HIPAA / HITECH
HIPAA has added some new requirements for employers, plan service
providers and anyone who touches protected health information (PHI). As part of
the American Recovery and Reinvestment Act of 2009 (ARRA), the Health
Information Technology for Economic and Clinical Health Act (HITECH) outlines
new breach notification requirements. These new notification guidelines are
briefly outlined below:
The best course of action is to have protections in place for PHI so that it
is not considered unsecured PHI. These protections must be within the
guidelines provided.
EBC believes that, to ensure that your Business Associates are in
compliance with the HITECH requirements, a new Business Associate Agreement
should be signed. This process will prompt both the Plan and its Business
Associates to review their policies & procedures and to incorporate the
security breach requirements into those policies & procedures.
In the following pages, further explanation is given of the terms
used and the requirements of HITECH.
For additional information, go to: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
Steps to be taken
If a security breach involving unsecured PHI occurs, specific notifications are
To qualify as a breach that requires notification, there must be significant
risk of harm to the individual. Facts and circumstances of the breach will
determine the risk.
If a breach of unsecured PHI occurs, covered entities must provide notification
of the breach to affected individuals, the Secretary of HHS and, in certain
circumstances, to the media.
Business Associates must notify the covered entities of any security breach of
Covered entities and Business Associates must have in place written policies
and procedures regarding breach detection & notification, must train
employees on these policies and procedures, and must develop and apply
appropriate sanctions against workforce members who do not comply with these
policies and procedures.
Explanation of Terms
A breach is, generally, an impermissible use or disclosure under the
Privacy Rule that compromises the security or privacy of the protected health
information such that the use or disclosure poses a significant risk of
financial, reputational, or other harm to the affected individual.
There are three exceptions to the definition of “breach”; they are described under Breach Notification Requirements below.
Do a risk-based assessment: The first step should be to conduct a
thorough, risk-based assessment of practices related to your PHI assets and
their lifecycle. This includes creating an accurate inventory of the PII/PHI
data you hold and all internal and external workflows where the information is
used. It should identify PHI-specific risks in your IT systems but also in your
organizational policies and processes. Finally, it should identify all business
associates that have access to PHI for which you are responsible.
Secure PHI, per guidelines: With your risk-based assessment and PHI
inventory in hand, you must ensure that this information is "secured" through a
technology or methodology specified by the Secretary of Health and Human
Services (HHS) pursuant to the HITECH Act.
Address Contracts and Processes: The HITECH Act requires contracts with
your business associates to authorize and define their use of the PHI that is
shared with them.
Plan for Breach Detection: Under the HITECH Act, you must provide
notification when PHI in any form is breached, not just electronic records.
Under the new rules, a breach is officially discovered on "the first day it is
known, or should reasonably have been known." Failure to detect a breach
can trigger penalties up to $1.5M. To ensure early breach detection,
aggressive, ongoing monitoring programs should be in place.
Plan for Breach Response: Under HITECH, notification requirements are
more specific, and notification is required even for small-scale data breaches.
You must also maintain meticulous records of all breach incidents. To meet
HITECH requirements, a detailed breach response plan should be in place.
Unsecured Protected Health Information (PHI)
Unsecured protected health information is protected health
information that has not been rendered unusable, unreadable, or indecipherable
to unauthorized individuals through the use of a technology or methodology
specified by the Secretary in guidance (see 'Guidance to Render Unsecured
Protected Health Information Unusable, Unreadable, or Indecipherable to
Unauthorized Individuals' below).
Covered entities and business associates, as well as entities
regulated by the FTC regulations, that secure information as specified by the
guidance are relieved from providing notifications following the breach of such
Breach Notification Requirements
Following a breach of unsecured protected health information, covered
entities must provide notification of the breach to affected individuals, the
Secretary, and, in certain circumstances, to the media. In addition, business
associates must notify covered entities that a breach has occurred.
The first exception applies to the unintentional acquisition, access, or use of
protected health information by a workforce member acting under the authority
of a covered entity or business associate. The information cannot be further
used or disclosed in a manner not permitted by the Privacy Rule.
The second exception applies to the inadvertent disclosure of protected health
information from a person authorized to access protected health information at
a covered entity or business associate to another person authorized to access
protected health information at the covered entity or business associate. The
information cannot be further used or disclosed in a manner not permitted by
the Privacy Rule.
The final exception to breach applies if the covered entity or business
associate has a good faith belief that the unauthorized individual, to whom the
impermissible disclosure was made, would not have been able to retain the
Individual Notice
Covered entities must notify affected individuals
following the discovery of a breach of unsecured protected health information.
Covered entities must provide this individual notice in written form by
first-class mail, or alternatively, by e-mail if the affected individual has
agreed to receive such notices electronically. If the covered entity has
insufficient or out-of-date contact information for 10 or more individuals, the
covered entity must provide substitute individual notice by either posting the
notice on the home page of its web site or by providing the notice in major
print or broadcast media where the affected individuals likely reside. If the
covered entity has insufficient or out-of-date contact information for fewer
than 10 individuals, the covered entity may provide substitute notice by an
alternative form of written, telephone, or other means.
These individual notifications must be provided without unreasonable
delay and in no case later than 60 days following the discovery of a breach and
Covered entities that experience a breach affecting more than 500
residents of a State or jurisdiction are, in addition to notifying the affected
individuals, required to provide notice to prominent media outlets serving the
State or jurisdiction. Covered entities will likely provide this notification
in the form of a press release to appropriate media outlets serving the
affected area. Like individual notice, this media notification must be provided
without unreasonable delay and in no case later than 60 days following the
discovery of a breach and must include the same information required for the
In addition to notifying affected individuals and the media (where
appropriate), covered entities must notify the Secretary of breaches of
unsecured protected health information. Covered entities will notify the
Secretary by visiting the HHS web site and filling out and electronically
submitting a breach report form. If a breach affects 500 or more individuals,
covered entities must notify the Secretary without unreasonable delay and in no
case later than 60 days following a breach. If, however, a breach affects fewer
than 500 individuals, the covered entity may notify the Secretary of such
breaches on an annual basis. Reports of breaches affecting fewer than 500
individuals are due to the Secretary no later than 60 days after the end of the
calendar year in which the breaches occurred.
To the extent possible, a description of the breach;
A description of the types of information that were involved in the breach;
The steps affected individuals should take to protect themselves from potential
A brief description of what the covered entity is doing to investigate the
breach, mitigate the harm, and prevent further breaches, as well as contact
information for the covered entity; and
For substitute notice provided via web posting or major print or broadcast
media, the notification must include a toll-free number for individuals to
contact the covered entity to determine if their protected health information
was involved in the breach.
Notification by a Business Associate
If a breach of unsecured protected health information occurs at or by
a business associate, the business associate must notify the covered entity
following the discovery of the breach. A business associate must provide notice
to the covered entity without unreasonable delay and no later than 60 days from
the discovery of the breach. To the extent possible, the business associate
should provide the covered entity with the identification of each individual
affected by the breach as well as any information required to be provided by
the covered entity in its notification to affected individuals.
Covered entities and business associates have the burden of proof to
demonstrate that all required notifications have been provided or that a use or
disclosure of unsecured protected health information did not constitute a
breach. This section also requires covered entities to comply with several
other provisions of the Privacy Rule with respect to breach notification. For
example, covered entities must have in place written policies and procedures
regarding breach notification, must train employees on these policies and
procedures, and must develop and apply appropriate sanctions against workforce
members who do not comply with these policies and procedures.
Guidance to Render Unsecured Protected Health Information Unusable,
Unreadable, or Indecipherable to Unauthorized Individuals
Protected health information (PHI) is rendered unusable, unreadable,
or indecipherable to unauthorized individuals if one or more of the following
1. Electronic PHI has been encrypted as specified in the HIPAA Security Rule by
“the use of an algorithmic process to transform data into a form in which there
is a low probability of assigning meaning without use of a confidential process
or key” (45 CFR 164.304 definition of encryption) and such confidential process
or key that might enable decryption has not been breached. To avoid a breach of
the confidential process or key, these decryption tools should be stored on a
device or at a location separate from the data they are used to encrypt or
decrypt. The encryption processes identified below have been tested by the
National Institute of Standards and Technology (NIST) and judged to meet this
Valid encryption processes for data at rest are consistent with NIST Special
Publication 800-111, Guide to Storage Encryption Technologies for End User
Devices.
2. The media on which the PHI is stored or recorded has been destroyed in one of
the following ways:
Paper, film, or other hard copy media have been shredded or destroyed such that
the PHI cannot be read or otherwise cannot be reconstructed. Redaction is
specifically excluded as a means of data destruction.
Electronic media have been cleared, purged, or destroyed consistent with NIST
Special Publication 800-88, Guidelines for Media Sanitization, such that the
PHI cannot be retrieved.