This is the fourth in our series of bulletins on the Department of Health and Human Services’ (HHS) HIPAA Omnibus Final Rule. In our bulletins issued on February 28, 2013 and March 18, 2013, available here, we described the major provisions of this rule and explained how the provisions of the rule that strengthen the privacy and security of protected health information (PHI) impact employer sponsored group health plans, which are covered entities under the HIPAA privacy rules. In our bulletin issued on April 4, 2013, available here, we focused on changes that will need to be made to business associate agreements under the Omnibus Final Rule. In this bulletin, we discuss the modifications to the breach notification rules made by the Omnibus Final Rule and provide health plan sponsors with information regarding the actions they must take to meet their breach notification obligations in the event of a breach of unsecured PHI.
Key Considerations for Health Plan Sponsors
- Health plan sponsors must be able to identify when a breach occurs and when breach notification is required.
- Health plan sponsors should review their procedures for evaluating potential breaches and should revise those procedures to incorporate the new “risk assessment” required under the Omnibus Final Rule.
- Health plan sponsors should review their procedures for notifying individuals, HHS, and the media (to the extent required) when a breach of unsecured PHI occurs.
- Health plan sponsors should make training workforce members about the breach notification rules a priority. Workforce members should be prepared to respond to breaches and potential breaches of unsecured PHI. A breach is treated as discovered by the covered entity on the first day a breach is known, or, by exercising reasonable diligence would have been known, to the covered entity. This standard is met if even one workforce member knows of the breach or would know of it by exercising reasonable diligence, and even if the breach is not immediately reported to the privacy officer. Discovery of the breach starts the clock ticking on the notification obligation and deadlines, which are described below.
- Health plan sponsors should review each existing business associate agreement to make sure that responsibility for breach notification is allocated between the business associate and the health plan in a manner that is appropriate based on the business associate’s role with respect to PHI and the plan sponsor’s preferences for communicating with employees.
Health plan sponsors will want to review and revise, as necessary, the following to comply with the new rules described below:
Business Associate Relationships and Agreements
Policies and Procedures
Security Assessment and Breach Notification Plan
Risk Analysis — Security
Plan Document and SPD
Notice of Privacy Practices
Individual Authorization for Use and Disclosure of PHI
What is a Breach?
In general terms, a breach is any improper use or disclosure of PHI. While HIPAA requires mitigation of any harmful effects resulting from an improper use or disclosure of PHI, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 added a notification requirement. HITECH requires covered entities to notify affected individuals, HHS and, in some cases, the media following a breach of unsecured PHI. HITECH defined “breach” as an acquisition, access, use, or disclosure of an individual’s PHI in violation of the HIPAA privacy rules, to the extent that the acquisition, access, use or disclosure compromised the security or privacy of the PHI. The HHS interim final regulations further specified that PHI was compromised if the improper use or disclosure posed a significant risk of financial, reputational, or other harm. The interim final regulations also contained four exceptions to the definition of breach, adding a regulatory exception to the three statutory exceptions.
General Definition of Breach under the Omnibus Final Rule
Under the Omnibus Final Rule, “breach” continues to be defined as an acquisition, access, use, or disclosure of PHI that both violates the HIPAA privacy rules and compromises the security or privacy of the PHI. However, the Omnibus Final Rule modifies the interim final regulations in two important ways:
- The interim final regulatory exception for an unauthorized acquisition, access, use, or disclosure of PHI contained in a limited data set from which birth dates and zip codes have been removed is eliminated.
- The risk of harm standard is eliminated and replaced with a presumption that any acquisition, access, use, or disclosure of PHI in violation of the HIPAA privacy rules constitutes a breach. However, a covered entity (such as a health plan) can overcome this presumption if it concludes following a risk assessment that there was a low risk that PHI was compromised (see “Presumption that a Breach Occurred” below).
Statutory Exceptions to “Breach”
HITECH provided three statutory exceptions to the definition of breach that are also set forth in the Omnibus Final Rule. If an improper acquisition, access, use, or disclosure of PHI falls within one of the following three exceptions, there is no breach of PHI:
- The acquisition, access, or use is unintentional and is made in good faith by a person acting under a covered entity’s (or business associate’s) authority, as long as the person was acting within the scope of his or her authority and the acquisition, access, or use does not result in a further impermissible use or disclosure of the PHI.
- The disclosure of PHI is inadvertent and is made by a person who is authorized to access PHI at a covered entity (or business associate), as long as the disclosure was made to another person within the same covered entity (or business associate) who is also authorized to access PHI, and there is no further impermissible use or disclosure of the PHI.
- The disclosure of PHI is to an unauthorized person, but the covered entity (or business associate) has a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.
The interim final regulations added a fourth exception for impermissible uses or disclosures of PHI involving only PHI in a limited data set, which is PHI from which certain identifiers are removed, provided birth dates and zip codes are also removed. The Omnibus Final Rule eliminates this exception so an impermissible use or disclosure of PHI in a limited data set will be presumed to be a breach of PHI as described below.
Presumption that a Breach Occurred
Under the Omnibus Final Rule, a breach is presumed to have occurred any time there is an acquisition, access, use, or disclosure of PHI that violates the HIPAA privacy rules (subject to the statutory exceptions outlined above).
However, a covered entity may overcome this presumption by performing a risk assessment to demonstrate that there is a low probability that the PHI has been compromised. If the covered entity chooses to conduct a risk assessment, the assessment must take into account at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
The covered entity may consider additional factors as appropriate, depending on the facts and circumstances surrounding the improper use or disclosure. After performing its risk assessment, if the covered entity determines that there is a low probability that the PHI has been compromised, there is no breach and notice is not required. If the covered entity cannot reach this conclusion and if no statutory exception applies, then the covered entity must conclude that a breach has occurred.
The Omnibus Final Rule also makes clear that a covered entity may decide not to conduct a risk assessment and may instead treat every impermissible acquisition, access, use, or disclosure of PHI as a breach.
Drinker Biddle Note: Covered entities have the burden of proof to demonstrate either that an impermissible acquisition, access, use, or disclosure of PHI did not constitute a breach, or that all required notifications (as discussed below) were provided. Covered entities should review and update their internal HIPAA privacy and security policies to include procedures for performing risk assessments, as well as procedures for documenting all risk assessments and determinations regarding whether a breach has occurred and whether notification is required.
Providing Breach Notification
Covered entities are required to notify all affected individuals when a breach of unsecured PHI is discovered (unless an exception applies or it is demonstrated through a risk assessment that there is a low probability that the PHI has been or will be compromised). Notification to HHS is also required, but the time limits for providing this notification vary depending on the number of individuals affected by the breach. In addition, covered entities may be required to report the breach to local media outlets. The Omnibus Final Rule describes in detail the specific content that is required to be included in notifications to affected individuals, HHS, and the media.
Drinker Biddle Note: Although the Omnibus Final Rule defines when a “breach” has occurred, notification is required only when the breach involves unsecured PHI. PHI is considered “unsecured” when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. HHS has issued extensive guidance on steps that can be taken to render PHI unusable, unreadable, and indecipherable.
Notification to Affected Individuals
Covered entities must notify affected individuals in writing without unreasonable delay, but in no event later than 60 calendar days, after discovery of a breach of unsecured PHI. The notice may be sent by mail or email (if the affected individual has consented to receive notices electronically). The Omnibus Final Rule also provides additional delivery methods that apply when an affected individual is deceased, and when a covered entity does not have up-to-date contact information for an affected individual.
Drinker Biddle Note: Again, a breach is deemed discovered on the first day such breach is known or by exercising reasonable diligence would have been known by any person who is a workforce member or agent of a covered entity or business associate.
Drinker Biddle Note: Please note that 60 days is an outer limit for providing the notice and is not a safe harbor. The operative standard is that the notice must be provided without unreasonable delay. Thus, based on the circumstances, a notice may be unreasonably delayed even though provided within the 60-day period.
Notification to HHS
Covered entities must notify HHS of breaches of unsecured PHI by electronically submitting a breach report form through the HHS website. If a breach of unsecured PHI affects 500 or more individuals, HHS must be notified at the same time that notice is provided to the affected individuals. For breaches of unsecured PHI that affect fewer than 500 individuals, the covered entity may keep a log of all such breaches that occur in a given year and submit a breach report form through the HHS website on annual basis, but not later than 60 days after the end of each calendar year.
Notification to the Media
When there is a breach of unsecured PHI involving more than 500 residents of a state or jurisdiction, a covered entity must notify prominent media outlets serving the state or jurisdiction. This media notification must be provided without unreasonable delay, and in no case later than 60 days after the breach is discovered.
State Law Requirements
Separate breach notification requirements may apply to a covered entity under state law. HIPAA’s breach notification laws preempt “contrary” state laws. “Contrary” in this context generally means that it is impossible to comply with both federal and state laws. As state breach notification laws are not typically contrary to the HIPAA breach notification rules, covered entities may have to comply with both laws.
Drinker Biddle Note: Covered entities should review applicable state breach notification laws and consider to what extent those laws should be incorporated into their HIPAA privacy policies and procedures.
Implications for Business Associate Agreements
If a covered entity’s business associate discovers that a breach of unsecured PHI has occurred, the Omnibus Final Rule requires the business associate to notify the covered entity without unreasonable delay, but in no event later than 60 days following the discovery of the breach. The notice must include, to the extent possible, the identification of each affected individual as well as any other information the covered entity is required to provide in its notice to individuals.
Although a covered entity is ultimately responsible for notifying affected individuals, HHS and the media (as applicable) when a breach of unsecured PHI occurs, the covered entity may want to delegate some or all of the notification responsibilities to its business associate. If a covered entity and its business associate agree that the business associate will be responsible for certain breach notification obligations, the scope of the arrangement should be clearly memorialized in the business associate agreement. In negotiating its business associate agreements, a covered entity should consider provisions such as:
- Which party determines whether a breach occurred?
- Who is responsible for sending required notices, and the related cost?
- Indemnification in the event a business associate incorrectly determines that a breach did not occur, or a business associate otherwise fails to act appropriately.
Drinker Biddle Note: Covered entities that choose to delegate breach notification responsibilities to business associates should pay close attention to how such delegation provisions are drafted to minimize the possibility that the business associate will be considered an “agent” of the covered entity. Under the Omnibus Final Rule, when a business associate acts as an agent of the covered entity, the business associate’s discovery of a breach is imputed to the covered entity, and, therefore, a covered entity could be liable for civil monetary penalties related to the business associate’s act or omission. More information about issues related to drafting business associate agreements can be found in our bulletin issued on April 4, 2013, available here.
Group health plans have until September 23, 2013 to comply with the new requirements of the Omnibus Final Rule. During the period before compliance is required, group health plans are still required to comply with the breach notification requirements of the HITECH Act and the interim final regulations.
Of course, the best course of action is to maintain adequate safeguards to prevent any breach. A recent settlement of HIPAA violations resulting in a $1.7 million payment to HHS is discussed in a separate publication, available here.