Monday, August 24, 2009

Part II

Department of Health and Human Services

45 CFR Parts 160 and 164

Breach Notification for Unsecured Protected Health Information; Interim Final Rule
42740 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991–AB56

Breach Notification for Unsecured Protected Health Information

AGENCY: Office for Civil Rights, Department of Health and Human Services.

ACTION: Interim final rule with request for comments.

SUMMARY: The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to require notification of breaches of unsecured protected health information. Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, requires HHS to issue interim final regulations within 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information. For purposes of determining what information is “unsecured protected health information,” in this document HHS is also issuing an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

DATES: Effective Date: This interim final rule is effective September 23, 2009. Comment Date: Comments on the provisions of this interim final rule are due on or before October 23, 2009. Comments on the information collection requirements associated with this rule are due on or before September 8, 2009.

ADDRESSES: You may submit comments, identified by RIN 0991–AB56, by any of the following methods (please do not submit duplicate comments):

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.

• Regular, Express, or Overnight Mail: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies.

• Hand Delivery or Courier: Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.)

Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at http://www.regulations.gov. Because comments will be made public, they should not include any sensitive personal information, such as a person’s social security number; date of birth; driver’s license number, state identification number or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information.

Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov or U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, SW., Washington, DC 20201 (call ahead to the contact listed below to arrange for inspection).

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202–205–2292.

SUPPLEMENTARY INFORMATION:

I. Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111–5), was enacted on February 17, 2009. Subtitle D of Division A of the HITECH Act (the Act), entitled “Privacy,” among other provisions, requires the Department of Health and Human Services (HHS or the Department) to issue interim final regulations for breach notification by covered entities subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104–191) and their business associates.

These breach notification provisions are found in section 13402 of the Act and apply to HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. The Act incorporates the definitions of “covered entity,” “business associate,” and “protected health information” used in the HIPAA Administrative Simplification regulations (45 CFR parts 160, 162, and 164) (HIPAA Rules) at § 160.103. Under the HIPAA Rules, a covered entity is a health plan, health care clearinghouse, or health care provider that transmits any health information electronically in connection with a covered transaction, such as submitting health care claims to a health plan. Business associate, as defined in the HIPAA Rules, means a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of individually identifiable health information. Examples of business associates include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information. The HIPAA Rules define “protected health information” as the individually identifiable health information held or transmitted in any form or medium by these HIPAA covered entities and business associates, subject to certain limited exceptions.

The Act requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information. In addition, in some cases, the Act requires covered entities to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.
Section 13400(1) of the Act defines “breach” to mean, generally, the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. The Act provides exceptions to this definition to encompass disclosures where the recipient of the information would not reasonably have been able to retain the information, certain unintentional acquisition, access, or use of information by employees or persons acting under the authority of a covered entity or business associate, as well as certain inadvertent disclosures among persons similarly authorized to access protected health information at a business associate or covered entity.

Further, section 13402(h) of the Act defines “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance” and provides that the guidance specify the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information—that is, the information is not considered “unsecured” in such cases. As required by the Act, the Secretary initially issued this guidance on April 17, 2009 (it was subsequently published in the Federal Register at 74 FR 19006 on April 27, 2009). The guidance listed and described encryption and destruction as the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

In cases in which notification is required, the Act at section 13402 prescribes the timeliness, content, and methods of providing the breach notifications. We discuss these and the above statutory provisions in more detail below where we describe section-by-section how these new regulations implement the breach notification provisions at section 13402 of the Act.

In addition to the breach notification provisions for HIPAA covered entities and business associates at section 13402, section 13407 of the Act, which is to be implemented and enforced by the Federal Trade Commission (FTC), imposes similar breach notification requirements upon vendors of personal health records (PHRs) and their third party service providers following the discovery of a breach of security of unsecured PHR identifiable health information.¹ As with the definition of “unsecured protected health information,” the provisions at section 13407(f)(3) define “unsecured PHR identifiable health information” as PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary of HHS in guidance. Thus, entities subject to the FTC breach notification rules must also use the Secretary’s guidance to determine whether the information subject to a breach was “unsecured” and, therefore, whether breach notification is required.

When HHS issued the guidance, HHS also published in the same document a request for information (RFI), inviting public comment both on the guidance itself, as well as on the breach provisions of section 13402 of the Act generally. After considering the public comment, we are issuing an updated version of the guidance in Section II below. In addition, we discuss public comment received on the Act’s breach notification provisions where relevant below in the section-by-section description of the interim final rule.

We have concluded that we have good cause, under 5 U.S.C. 553(b)(B), to waive the notice-and-comment requirements of the Administrative Procedure Act and to proceed with this interim final rule. Section 13402(j) explicitly required us to issue these regulations as “interim final regulations” and to do so within 180 days. Based on this statutory directive and limited time frame, we concluded that notice-and-comment rulemaking was impracticable and contrary to public policy. Nevertheless, we sought comments in the RFI referenced above and considered those comments when drafting this rule. In addition, we provide the public with a 60-day period following publication of this document to submit comments on the interim final rule.

II. Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

A. Background

As discussed above, section 13402 of the Act requires breach notification following the discovery of a breach of unsecured protected health information. Section 13402(h) of the Act defines “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance” and requires the Secretary to specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. As required by the Act, this guidance was issued on April 17, 2009, and later published in the Federal Register on April 27, 2009 (74 FR 19006). The guidance specified encryption and destruction as the technologies and methodologies for rendering protected health information, as well as PHR identifiable health information under section 13407 of the Act and the FTC’s implementing regulation, unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. The RFI asked for general comment on this guidance as well as for specific comment on the technologies and methodologies to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

Many commenters expressed concern and confusion regarding the purpose of the guidance and its impact on a covered entity’s responsibilities under the HIPAA Security Rule (45 CFR part 164, subparts A and C). We emphasize that this guidance does nothing to modify a covered entity’s responsibilities with respect to the Security Rule nor does it impose any new requirements upon covered entities to encrypt all protected health information. The Security Rule requires covered entities to safeguard electronic protected health information and permits covered entities to use any security measures that allow them to reasonably and appropriately implement all safeguard requirements. Under 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii), a covered entity must consider implementing encryption as a method for safeguarding electronic protected health information; however, because these are addressable implementation specifications, a covered entity may be in compliance with the Security Rule even if it reasonably decides not to encrypt electronic protected health information and instead uses a comparable method to safeguard the information.

Therefore, if a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that

¹ The FTC issued a notice of proposed rulemaking to implement section 13407 of the Act on April 20, 2009 (74 FR 17914).
encrypted information, the covered entity will not be required to provide breach notification because the information is not considered “unsecured protected health information” as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals. On the other hand, if a covered entity has decided to use a method other than encryption or an encryption algorithm that is not specified in this guidance to safeguard protected health information, then although that covered entity may be in compliance with the Security Rule, following a breach of this information, the covered entity would have to provide breach notification to affected individuals. For example, a covered entity that has a large database of protected health information may choose, based on their risk assessment under the Security Rule, to rely on firewalls and other access controls to make the information inaccessible, as opposed to encrypting the information. While the Security Rule permits the use of firewalls and access controls as reasonable and appropriate safeguards, a covered entity that seeks to ensure breach notification is not required in the event of a breach of the information in the database would need to encrypt the information pursuant to the guidance.

We also received several comments asking for clarification and additional detail regarding the forms of information and the specific devices and protocols described in the guidance. As a result, we provide clarification regarding the forms of information addressed in the National Institute of Standards and Technology (NIST) publications referenced in the guidance. We clarify that “data in motion” includes data that is moving through a network, including wireless transmission, whether by e-mail or structured electronic interchange, while “data at rest” includes data that resides in databases, file systems, flash drives, memory, and any other structured storage method. “Data in use” includes data in the process of being created, retrieved, updated, or deleted, and “data disposed” includes discarded paper records or recycled electronic media.

Additionally, many commenters suggested that access controls be included in the guidance as a method for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. We recognize that access controls, as well as other security methods such as firewalls, are important tools for safeguarding protected health information. While we believe access controls may render information inaccessible to unauthorized individuals, we do not believe that access controls meet the statutory standard of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. If access controls are compromised, the underlying information may still be usable, readable, or decipherable to an unauthorized individual, and thus, constitute unsecured protected health information for which breach notification is required. Therefore, we have not included access controls in the guidance; however, we do emphasize the benefit of strong access controls, which may function to prevent breaches of unsecured protected health information from occurring in the first place.

Other commenters suggested that the guidance include redaction of paper records as an alternative to destruction. Because redaction is not a standardized methodology with proven capabilities to destroy or render the underlying information unusable, unreadable or indecipherable, we do not believe that redaction is an accepted alternative method to secure paper-based protected health information. Therefore, we have clarified in this guidance that only destruction of paper protected health information, and not redaction, will satisfy the requirements to relieve a covered entity or business associate from breach notification. We note, however, that covered entities and business associates may continue to create limited data sets or de-identify protected health information through redaction if the removal of identifiers results in the information satisfying the criteria of 45 CFR 164.514(e)(2) or 164.514(b), respectively. Further, a loss or theft of information that has been redacted appropriately may not require notification under these rules either because the information is not protected health information (as in the case of de-identified information) or because the unredacted information does not compromise the security or privacy of the information and thus, does not constitute a breach as described in Section IV below.

In response to comments received, we also make two additional clarifications in the guidance. First, for purposes of the guidance below and ensuring encryption keys are not breached, we clarify that covered entities and business associates should keep encryption keys on a separate device from the data that they encrypt or decrypt. Second, we also include in the guidance below a note regarding roadmap guidance activities on the part of the NIST pertaining to data storage on enterprise-level storage devices, such as RAID (redundant array of inexpensive disks), or SAN (storage-attached network) systems.

For ease of reference, we have published this updated guidance in this document below; however, it will also be available on the HHS Web site at http://www.hhs.gov/ocr/privacy/. Any further comments regarding this guidance received in response to the interim final rule will be addressed in the first annual update to the guidance, to be issued in April 2010.

B. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”² and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices.³ ⁴

(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800–52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800–77, Guide to IPsec VPNs; or 800–113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140–2 validated.⁵

² 45 CFR 164.304, definition of “encryption.”
³ NIST Roadmap plans include the development of security guidelines for enterprise-level storage devices, and such guidelines will be considered in updates to this guidance, when available.
⁴ Available at http://www.csrc.nist.gov/.
⁵ Available at http://www.csrc.nist.gov/.
(b) The media on which the PHI is stored or recorded have been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.

(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization,⁶ such that the PHI cannot be retrieved.

III. Overview of Interim Final Rule

We are adding a new subpart D to part 164 of title 45 of the Code of Federal Regulations (CFR) to implement the breach notification provisions in section 13402 of the Act. These provisions apply to HIPAA covered entities and their business associates and set forth the requirements for notification to affected individuals, the media, and the Secretary of HHS following a breach of unsecured protected health information. In drafting this interim final regulation, we considered the public comments received in response to the RFI described above.

In addition, we consulted closely with the FTC in the development of these regulations. Commenters in response to both the RFI as well as the FTC’s notice of proposed rulemaking urged HHS and the FTC to work together to ensure that the regulated entities know with which rule they must comply and that those entities that are subject to both rules because they may operate in different roles are not subject to two completely different and inconsistent regulatory schemes. In addition, commenters were concerned that individuals could receive multiple notices of the same breach if the HHS and the FTC regulations overlapped. Thus, HHS coordinated with the FTC to ensure these issues were addressed in the respective rulemakings. First, the rules make clear that entities operating as HIPAA covered entities and business associates are subject to HHS’, and not the FTC’s, breach notification rule. Second, in those limited cases where an entity may be subject to both HHS’ and the FTC’s rules, such as a vendor that offers PHRs to customers of a HIPAA covered entity as a business associate and also offers PHRs directly to the public, we worked with the FTC to ensure both sets of regulations were harmonized by including the same or similar requirements, within the constraints of the statutory language. See Section IV.F. below for a more detailed discussion and an example of our harmonization efforts.

IV. Section-by-Section Description of Interim Final Rule

The following discussion describes the provisions of the interim final rule section by section. Those interested in commenting on the interim final rule can assist the Department by preceding discussion of any particular provision or topic with a citation to the section of the interim final rule being discussed.

A. Applicability—Section 164.400

Section 164.400 of the interim final rule provides that this breach notification rule is applicable to breaches occurring on or after 30 days from the date of publication of this interim final rule. See Section IV.K. Effective/Compliance Date of this rule for further discussion.

B. Definitions—Section 164.402

Section 164.402 of the interim final rule adopts definitions for the terms “breach” and “unsecured protected health information.”

1. Breach

Section 13402 of the Act and this interim final rule require covered entities and business associates to provide notification following a breach of unsecured protected health information. Section 13400(1)(A) of the Act defines “breach” as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” Section 13400(1)(B) of the Act provides several exceptions to the definition of “breach.” Based on section 13400(1)(A), we have defined “breach” at § 164.402 of the interim final rule as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” We have added paragraph (1) to the definition to clarify when the security or privacy of information is considered to be compromised. Paragraph (2) of the definition then includes the statutory exceptions, including the exception within section 13400(1)(A) that refers to whether the recipient would reasonably have been able to retain the information.

Protected Health Information

We note that the definition of “breach” is limited to protected health information. With respect to a covered entity or business associate of a covered entity, protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, including electronic information. 45 CFR 160.103. If information is de-identified in accordance with 45 CFR 164.514(b), it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart. Additionally, § 160.103 excludes certain types of individually identifiable health information from the definition of “protected health information,” such as employment records held by a covered entity in its role as employer. If individually identifiable health information that is not protected health information is used or disclosed in an unauthorized manner, it would not qualify as a breach for purposes of this subpart—although the covered entity should consider whether it has notification requirements under other laws. Further, we note that although the definition of “breach” applies to protected health information generally, covered entities and business associates are required to provide the breach notifications required by the Act and this interim final rule (discussed below) only upon a breach of unsecured protected health information. See also Section II of this document for a list of the technologies and methodologies that render protected health information secure such that notification is not required in the event of a breach.

Unauthorized Acquisition, Access, Use, or Disclosure

The statute defines a “breach” as the “unauthorized” acquisition, access, use, or disclosure of protected health information. Several commenters asked that we define “unauthorized” or that we clarify its meaning. We clarify that “unauthorized” is an impermissible use or disclosure of protected health information under the HIPAA Privacy Rule (subpart E of 45 CFR part 164). Accordingly, the definition of “breach” at § 164.402 of the interim final rule interprets the “unauthorized acquisition, access, use, or disclosure of protected health information” as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part.” We emphasize that not all violations of the Privacy Rule will be

⁶ Available at http://www.csrc.nist.gov/.
6. 42744 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations
breaches under this subpart, and therefore, covered entities and business associates need not provide breach notification in all cases of impermissible uses and disclosures. We also note that the HIPAA Security Rule provides for administrative, physical, and technical safeguards and organizational requirements for electronic protected health information, but does not govern uses and disclosures of protected health information. Accordingly, a violation of the Security Rule does not itself constitute a potential breach under this subpart, although such a violation may lead to a use or disclosure of protected health information that is not permitted under the Privacy Rule and thus, may potentially be a breach under this subpart.

The Act does not define the terms ‘‘acquisition’’ and ‘‘access.’’ Several commenters asked that we define or identify the differences between acquisition, access, use, and disclosure of protected health information, for purposes of the definition of ‘‘breach.’’ We interpret ‘‘acquisition’’ and ‘‘access’’ to information based on their plain meanings and believe that both terms are encompassed within the current definitions of ‘‘use’’ and ‘‘disclosure’’ in the HIPAA Rules. Accordingly, we have not added separate definitions for these terms. We have retained the statutory terms in the regulation in order to maintain consistency with the statute. In addition, we note that while the HIPAA Security Rule at § 164.304 includes a definition of the term ‘‘access,’’ such definition is limited to the ability to use ‘‘system resources’’ and not to access to information more generally and thus, we have revised that definition to make clear that it does not apply for purposes of these breach notification rules.

For an acquisition, access, use, or disclosure of protected health information to constitute a breach, it must constitute a violation of the Privacy Rule. Therefore, one of the first steps in determining whether notification is necessary under this subpart is to determine whether a use or disclosure violates the Privacy Rule. We note that uses or disclosures that impermissibly involve more than the minimum necessary information, in violation of §§ 164.502(b) and 164.514(d), may qualify as breaches under this subpart. In contrast, a use or disclosure of protected health information that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule pursuant to 45 CFR 164.502(a)(1)(iii) and, therefore, would not qualify as a potential breach. Finally, violations of administrative requirements, such as a lack of reasonable safeguards or a lack of training, do not themselves qualify as potential breaches under this subpart (although such violations certainly may lead to impermissible uses or disclosures that qualify as breaches).

Compromises the Security or Privacy of Protected Health Information

The Act and regulation next limit the definition of ‘‘breach’’ to a use or disclosure that ‘‘compromises the security or privacy’’ of the protected health information. Accordingly, once it is established that a use or disclosure violates the Privacy Rule, the covered entity must determine whether the violation compromises the security or privacy of the protected health information.

For the purposes of the definition of ‘‘breach,’’ many commenters suggested that we add a harm threshold such that an unauthorized use or disclosure of protected health information is considered a breach only if the use or disclosure poses some harm to the individual. These commenters noted that the ‘‘compromises the security or privacy’’ language in section 13400(1)(A) of the Act contemplates that covered entities will perform some type of risk assessment to determine if there is a risk of harm to the individual, and therefore, if a breach has occurred. Commenters urged that the addition of a harm threshold to the definition would also align this regulation with many State breach notification laws that require entities to reach similar harm thresholds before providing notification. Finally, some commenters noted that failure to include a harm threshold for requiring breach notification may diminish the impact of notifications received by individuals, as individuals may be flooded with notifications for breaches that pose no threat to the security or privacy of their protected health information or, alternatively, may cause unwarranted panic in individuals, and the expenditure of undue costs and other resources by individuals in remedial action.

We agree that the statutory language encompasses a harm threshold and have clarified in paragraph (1) of the definition that ‘‘compromises the security or privacy of the protected health information’’ means ‘‘poses a significant risk of financial, reputational, or other harm to the individual.’’ This ensures better consistency and alignment with State breach notification laws, as well as existing obligations on Federal agencies (some of which also must comply with these rules as HIPAA covered entities) pursuant to OMB Memorandum M–07–16 to have in place breach notification policies for personally identifiable information that take into account the likely risk of harm caused by a breach in determining whether breach notification is required. Thus, to determine if an impermissible use or disclosure of protected health information constitutes a breach, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates may need to consider a number or combination of factors, some of which are described below.7

Covered entities and business associates should consider who impermissibly used or to whom the information was impermissibly disclosed when evaluating the risk of harm to individuals. If, for example, protected health information is impermissibly disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency that is obligated to comply with the Privacy Act of 1974 (5 U.S.C. 552a) and the Federal Information Security Management Act of 2002 (44 U.S.C. 3541 et seq.), there may be less risk of harm to the individual, since the recipient entity is obligated to protect the privacy and security of the information it received in the same or similar manner as the entity that disclosed the information. In contrast, if protected health information is impermissibly disclosed to any entity or person that does not have similar obligations to maintain the privacy and security of the information, the risk of harm to the individual is much greater.

We expect that there may be circumstances where a covered entity takes immediate steps to mitigate an impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. If such steps eliminate or reduce the risk of harm to the individual to a less than ‘‘significant risk,’’ then we interpret that the security and privacy of the

7 Covered entities may also wish to review OMB Memorandum M–07–16 for examples of the types of factors that may need to be taken into account in determining whether an impermissible use or disclosure presents a significant risk of harm to the individual.
information has not been compromised and, therefore, no breach has occurred.

In addition, there may be circumstances where impermissibly disclosed protected health information is returned prior to it being accessed for an improper purpose. For example, if a laptop is lost or stolen and then recovered, and a forensic analysis of the computer shows that its information was not opened, altered, transferred, or otherwise compromised, such a breach may not pose a significant risk of harm to the individuals whose information was on the laptop. Note, however, that if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.

In performing a risk assessment, covered entities and business associates should also consider the type and amount of protected health information involved in the impermissible use or disclosure. If the nature of the protected health information does not pose a significant risk of financial, reputational, or other harm, then the violation is not a breach. For example, if a covered entity improperly discloses protected health information that merely included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program 8), or if the protected health information includes information that increases the risk of identity theft (such as a social security number, account number, or mother’s maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information. The risk assessment should be fact specific, and the covered entity or business associate should keep in mind that many forms of health information, not just information about sexually transmitted diseases or mental health, should be considered sensitive for purposes of the risk of reputational harm—especially in light of fears about employment discrimination.

We also address impermissible uses and disclosures involving limited data sets (as the term is used at 45 CFR 164.514(e) of the Privacy Rule), in paragraph (1) of the definition of ‘‘breach’’ at § 164.402 of the interim final rule. In the RFI discussed above, we asked for public comment on whether limited data sets should be considered unusable, unreadable, or indecipherable and included as a methodology in the guidance. A limited data set is created by removing the 16 direct identifiers listed in § 164.514(e)(2) from the protected health information.9 These direct identifiers include the name, address, social security number, and account number of an individual or the individual’s relative, employer, or household member. When these 16 direct identifiers are removed from the protected health information, the information is not completely de-identified pursuant to 45 CFR 164.514(b). In particular, the elements of dates, such as dates of birth, and zip codes, are allowed to remain within the limited data set, which increase the potential for re-identification of the information. Because there is a risk of re-identification of the information within a limited data set, the Privacy Rule treats this information as protected health information that may only be used or disclosed as permitted by the Privacy Rule.

Several commenters suggested that the limited data set should not be included in the guidance as a method to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. These commenters cited concerns about the risk of re-identification of protected health information in a limited data set and noted that, as more data exists in electronic form and as more data becomes public, it will be easier to combine these various sources to re-establish the identity of the individual. Furthermore, due to the risk of re-identification, these commenters stated that creating a limited data set was not comparable to encrypting information, and therefore, should not be included as a method to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

The majority of commenters, however, did support the inclusion of the limited data set in the guidance. These commenters stated that it would be impractical to require covered entities and business associates to notify individuals of a breach of information within a limited data set because, by definition, such information excludes the very identifiers that would enable covered entities and business associates, without undue burden, to identify the affected individuals and comply with the breach notification requirements. Additionally, these commenters cited contractual concerns regarding the data use agreement, which prohibits the recipient of a limited data set from re-identifying the information and therefore, may pose problems with complying with the notification requirements of section 13402(b) of the Act.

These commenters also noted that the decision to exclude the limited data set from the guidance, such that a breach of a limited data set would require breach notification, would reduce the likelihood that covered entities would continue to create and share limited data sets. This, in turn, would have a chilling effect on the research and public health communities, which rely on receiving information from covered entities in limited data set form. Finally, commenters noted that the removal of the 16 direct identifiers in the limited data set presents a minimal risk of serious harm to the individual by limiting the possibility that the information could be used for an illicit purpose if breached. These commenters also suggested that the inclusion of the limited data set in the guidance would align with most state breach notification laws, which, as a general matter, only require notification when certain identifiers are exposed and when there is a likelihood that the breach will result in harm to the individual.

We also asked commenters if they believed that the removal of an individual’s date of birth or zip code, in addition to the 16 direct identifiers in 45 CFR 164.514(e)(2), would reduce the risk of re-identification of the information such that it could be included in the guidance. Several commenters responded to this question. While some stated that the removal of these data elements would render the

8 Note that an impermissible disclosure that indicates that an individual has received services from a substance abuse treatment program may also constitute a violation of 42 U.S.C. 290dd–2 and the implementing regulations at 42 CFR part 2. These provisions require the confidentiality of substance abuse patient records.

9 A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: (1) Names; (2) postal address information, other than town or city, State, and zip code; (3) telephone numbers; (4) fax numbers; (5) e-mail addresses; (6) social security numbers; (7) medical record numbers; (8) health plan beneficiary numbers; (9) account numbers; (10) certificate/license plate numbers; (11) vehicle identifiers and serial numbers; (12) device identifiers and serial numbers; (13) Web URLs; (14) Internet Protocol (IP) address numbers; (15) biometric identifiers, including finger and voice prints; and (16) full face photographic images and any comparable images.