HHS Issues Common-Sense Guidance on Data Breaches
On August 19, 2009, the Department of Health and Human Services (HHS) issued an interim final rule requiring notification of patients under certain circumstances when their health information is compromised. The rule implements portions of the Health Information Technology for Economic and Clinical Health Act, commonly referred to as the HITECH Act, which was part of the stimulus bill passed earlier this year.
Not All Breaches Will Trigger Notification Requirements
The new breach rule contains a pleasant surprise. Members of the healthcare industry may be relieved to learn that not all breaches will trigger the requirement to notify patients. The rule’s drafters observed that the HITECH Act requires that patients receive notice of any unauthorized acquisition, access, use or disclosure of protected health information when the breach “compromises the security or privacy” of the information. The rule interprets that phrase to allow a “harm threshold” such that individuals need to receive notice only if the breach may result in harm to them. In other words, patients must be notified only when the breach “poses a significant risk of financial, reputational, or other harm to the individual.”
Under the privacy rule, covered entities were required to mitigate potential harm that may result from a breach. This requirement was interpreted by some to mandate that the covered entity consider the potential risks to individuals and notify those patients if there was a reasonable belief that a) the breach could result in harm to them, and b) notification could mitigate that harm. The interim final rule makes it clear that a similar risk assessment is still appropriate.
If the unauthorized disclosure is to an entity that is also subject to HIPAA, the risk of harm to the individual whose information was compromised may be smaller. The nature of the information may also be considered when determining whether to notify patients. In the preamble to the rule, HHS observed that the unauthorized disclosure of an individual’s name and the fact that he or she received services from a hospital “would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual.” On the other hand, disclosing information indicating that an individual received cancer treatment or substance abuse services likely would require notice to the patient.
No Notification Needed Where Recipients Are Unlikely To Retain the Information
HHS also gives numerous common-sense examples of situations where individuals need not be notified because the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information. One example HHS discusses is a fairly common situation where an explanation of benefits (EOB) is sent to the wrong individual. If the EOB is returned by the post office as undeliverable and has not been opened, no notice to the patient is necessary.
Similarly, if a nurse hands a patient discharge papers belonging to someone else, but then quickly recovers them, it would not constitute a breach if the nurse reasonably could conclude that the patient did not read or otherwise could not retain the information. The covered entity or business associate will bear the burden of proof for showing why the breach notification was not required, and must document that reasoning.
Drafting Breach Notices
The rule requires breach notices to contain the information set forth in the statute. Another common-sense requirement is that this notice should not include a listing of sensitive information that was breached. Additionally, the notice should be in plain, non-technical language so the individual can understand the information.
Individuals must begin receiving notice of breaches 30 days after the rule is published in the Federal Register. HHS has indicated, however, that in order to give covered entities and business associates time to put reasonable systems in place to detect breaches, and to secure their protected health information through encryption or other methods, HHS will use its “enforcement discretion not to impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from publication of this rule.”
The interim final rule can be found at https://www.gpo.gov/fdsys/pkg/FR-2009-08-24/pdf/E9-20169.pdf.