Interim final rules (the "Rules") governing the new security breach notification requirement of the Health Insurance Portability and Accountability Act ("HIPAA"), issued by the Department of Health and Human Services ("HHS"), became effective September 23, 2009. The Rules implement provisions of the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), enacted in early 2009, requiring that covered entities (health plans and health care providers) notify individuals in certain instances in which the security of their protected health information ("PHI") has been breached. Recognizing that some time would be needed to comply with the Rules, HHS indicated it would not impose sanctions for failure to provide notification before February 22, 2010. Covered entities that have not already done so should update their privacy procedures to conform to the Rules. Covered entities and their business associates should also consider amending their business associate agreements to address the requirements of the Rules with respect to the allocation of responsibilities, the manner in which they will determine whether a breach has occurred, and additional training and notification procedures. Some key concepts relating to compliance with the Rules are set forth below.

Generally, all PHI that is "unsecured" (i.e., has not been encrypted under the standards specified in HHS guidance or completely destroyed) is subject to the Rules. A breach is deemed to have occurred if (1) unsecured PHI was used or disclosed in an unauthorized manner that poses a significant risk of financial, reputational or other harm to the individual and (2) no exception applies.

Exceptions that would prevent an incident from being considered a HIPAA breach are (1) unintentional access by a covered entity or business associate employee acting in good faith and within the course and scope of employment which does not result in any further use or disclosure, (2) inadvertent disclosure from one covered entity or business associate employee to another similarly situated employee which does not result in any further use or disclosure, and (3) access so limited that the recipient of the PHI would not reasonably have been able to retain the information.

Under the Rules the time limit for giving individuals notice of an incident that could involve a breach may vary. In every case the notice must be given without unreasonable delay; the 60-day periods described below are outer limits, not a grace period. If the incident is discovered by the covered entity or by a business associate that is treated as an "agent" of the covered entity, the notice must be given no later than 60 days following its discovery. If the incident is discovered by a business associate that is not treated as an "agent" of the covered entity, the business associate must notify the covered entity of the incident no later than 60 days following its discovery, and the covered entity would then have up to an additional 60 days, running from the date it receives that notice, within which to notify the individual.

The notice to an individual (sent to the individual's last known address, or by email if the individual has agreed to electronic notice) must be written in "plain language" and must include (1) a brief description of what happened, including the date of the incident and the date of its discovery, (2) the types of PHI that were the subject of the incident, (3) steps the individual should take to protect against potential harm resulting from the incident, (4) a brief description of the steps the covered entity is taking to investigate the incident, mitigate losses and avoid future incidents, and (5) contact information (including a toll-free telephone number, email address, website or postal address).

If it is not possible to notify an individual directly, the Rules provide that the covered entity must provide a substitute notice. If fewer than 10 individuals are involved, a substitute notice is acceptable if it is reasonably calculated to reach the individuals (such as by telephone, email or prominent posting on the covered entity's website). If 10 or more individuals are involved, the covered entity must maintain a toll-free contact number for 90 days, and the substitute notice must either (1) be posted on the covered entity's website home page for 90 days or (2) be provided in major print or broadcast media where the affected individuals are likely to reside. Apart from these substitute notice requirements, an additional notice requirement is imposed whenever an incident involves more than 500 residents of any one state. In that situation, notice (which may be in the form of a press release) must be given to "prominent media outlets" serving the state.

The Rules also require covered entities to notify HHS of breaches. If a breach involves 500 or more individuals (regardless of how many reside in any one state), the Rules require that HHS be notified (following instructions to be posted on the HHS website) by the same 60-day deadline that applies to individual notices. In all other situations, a covered entity will comply with its notification obligation to HHS by maintaining a log of breaches to be submitted to HHS within 60 days after the end of the calendar year in which the breaches were discovered (following instructions to be posted on the HHS website).

Employers are reminded that under 45 CFR Section 160.103, the term "protected health information" excludes individually identifiable health information that is in "employment records held by a covered entity in its role as an employer." The exclusion would encompass medical information which an individual gives to the employer in its capacity as an "employer." Examples might include a doctor's statement to document sick leave, information (including the Certification of a Health Care Provider) in support of a request for an FMLA leave of absence, information in support of a request for a "reasonable accommodation" under the ADA, or records of medical examinations required under IOSHA or OSHA. While this information is not considered "protected health information" under HIPAA, it does become part of an "employment record" and is therefore subject to other privacy and confidentiality obligations. If you have questions regarding HIPAA or the interim final rules governing its new security breach notification requirement, please contact Janet Huston at 515-246-4510 or jhuston@dickinsonlaw.com, Arthur Owens at 515-246-4515 or aowens@dickinsonlaw.com, or the Dickinson attorney with whom you normally work.
This alert is designed and intended for general informational purposes only, and is not intended, nor should it be construed or relied upon, as legal advice. Please consult with your attorney if specific legal information is desired.