HHS Issues Common-Sense Guidance on Data Breaches

Healthcare & Life Sciences Alert - September 1, 2009

Shannon Hartsfield Salimone - Tallahassee

On August 19, 2009, the Department of Health and Human Services (HHS) issued an interim final rule requiring notification of patients under certain circumstances when their health information is compromised. The rule implements portions of the Health Information Technology for Economic and Clinical Health Act, commonly referred to as the HITECH Act, which was part of the stimulus bill passed earlier this year.

Not All Breaches Will Trigger Notification Requirements

The new breach rule contains a pleasant surprise. Members of the healthcare industry may be relieved to learn that not all breaches will trigger the requirement to notify patients. The rule’s drafters observed that the HITECH Act requires that patients receive notice of any unauthorized acquisition, access, use or disclosure of protected health information when the breach “compromises the security or privacy” of the information. The rule interprets that phrase to allow a “harm threshold” such that individuals need to receive notice only if the breach may result in harm to them. In other words, patients must be notified only when the breach “poses a significant risk of financial, reputational, or other harm to the individual.”

Under the privacy rule, covered entities were required to mitigate potential harm that may result from a breach. This requirement was interpreted by some to mandate that the covered entity consider the potential risks to individuals and notify those patients if there was a reasonable belief that a) the breach could result in harm to them, and b) notification could mitigate that harm. The interim final rule makes it clear that a similar risk assessment is still appropriate.

If the unauthorized disclosure is to an entity that is also subject to HIPAA, the risk of harm to the individual whose information was compromised may be smaller. The nature of the information may also be considered when determining whether to notify patients. In the preamble to the rule, HHS observed that the unauthorized disclosure of an individual’s name and the fact that he or she received services from a hospital “would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual.” On the other hand, disclosing information indicating that an individual received cancer treatment or substance abuse services likely would require notice to the patient.

No Disclosure Needed Where Recipients Are Unlikely To Retain the Information

HHS also gives numerous common-sense examples of situations where individuals need not be notified because the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information. One example HHS discusses is a fairly common situation where an explanation of benefits (EOB) is sent to the wrong individual. If the EOB is returned by the post office as undeliverable and has not been opened, no notice to the patient is necessary.

Similarly, if a nurse hands a patient discharge papers belonging to someone else, but then quickly recovers them, it would not constitute a breach if the nurse reasonably could conclude that the patient did not read or otherwise could not retain the information. The covered entity or business associate will bear the burden of proof for showing why the breach notification was not required, and must document that reasoning.

Drafting Breach Notices

The rule requires breach notices to contain the information set forth in the statute. Another common-sense requirement is that this notice should not include a listing of sensitive information that was breached. Additionally, the notice should be in plain, non-technical language so the individual can understand the information.

Individuals must begin receiving notice of breaches 30 days after the rule is published in the Federal Register. HHS has indicated, however, that in order to give covered entities and business associates time to put reasonable systems in place to detect breaches, and to secure their protected health information through encryption or other methods, HHS will use its “enforcement discretion not to impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from publication of this rule.”

The interim final rule can be found at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf.
