complete the risk assessment and coordinate with others as required. This includes retention of legal counsel if believed necessary.

The investigator must first determine whether there has been an impermissible use or disclosure of PHI. Even if not, the incident should be documented by the organization. If there is an impermissible use or disclosure, then a risk assessment to determine whether there is significant risk of harm must occur. The risk assessment is fact specific and should consider such factors as the individual who impermissibly used or to whom the information was impermissibly disclosed; the nature and content of the PHI disclosed; whether the information was intentionally or accidentally obtained; the reason that the PHI was obtained; whether the PHI was retrieved prior to improper use; whether the information was destroyed; the likelihood the information could be misused; anything done to mitigate potential harm; and the relationship of the recipient and the patient. When analyzing the content of the PHI in particular, an investigation should consider whether personal identifiers were present; whether the social security number was disclosed; whether detailed content was disclosed or content typically considered “sensitive”; and, the age of the PHI.

The organization may also wish to contact the affected individual when it cannot reach a harm determination, to see whether that person is disturbed by the disclosure and so that the organization may apologize for the occurrence.

As part of the risk assessment, a covered entity should also prepare an investigation report. The report should include the incident name; the date of the event; the number of individuals affected; a point of contact for the covered entity; a brief summary of events and findings; the final decision by the covered entity; and the individual and/or organization responsible for the impermissible access, use or disclosure.

In addition to the investigation report, a covered entity shall maintain a process to record or log all breaches of unsecured PHI. The log should include a description of what happened; the date of the breach; the date of discovery; the patient name(s) and the number of patients affected, if known; a description of the type of PHI involved in the breach; the individual or organization that caused the breach; any action taken to mitigate the consequences and avoid recurrence; the action taken by the covered entity with regard to notification of patients; and the HHS reporting date, if applicable. An organization must provide an annual report to HHS of any breach of unsecured PHI by maintaining a log of each breach involving fewer than 500 individuals and providing that log to HHS on an annual basis, within 60 days after the end of the calendar year.

An organization should follow a consistent approach in conducting risk assessments, backed up by evidence and formal metrics and an objective description of the incident. Harm threshold assessments have been developed, such as the North Carolina Healthcare Information and Communications Alliance HITECH Act Breach Notification Risk Assessment Tool, that an organization may consult when determining whether notification is necessary. None of these tools is dispositive of the issue, but they may help a covered entity in its determination.

A breach shall be considered discovered on the date that the organization knows or should have known of the breach. Notice of a breach must be made without "unreasonable delay" and in any event no later than 60 days from the date of discovery. Each individual that may be affected by the HIPAA breach, i.e. each patient, is to be notified by first class mail at their last known address, or by electronic mail if they have consented to electronic notice. If the covered entity lacks current contact information for fewer than 10 individuals, then substitute notice may be provided.

If more than 10 individuals lack up-to-date contact information, then notice shall take the form of either a conspicuous posting on the organization's website for 90 days or a conspicuous notice in major print or broadcast media. If a reportable breach involves 500 or more individuals, the covered entity must give notice to media outlets in the area in the form of a press release. If a reportable breach affects 500 or more individuals, covered entities must also notify the Secretary without unreasonable delay and in no case later than 60 days following the breach. If, however, a reportable breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

© 2024 Peter Birzon & Associates
400 Jericho Turnpike, Suite 100, Jericho, NY 11753. Phone: (516) 942-9100