HIPAA was amended in 2009 to require notification by
covered entities and their business associates of breaches of unsecured
protected health information (UPHI) (42 USC 17932). If a covered entity discovers
that UPHI that it accesses, maintains, retains, modifies,
records, stores, destroys, or otherwise holds, uses, or discloses
has been breached, the entity must notify each individual whose UPHI
has been, or is reasonably believed by the entity to have been, accessed,
acquired, or disclosed as a result of the breach. A business associate
of a covered entity that accesses, maintains, retains, modifies, records,
stores, destroys, or otherwise holds, uses, or discloses UPHI must
notify the covered entity if the business associate discovers such
a breach of the privacy of the UPHI. The notice must identify each
individual whose UPHI has been, or is reasonably believed by the business
associate to have been, accessed, acquired, or disclosed during such
breach.
“Breach” defined. The term “breach”
means the unauthorized acquisition, access, use, or disclosure of
PHI that compromises the security or privacy of such information (45 CFR 164.402).
Exceptions. A breach does not include
the following:
• Any unintentional acquisition, access, or use of PHI
by a workforce member or person acting under the authority of a covered
entity or a business associate, if such acquisition, access, or use
was made in good faith and within the scope of authority and does
not result in further impermissible use or disclosure;
• Any inadvertent disclosure by a person who is authorized
to access PHI at a covered entity or business associate to another
person authorized to access PHI at the same covered entity or business
associate, or at an organized healthcare arrangement in which the covered
entity participates, if the information received as a result of such
disclosure is not further impermissibly used or disclosed; or
• A disclosure of PHI where a covered entity or business
associate has a good-faith belief that an unauthorized person to whom
the disclosure was made would not reasonably have been able to retain
such information (45 CFR 164.402).
An acquisition, access, use, or disclosure of PHI in
an impermissible manner is presumed to be a breach unless the covered
entity or business associate, as applicable, demonstrates that there
is a low probability that the PHI has been compromised based on a
risk assessment of at least the following factors:
• The nature and extent of the PHI involved, including
the types of identifiers and the likelihood of reidentification;
• The unauthorized person who used the PHI or to whom the
disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.
The regulations also note that UPHI means PHI that is
not rendered unusable, unreadable, or indecipherable to unauthorized
persons through the use of a technology or methodology specified by
HHS guidance.
Securing PHI. The HITECH Act requires
the HHS to issue (and annually update) guidance specifying the technologies
and methodologies that render PHI unusable, unreadable, or indecipherable
to unauthorized individuals. While covered entities and business associates
are not required to follow the guidance, the specified technologies
and methodologies, if used, create the functional equivalent of a
safe harbor and, thus, result in covered entities and business associates
not being required to provide the notification otherwise required
in the event of a breach. Adherence to this guidance does not, however,
relieve covered entities and business associates of any other federal and
state statutory and regulatory obligations that may apply following
a breach of PHI, such as state breach notification requirements, if
applicable, or of the obligation of covered entities to mitigate,
to the extent practicable, any harmful effect that is known to the
covered entity as a result of a breach of PHI by the covered entity
or business associate.
Technologies and methodologies that make PHI
unusable, unreadable, or indecipherable. HHS guidance
provides that PHI is rendered unusable, unreadable, or indecipherable
to unauthorized individuals only if one or more of the following applies:
• Electronic PHI has been encrypted as specified in the
HIPAA Security Rule by “the use of an algorithmic process to transform
data into a form in which there is a low probability of assigning
meaning without use of a confidential process or key,” and such confidential
process or key that might enable decryption has not been breached.
If encryption is used, the encryption keys must be stored on a separate
device from the information being encrypted or decrypted.
• Paper, film, or other hard-copy media on which the PHI
is stored or recorded have been shredded or destroyed so that the
PHI cannot be read or otherwise reconstructed. (Redaction, in lieu
of destruction, is not acceptable.)
• Electronic media have been cleared, purged, or destroyed
consistent with National Institute of Standards and Technology (NIST)
Special Publication 800-88, Guidelines for Media Sanitization, so
that the PHI cannot be retrieved.
Notice requirements. A breach is
to be treated as discovered by a covered entity or by a business associate
as of the first day on which the breach is known by any person, other
than the individual committing the breach, who is an employee, officer,
or other agent of the entity or associate, or should reasonably have
been known to such entity or associate to have occurred (42 USC 17932 and 45 CFR
164.404). Notifications must be made without unreasonable delay
and in no case later than 60 calendar days after the discovery of
a breach by the covered entity or business associate involved.
The covered entity or business associate involved will
have to prove that all notifications were made as required, including
evidence demonstrating the necessity of any delay.
How to provide notice. Notices to
be provided to an individual, with respect to a breach, must be provided
promptly and in writing by first-class mail to the individual at the
last known address of the individual or, if specified as a preference
by the individual, by e-mail. If the covered entity knows the individual
is deceased and has the address of the next of kin or personal representative
of the individual, written notification must be sent by first-class
mail to either the next of kin or personal representative. The notification
may be provided in one or more mailings as information becomes available.
Substitute notice. If the contact
information for an individual is insufficient or out of date, substitute
notice may be provided.
If there is insufficient or out-of-date contact information
for fewer than 10 individuals, a substitute notice may be provided
by an alternative form of written notice, telephone, or other means
(45 CFR 164.404).
If there is insufficient or out-of-date contact information
for 10 or more individuals, the substitute notice must be made by
a conspicuous posting for a period of 90 days on the home page of
the website of the covered entity or a conspicuous notice in major
print or broadcast media in geographic areas where the individuals
affected by the breach likely reside. This notice must include a toll-free
phone number that remains active for at least 90 days with which an
individual can learn whether the individual’s unsecured PHI may be
included in the breach.
Urgent notice. If the covered entity
involved expects the possible imminent misuse of the UPHI, the entity,
in addition to the written notice, may provide information to individuals
by telephone or other appropriate means.
Media notice. Notice must be provided
to prominent media outlets serving a state or jurisdiction without
unreasonable delay and in no case later than 60 days after the discovery
of a breach involving UPHI of more than 500 residents of the same
state or jurisdiction (45 CFR 164.406). Media notification
supplements, but does not replace, individual notification.
Notice to HHS. Notice must be provided
to the HHS by covered entities when UPHI has been acquired or disclosed
because of a privacy breach. If the breach involved 500 or more individuals,
the notice must be provided immediately. If the breach involved fewer
than 500 individuals, the covered entity may maintain a log of breaches
discovered during the preceding calendar year and annually submit
the log to the HHS (45 CFR 164.408).
Notice content. Regardless of how
the notice of a breach is provided to individuals, the notice must
include, to the extent possible, the following:
• A brief description of what happened, including the date
of the breach and the date of the discovery of the breach, if known;
• A description of the types of UPHI that were involved
(such as whether full names, Social Security numbers, dates of birth,
home addresses, account numbers, or disability codes were involved);
• The steps individuals should take to protect themselves
from potential harm resulting from the breach;
• A brief description of what the covered entity is doing
to investigate the breach, to mitigate losses, and to protect against
any further breaches; and
• Contact procedures for individuals to ask questions or
learn additional information, including a toll-free telephone number,
an e-mail address, a website, or a postal address (42 USC 17932 and 45 CFR 164.404).
Note: If a law enforcement official
determines that a notification, notice, or posting required would
impede a criminal investigation or cause damage to national security,
the notification, notice, or posting may be delayed.
Business associates. A business
associate that discovers a breach of UPHI must notify the covered
entity of such breach (45 CFR 164.410). A breach is treated as discovered
by a business associate as of the first day on which it is known to
the business associate or, by exercising reasonable diligence, would
have been known to the business associate. A business associate will
be deemed to have knowledge of a breach if the breach is known, or
by exercising reasonable diligence would have been known, to any person,
other than the person committing the breach, who is an employee, officer,
or other agent of the business associate.
A business associate must provide the notification required
without unreasonable delay and in no case later than 60 calendar days
after discovery of a breach. The notification is to include, to the
extent possible, the identification of each individual whose UPHI
has been, or is reasonably believed by the business associate to have
been, accessed, acquired, used, or disclosed during the breach. A
business associate must also provide the covered entity with any other
available information that the covered entity is required to include
in notification to the individual at the time of the notification
or promptly thereafter as the information becomes available.