HIPAA and HITECH
How it affects plan sponsors
Background
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information. Sounds straightforward but we all know that the “devil is in the details”. This ErisaALERT will touch on some of the key areas; we recommend reading the preamble to regulations as well as the actual regulations.
What is unsecured protected health information?
The regulations issued August 24, 2009 define it as protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.
How do you secure protected health information?
HHS issued guidance in April 2009. Basically, you encrypt or destroy.
What is a breach?
Generally, breach means the acquisition, access, use or disclosure of protected health information which “compromises the security or privacy of the protected health information”.
“Compromises the security or privacy of the protected health information” means poses a significant risk of financial, reputational or other harm to the individual.
Why is it important?
The regulations provide disclosure requirements for a breach of unsecured protected health information. If your protected health information is secured as defined by the regulations and you have a breach, the disclosure requirements that would otherwise apply do not apply.
What are the disclosure requirements?
Following discovery of a breach of unsecured protected health information or if it is reasonably believed by the covered entity to have been accessed, acquired, used or disclosed as a result of a breach, a covered entity must:
- Notify each individual whose unsecured protected health information has been or is reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach. The breach is considered discovered on the first day the breach is known or would have been known by exercising reasonable diligence.
- The notification must be sent no later than 60 calendar days after discovery of the breach.
- The notice should contain:
  - A brief description of what happened
  - The date of the breach and the date of discovery of the breach
  - A description of the types of unsecured protected health information that were involved in the breach
  - Steps the individual should take to protect themselves from potential harm resulting from the breach, and
  - Contacts for the individual to ask questions and learn additional information
How do you notify affected individuals?
Written notice by first class mail at the last known address of the individual or via e-mail if consent to electronic communication has been obtained. The notice may be provided in one or more mailings.
Where insufficient or out-of-date contact information precludes written notice to affected individuals, a substitute form of notice reasonably calculated to reach the individual should be provided. Where there is insufficient or out-of-date contact information for fewer than 10 individuals, the substitute notice may be provided by an alternative form of written notice, by telephone, or by other means.
In the case of 10 or more individuals with insufficient or out of date contact information, the substitute notice:
- Must be posted for 90 days on the home page of the website of the covered entity involved or
- A conspicuous notice in major print or broadcast media in geographic areas where the affected individuals are most likely to reside and
- Must include a toll free phone number that remains active for 90 days where the individual can learn whether their information may be included in the breach.
For a breach involving more than 500 residents of a State or jurisdiction, prominent media outlets serving the State or jurisdiction must be notified as well as the HHS Secretary. These notices must be provided at the same time as the individual notices.
For a breach involving fewer than 500 individuals, the covered entity must document the breach, maintain a log, and notify HHS no later than 60 days after the end of the calendar year in which the breach occurred.
How do the new rules affect business associates?
The business associate must notify the covered entity following discovery of the breach. If the business associate is an agent of the covered entity, the breach is imputed to the covered entity. The business associate must provide the covered entity with the identity of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used or disclosed during the breach.
When are the rules effective?
The rules were effective for breaches occurring on or after September 23, 2009. However, recognizing that it might take covered entities and business associates some time to comply, HHS will not impose sanctions for breaches that are discovered before February 22, 2010.
What should Plan Sponsors be doing now?
- Review your existing HIPAA procedures and update for HITECH rules.
- Is your protected health information secure? How is it secured? Do you encrypt?
- Take inventory of all your business associates and ensure that you have appropriate agreements in place.
- How will your business associate notify your organization and affected employees of a breach? How will the business associate mitigate harm? Make sure that your business associate agreement provides detailed steps for handling a breach and addresses who bears the cost of such notification.
- How will your organization react to a breach notification from a business associate? What will be the process for notifying affected individuals? How will you or your business associate handle the media if a breach affects a large group of individuals? How will you post a breach notification and keep affected employees informed? What media will you use?
- Decide if your HIPAA Privacy Notice needs updating. It may need updating to include sanctions for violating the new breach notification rules.
- Revise internal policies and procedures, prepare new forms and training material for relevant workforce, be ready for contingencies.
- Train relevant workforce.
Disclaimer: This material is for the sole purpose of providing general information and does not under any circumstances constitute legal advice and should not be used as a substitute for legal advice. You should seek the advice of counsel when applying the requirements to your plan. For more information on this ErisaALERT contact us by phone at 773-857-1137 and ask for Leanne Fosbre or 610-524-5351 and ask for Mary Andersen or 973-994-7539 and ask for Theresa Borzelli.
To comply with Circular 230 issued by the IRS, we hereby inform you that any tax advice contained in this communication (including attachments and/or enclosures, if any) is not intended or written to be used for the purpose of (i) avoiding penalties that may be imposed under the Internal Revenue Code, or (ii) promoting, marketing or recommending to one or more taxpayers any transaction or matter addressed herein.