Monday, August 24, 2009

Part II

Department of Health and Human Services

45 CFR Parts 160 and 164

Breach Notification for Unsecured Protected Health Information; Interim Final Rule
42740             Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991–AB56

Breach Notification for Unsecured Protected Health Information

AGENCY: Office for Civil Rights, Department of Health and Human Services.

ACTION: Interim final rule with request for comments.

SUMMARY: The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to require notification of breaches of unsecured protected health information. Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, requires HHS to issue interim final regulations within 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information. For purposes of determining what information is "unsecured protected health information," in this document HHS is also issuing an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

DATES: Effective Date: This interim final rule is effective September 23, 2009.

Comment Date: Comments on the provisions of this interim final rule are due on or before October 23, 2009. Comments on the information collection requirements associated with this rule are due on or before September 8, 2009.

ADDRESSES: You may submit comments, identified by RIN 0991–AB56, by any of the following methods (please do not submit duplicate comments):

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.

• Regular, Express, or Overnight Mail: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies.

• Hand Delivery or Courier: Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.)

Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at http://www.regulations.gov. Because comments will be made public, they should not include any sensitive personal information, such as a person's social security number; date of birth; driver's license number, state identification number or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information.

Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov or U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, SW., Washington, DC 20201 (call ahead to the contact listed below to arrange for inspection).

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202–205–2292.

SUPPLEMENTARY INFORMATION:

I. Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111–5), was enacted on February 17, 2009. Subtitle D of Division A of the HITECH Act (the Act), entitled "Privacy," among other provisions, requires the Department of Health and Human Services (HHS or the Department) to issue interim final regulations for breach notification by covered entities subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104–191) and their business associates.

These breach notification provisions are found in section 13402 of the Act and apply to HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. The Act incorporates the definitions of "covered entity," "business associate," and "protected health information" used in the HIPAA Administrative Simplification regulations (45 CFR parts 160, 162, and 164) (HIPAA Rules) at § 160.103. Under the HIPAA Rules, a covered entity is a health plan, health care clearinghouse, or health care provider that transmits any health information electronically in connection with a covered transaction, such as submitting health care claims to a health plan. Business associate, as defined in the HIPAA Rules, means a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of individually identifiable health information. Examples of business associates include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information. The HIPAA Rules define "protected health information" as the individually identifiable health information held or transmitted in any form or medium by these HIPAA covered entities and business associates, subject to certain limited exceptions.

The Act requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information. In addition, in some cases, the Act requires covered entities to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.


Section 13400(1) of the Act defines "breach" to mean, generally, the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. The Act provides exceptions to this definition to encompass disclosures where the recipient of the information would not reasonably have been able to retain the information, certain unintentional acquisition, access, or use of information by employees or persons acting under the authority of a covered entity or business associate, as well as certain inadvertent disclosures among persons similarly authorized to access protected health information at a business associate or covered entity.

Further, section 13402(h) of the Act defines "unsecured protected health information" as "protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance" and provides that the guidance specify the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information; that is, the information is not considered "unsecured" in such cases. As required by the Act, the Secretary initially issued this guidance on April 17, 2009 (it was subsequently published in the Federal Register at 74 FR 19006 on April 27, 2009). The guidance listed and described encryption and destruction as the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

In cases in which notification is required, the Act at section 13402 prescribes the timeliness, content, and methods of providing the breach notifications. We discuss these and the above statutory provisions in more detail below where we describe section-by-section how these new regulations implement the breach notification provisions at section 13402 of the Act.

In addition to the breach notification provisions for HIPAA covered entities and business associates at section 13402, section 13407 of the Act, which is to be implemented and enforced by the Federal Trade Commission (FTC), imposes similar breach notification requirements upon vendors of personal health records (PHRs) and their third party service providers following the discovery of a breach of security of unsecured PHR identifiable health information.1 As with the definition of "unsecured protected health information," the provisions at section 13407(f)(3) define "unsecured PHR identifiable health information" as PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary of HHS in guidance. Thus, entities subject to the FTC breach notification rules must also use the Secretary's guidance to determine whether the information subject to a breach was "unsecured" and, therefore, whether breach notification is required.

When HHS issued the guidance, HHS also published in the same document a request for information (RFI), inviting public comment both on the guidance itself, as well as on the breach provisions of section 13402 of the Act generally. After considering the public comment, we are issuing an updated version of the guidance in Section II below. In addition, we discuss public comment received on the Act's breach notification provisions where relevant below in the section-by-section description of the interim final rule.

We have concluded that we have good cause, under 5 U.S.C. 553(b)(B), to waive the notice-and-comment requirements of the Administrative Procedure Act and to proceed with this interim final rule. Section 13402(j) explicitly required us to issue these regulations as "interim final regulations" and to do so within 180 days. Based on this statutory directive and limited time frame, we concluded that notice-and-comment rulemaking was impracticable and contrary to public policy. Nevertheless, we sought comments in the RFI referenced above and considered those comments when drafting this rule. In addition, we provide the public with a 60-day period following publication of this document to submit comments on the interim final rule.

II. Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

A. Background

As discussed above, section 13402 of the Act requires breach notification following the discovery of a breach of unsecured protected health information. Section 13402(h) of the Act defines "unsecured protected health information" as "protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance" and requires the Secretary to specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. As required by the Act, this guidance was issued on April 17, 2009, and later published in the Federal Register on April 27, 2009 (74 FR 19006). The guidance specified encryption and destruction as the technologies and methodologies for rendering protected health information, as well as PHR identifiable health information under section 13407 of the Act and the FTC's implementing regulation, unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. The RFI asked for general comment on this guidance as well as for specific comment on the technologies and methodologies to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

Many commenters expressed concern and confusion regarding the purpose of the guidance and its impact on a covered entity's responsibilities under the HIPAA Security Rule (45 CFR part 164, subparts A and C). We emphasize that this guidance does nothing to modify a covered entity's responsibilities with respect to the Security Rule nor does it impose any new requirements upon covered entities to encrypt all protected health information. The Security Rule requires covered entities to safeguard electronic protected health information and permits covered entities to use any security measures that allow them to reasonably and appropriately implement all safeguard requirements. Under 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii), a covered entity must consider implementing encryption as a method for safeguarding electronic protected health information; however, because these are addressable implementation specifications, a covered entity may be in compliance with the Security Rule even if it reasonably decides not to encrypt electronic protected health information and instead uses a comparable method to safeguard the information.

Therefore, if a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that

1 The FTC issued a notice of proposed rulemaking to implement section 13407 of the Act on April 20, 2009 (74 FR 17914).


encrypted information, the covered entity will not be required to provide breach notification because the information is not considered "unsecured protected health information" as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals. On the other hand, if a covered entity has decided to use a method other than encryption or an encryption algorithm that is not specified in this guidance to safeguard protected health information, then although that covered entity may be in compliance with the Security Rule, following a breach of this information, the covered entity would have to provide breach notification to affected individuals. For example, a covered entity that has a large database of protected health information may

inaccessible to unauthorized individuals, we do not believe that access controls meet the statutory standard of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. If access controls are compromised, the underlying information may still be usable, readable, or decipherable to an unauthorized individual, and thus, constitute unsecured protected health information for which breach notification is required. Therefore, we have not included access controls in the guidance; however, we do emphasize the benefit of strong access controls, which may function to prevent breaches of unsecured protected health information from occurring in the first place.

of the NIST pertaining to data storage on enterprise-level storage devices, such as RAID (redundant array of inexpensive disks), or SAN (storage-attached network) systems.

For ease of reference, we have published this updated guidance in this document below; however, it will also be available on the HHS Web site at http://www.hhs.gov/ocr/privacy/. Any further comments regarding this guidance received in response to the interim final rule will be addressed in the first annual update to the guidance, to be issued in April 2010.

B. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized
                                            choose, based on their risk assessment                     Other commenters suggested that the                Individuals
                                            under the Security Rule, to rely on                     guidance include redaction of paper
                                            firewalls and other access controls to                  records as an alternative to destruction.                Protected health information (PHI) is
                                            make the information inaccessible, as                   Because redaction is not a standardized               rendered unusable, unreadable, or
                                            opposed to encrypting the information.                  methodology with proven capabilities to               indecipherable to unauthorized
                                            While the Security Rule permits the use                 destroy or render the underlying                      individuals if one or more of the
                                            of firewalls and access controls as                     information unusable, unreadable or                   following applies:
                                            reasonable and appropriate safeguards, a                indecipherable, we do not believe that                   (a) Electronic PHI has been encrypted
                                            covered entity that seeks to ensure                     redaction is an accepted alternative                  as specified in the HIPAA Security Rule
                                            breach notification is not required in the              method to secure paper-based protected                by ‘‘the use of an algorithmic process to
                                            event of a breach of the information in                 health information. Therefore, we have                transform data into a form in which
                                            the database would need to encrypt the                  clarified in this guidance that only                  there is a low probability of assigning
                                            information pursuant to the guidance.                   destruction of paper protected health                 meaning without use of a confidential
                                               We also received several comments                    information, and not redaction, will                  process or key’’ 2 and such confidential
                                            asking for clarification and additional                 satisfy the requirements to relieve a                 process or key that might enable
                                            detail regarding the forms of                           covered entity or business associate                  decryption has not been breached. To
                                            information and the specific devices                    from breach notification. We note,                    avoid a breach of the confidential
                                            and protocols described in the guidance.                however, that covered entities and                    process or key, these decryption tools
                                            As a result, we provide clarification                   business associates may continue to                   should be stored on a device or at a
                                            regarding the forms of information                      create limited data sets or de-identify               location separate from the data they are
                                            addressed in the National Institute of                  protected health information through                  used to encrypt or decrypt. The
                                            Standards and Technology (NIST)                         redaction if the removal of identifiers               encryption processes identified below
                                            publications referenced in the guidance.                results in the information satisfying the             have been tested by the National
                                            We clarify that ‘‘data in motion’’                      criteria of 45 CFR 164.514(e)(2) or                   Institute of Standards and Technology
                                            includes data that is moving through a                  164.514(b), respectively. Further, a loss             (NIST) and judged to meet this standard.
                                            network, including wireless                             or theft of information that has been                    (i) Valid encryption processes for data
                                            transmission, whether by e-mail or                      redacted appropriately may not require                at rest are consistent with NIST Special
                                            structured electronic interchange, while                notification under these rules either                 Publication 800–111, Guide to Storage
                                            ‘‘data at rest’’ includes data that resides             because the information is not protected              Encryption Technologies for End User
                                            in databases, file systems, flash drives,               health information (as in the case of de-             Devices.3 4
                                            memory, and any other structured                        identified information) or because the
                                            storage method. ‘‘Data in use’’ includes                unredacted information does not                          (ii) Valid encryption processes for
                                            data in the process of being created,                   compromise the security or privacy of                 data in motion are those which comply,
                                            retrieved, updated, or deleted, and ‘‘data              the information and thus, does not                    as appropriate, with NIST Special
                                            disposed’’ includes discarded paper                     constitute a breach as described in                   Publications 800–52, Guidelines for the
                                            records or recycled electronic media.                   Section IV below.                                     Selection and Use of Transport Layer
                                               Additionally, many commenters                           In response to comments received, we               Security (TLS) Implementations; 800–
                                            suggested that access controls be                       also make two additional clarifications               77, Guide to IPsec VPNs; or 800–113,
                                            included in the guidance as a method                    in the guidance. First, for purposes of               Guide to SSL VPNs, or others which are
                                            for rendering protected health                          the guidance below and ensuring                       Federal Information Processing
                                            information unusable, unreadable, or                    encryption keys are not breached, we                  Standards (FIPS) 140–2 validated.5
erowe on DSK5CLS3C1PROD with RULES_2




                                            indecipherable to unauthorized                          clarify that covered entities and
                                            individuals. We recognize that access                   business associates should keep                         2 45 CFR 164.304, definition of ‘‘encryption.’’
                                                                                                                                                            3 NIST  Roadmap plans include the development
                                            controls, as well as other security                     encryption keys on a separate device
                                                                                                                                                          of security guidelines for enterprise-level storage
                                            methods such as firewalls, are important                from the data that they encrypt or                    devices, and such guidelines will be considered in
                                            tools for safeguarding protected health                 decrypt. Second, we also include in the               updates to this guidance, when available.
                                            information. While we believe access                    guidance below a note regarding                         4 Available at http://www.csrc.nist.gov/.

                                            controls may render information                         roadmap guidance activities on the part                 5 Available at http://www.csrc.nist.gov/.




                                       VerDate Nov<24>2008   15:01 Aug 21, 2009   Jkt 217001   PO 00000   Frm 00004   Fmt 4701   Sfmt 4700   E:FRFM24AUR2.SGM   24AUR2
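The key-separation requirement in item (a) above, as an added example that is not part of the rule or of any NIST publication: a Go program in which the data store holds only ciphertext and a key identifier while the keys live in a separate key store, so that a copy of the stored records taken without the key store yields nothing usable. It assumes AES-256-GCM as the encryption process (AES is a FIPS-approved algorithm; the choice is illustrative and is not a statement of what NIST SP 800–111 requires), and the KeyStore, EncryptedRecord, EncryptPHI and DecryptPHI names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedRecord is all the data store (database, laptop, backup media)
// holds for one PHI record: a key identifier, a nonce and the ciphertext.
// The key itself never sits beside the data.
type EncryptedRecord struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore stands in for the separate device or location where the keys are
// kept (an HSM, a key-management service, or simply another host). It is a
// hypothetical in-memory abstraction for this example only.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: make(map[string][]byte)}
}

// Generate creates a fresh random 256-bit AES key under the given identifier.
func (ks *KeyStore) Generate(id string) error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	ks.keys[id] = key
	return nil
}

// aead builds an AES-GCM instance for a key this store holds, or fails if the
// key is absent (the position of anyone holding only the data store).
func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	key, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key not available in this key store: " + id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals a plaintext record under the named key. The key identifier
// is bound as associated data so a record cannot be silently re-labelled.
func EncryptPHI(ks *KeyStore, keyID string, plaintext []byte) (EncryptedRecord, error) {
	gcm, err := ks.aead(keyID)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	return EncryptedRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPHI recovers the plaintext only when this key store holds the
// referenced key; GCM's authentication tag also rejects altered ciphertext.
func DecryptPHI(ks *KeyStore, rec EncryptedRecord) ([]byte, error) {
	gcm, err := ks.aead(rec.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}

func main() {
	keys := NewKeyStore() // the separate device of item (a)
	if err := keys.Generate("phi-key-2009-08"); err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	rec, err := EncryptPHI(keys, "phi-key-2009-08", []byte("MRN 000123; dx: sample"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: key=%s ciphertext=%x\n", rec.KeyID, rec.Ciphertext)

	// A copy of the data store taken without the key store: nothing usable.
	if _, err := DecryptPHI(NewKeyStore(), rec); err != nil {
		fmt.Println("without the key store:", err)
	}
	pt, err := DecryptPHI(keys, rec)
	fmt.Printf("with the key store: %q (err=%v)\n", pt, err)
}
```

Run stand-alone, main encrypts a constructed sample record, shows that a second key store holding no key cannot open it, and that a modified ciphertext is rejected by the GCM tag. The design point matches item (a): what makes the lost record "secured" is the combination of a tested encryption process and a key that was never on the lost device; if the key store itself is compromised, item (a) no longer applies and the records are unsecured PHI.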
(b) The media on which the PHI is stored or recorded have been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.

(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization,[6] such that the PHI cannot be retrieved.

III. Overview of Interim Final Rule

We are adding a new subpart D to part 164 of title 45 of the Code of Federal Regulations (CFR) to implement the breach notification provisions in section 13402 of the Act. These provisions apply to HIPAA covered entities and their business associates and set forth the requirements for notification to affected individuals, the media, and the Secretary of HHS following a breach of unsecured protected health information. In drafting this interim final regulation, we considered the public comments received in response to the RFI described above.

In addition, we consulted closely with the FTC in the development of these regulations. Commenters in response to both the RFI as well as the FTC's notice of proposed rulemaking urged HHS and the FTC to work together to ensure that the regulated entities know with which rule they must comply and that those entities that are subject to both rules because they may operate in different roles are not subject to two completely different and inconsistent regulatory schemes. In addition, commenters were concerned that individuals could receive multiple notices of the same breach if the HHS and the FTC regulations overlapped. Thus, HHS coordinated with the FTC to ensure these issues were addressed in the respective rulemakings. First, the rules make clear that entities operating as HIPAA covered entities and business associates are subject to HHS', and not the FTC's, breach notification rule. Second, in those limited cases where an entity may be subject to both HHS' and the FTC's rules, such as a vendor that offers PHRs to customers of a HIPAA covered entity as a business associate and also offers PHRs directly to the public, we worked with the FTC to ensure both sets of regulations were harmonized by including the same or similar requirements, within the constraints of the statutory language. See Section IV.F. below for a more detailed discussion and an example of our harmonization efforts.

IV. Section-by-Section Description of Interim Final Rule

The following discussion describes the provisions of the interim final rule section by section. Those interested in commenting on the interim final rule can assist the Department by preceding discussion of any particular provision or topic with a citation to the section of the interim final rule being discussed.

A. Applicability—Section 164.400

Section 164.400 of the interim final rule provides that this breach notification rule is applicable to breaches occurring on or after 30 days from the date of publication of this interim final rule. See Section IV.K. Effective/Compliance Date of this rule for further discussion.

B. Definitions—Section 164.402

Section 164.402 of the interim final rule adopts definitions for the terms "breach" and "unsecured protected health information."

1. Breach

Section 13402 of the Act and this interim final rule require covered entities and business associates to provide notification following a breach of unsecured protected health information. Section 13400(1)(A) of the Act defines "breach" as the "unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information." Section 13400(1)(B) of the Act provides several exceptions to the definition of "breach." Based on section 13400(1)(A), we have defined "breach" at § 164.402 of the interim final rule as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information." We have added paragraph (1) to the definition to clarify when the security or privacy of information is considered to be compromised. Paragraph (2) of the definition then includes the statutory exceptions, including the exception within section 13400(1)(A) that refers to whether the recipient would reasonably have been able to retain the information.

Protected Health Information

We note that the definition of "breach" is limited to protected health information. With respect to a covered entity or business associate of a covered entity, protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, including electronic information. 45 CFR 160.103. If information is de-identified in accordance with 45 CFR 164.514(b), it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart. Additionally, § 160.103 excludes certain types of individually identifiable health information from the definition of "protected health information," such as employment records held by a covered entity in its role as employer. If individually identifiable health information that is not protected health information is used or disclosed in an unauthorized manner, it would not qualify as a breach for purposes of this subpart—although the covered entity should consider whether it has notification requirements under other laws. Further, we note that although the definition of "breach" applies to protected health information generally, covered entities and business associates are required to provide the breach notifications required by the Act and this interim final rule (discussed below) only upon a breach of unsecured protected health information. See also Section II of this document for a list of the technologies and methodologies that render protected health information secure such that notification is not required in the event of a breach.

Unauthorized Acquisition, Access, Use, or Disclosure

The statute defines a "breach" as the "unauthorized" acquisition, access, use, or disclosure of protected health information. Several commenters asked that we define "unauthorized" or that we clarify its meaning. We clarify that "unauthorized" is an impermissible use or disclosure of protected health information under the HIPAA Privacy Rule (subpart E of 45 CFR part 164). Accordingly, the definition of "breach" at § 160.402 of the interim final rule interprets the "unauthorized acquisition, access, use, or disclosure of protected health information" as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part." We emphasize that not all violations of the Privacy Rule will be

[6] Available at http://www.csrc.nist.gov/.
breaches under this subpart, and therefore, covered entities and business associates need not provide breach notification in all cases of impermissible uses and disclosures. We also note that the HIPAA Security Rule provides for administrative, physical, and technical safeguards and organizational requirements for electronic protected health information, but does not govern uses and disclosures of protected health information. Accordingly, a violation of the Security Rule does not itself constitute a potential breach under this subpart, although such a violation may lead to a use or disclosure of protected health information that is not permitted under the Privacy Rule and thus, may potentially be a breach under this subpart.

The Act does not define the terms "acquisition" and "access." Several commenters asked that we define or identify the differences between acquisition, access, use, and disclosure of protected health information, for purposes of the definition of "breach." We interpret "acquisition" and "access" to information based on their plain meanings and believe that both terms are encompassed within the current definitions of "use" and "disclosure" in the HIPAA Rules. Accordingly, we have not added separate definitions for these

45 CFR 164.502(a)(1)(iii) and, therefore, would not qualify as a potential breach. Finally, violations of administrative requirements, such as a lack of reasonable safeguards or a lack of training, do not themselves qualify as potential breaches under this subpart (although such violations certainly may lead to impermissible uses or disclosures that qualify as breaches).

Compromises the Security or Privacy of Protected Health Information

The Act and regulation next limit the definition of "breach" to a use or disclosure that "compromises the security or privacy" of the protected health information. Accordingly, once it is established that a use or disclosure violates the Privacy Rule, the covered entity must determine whether the violation compromises the security or privacy of the protected health information.

For the purposes of the definition of "breach," many commenters suggested that we add a harm threshold such that an unauthorized use or disclosure of protected health information is considered a breach only if the use or disclosure poses some harm to the individual. These commenters noted that the "compromises the security or privacy" language in section

existing obligations on Federal agencies (some of which also must comply with these rules as HIPAA covered entities) pursuant to OMB Memorandum M–07–16 to have in place breach notification policies for personally identifiable information that take into account the likely risk of harm caused by a breach in determining whether breach notification is required. Thus, to determine if an impermissible use or disclosure of protected health information constitutes a breach, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates may need to consider a number or combination of factors, some of which are described below.[7]

Covered entities and business associates should consider who impermissibly used or to whom the information was impermissibly disclosed when evaluating the risk of harm to individuals. If, for example, protected health information is impermissibly disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency that is obligated to comply with
                                            terms. We have retained the statutory                   13400(1)(A) of the Act contemplates that              the Privacy Act of 1974 (5 U.S.C. 552a)
                                            terms in the regulation in order to                     covered entities will perform some type               and the Federal Information Security
                                            maintain consistency with the statute.                  of risk assessment to determine if there              Management Act of 2002 (44 U.S.C.
                                            In addition, we note that while the                     is a risk of harm to the individual, and              3541 et seq.), there may be less risk of
                                            HIPAA Security Rule at § 164.304                        therefore, if a breach has occurred.                  harm to the individual, since the
                                            includes a definition of the term                       Commenters urged that the addition of                 recipient entity is obligated to protect
                                            ‘‘access,’’ such definition is limited to               a harm threshold to the definition                    the privacy and security of the
                                            the ability to use ‘‘system resources’’                 would also align this regulation with                 information it received in the same or
                                            and not to access to information more                   many State breach notification laws that              similar manner as the entity that
                                            generally and thus, we have revised that                require entities to reach similar harm                disclosed the information. In contrast, if
                                            definition to make clear that it does not               thresholds before providing notification.             protected health information is
                                            apply for purposes of these breach                      Finally, some commenters noted that                   impermissibly disclosed to any entity or
                                            notification rules.                                     failure to include a harm threshold for               person that does not have similar
                                               For an acquisition, access, use, or                  requiring breach notification may                     obligations to maintain the privacy and
                                            disclosure of protected health                          diminish the impact of notifications                  security of the information, the risk of
                                            information to constitute a breach, it                  received by individuals, as individuals               harm to the individual is much greater.
                                            must constitute a violation of the                      may be flooded with notifications for                    We expect that there may be
                                            Privacy Rule. Therefore, one of the first               breaches that pose no threat to the                   circumstances where a covered entity
                                            steps in determining whether                            security or privacy of their protected                takes immediate steps to mitigate an
                                            notification is necessary under this                    health information or, alternatively, may             impermissible use or disclosure, such as
                                            subpart is to determine whether a use or                cause unwarranted panic in individuals,               by obtaining the recipient’s satisfactory
                                            disclosure violates the Privacy Rule. We                and the expenditure of undue costs and                assurances that the information will not
                                            note that uses or disclosures that                      other resources by individuals in                     be further used or disclosed (through a
                                            impermissibly involve more than the                     remedial action.                                      confidentiality agreement or similar
                                            minimum necessary information, in                          We agree that the statutory language               means) or will be destroyed. If such
                                            violation of §§ 164.502(b) and                          encompasses a harm threshold and have                 steps eliminate or reduce the risk of
                                            164.514(d), may qualify as breaches                     clarified in paragraph (1) of the                     harm to the individual to a less than
                                            under this subpart. In contrast, a use or               definition that ‘‘compromises the                     ‘‘significant risk,’’ then we interpret that
erowe on DSK5CLS3C1PROD with RULES_2




                                            disclosure of protected health                          security or privacy of the protected                  the security and privacy of the
                                            information that is incident to an                      health information’’ means ‘‘poses a
                                            otherwise permissible use or disclosure                 significant risk of financial,                          7 Covered entities may also wish to review OMB

                                            and occurs despite reasonable                           reputational, or other harm to the                    Memorandum M–07–16 for examples of the types
                                                                                                                                                          of factors that may need to be taken into account
                                            safeguards and proper minimum                           individual.’’ This ensures better                     in determining whether an impermissible use or
                                            necessary procedures would not be a                     consistency and alignment with State                  disclosure presents a significant risk of harm to the
                                            violation of the Privacy Rule pursuant to               breach notification laws, as well as                  individual.



                                       VerDate Nov<24>2008   15:01 Aug 21, 2009   Jkt 217001   PO 00000   Frm 00006   Fmt 4701   Sfmt 4700   E:FRFM24AUR2.SGM   24AUR2
Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations                                            42745

                                            information has not been compromised                    harm—especially in light of fears about                 identification, these commenters stated
                                            and, therefore, no breach has occurred.                 employment discrimination.                              that creating a limited data set was not
                                               In addition, there may be                               We also address impermissible uses                   comparable to encrypting information,
                                                                                                    and disclosures involving limited data                  and therefore, should not be included as
                                            circumstances where impermissibly
                                                                                                    sets (as the term is used at 45 CFR                     a method to render protected health
                                            disclosed protected health information
                                                                                                    164.514(e) of the Privacy Rule), in                     information unusable, unreadable, or
                                            is returned prior to it being accessed for
                                                                                                    paragraph (1) of the definition of                      indecipherable to unauthorized
                                            an improper purpose. For example, if a                  ‘‘breach’’ at § 164.402 of the interim                  individuals.
                                            laptop is lost or stolen and then                       final rule. In the RFI discussed above,                    The majority of commenters,
                                            recovered, and a forensic analysis of the               we asked for public comment on                          however, did support the inclusion of
                                            computer shows that its information                     whether limited data sets should be                     the limited data set in the guidance.
                                            was not opened, altered, transferred, or                considered unusable, unreadable, or                     These commenters stated that it would
                                            otherwise compromised, such a breach                    indecipherable and included as a                        be impractical to require covered
                                            may not pose a significant risk of harm                 methodology in the guidance. A limited                  entities and business associates to notify
                                            to the individuals whose information                    data set is created by removing the 16                  individuals of a breach of information
                                            was on the laptop. Note, however, that                  direct identifiers listed in                            within a limited data set because, by
                                            if a computer is lost or stolen, we do not              § 164.514(e)(2) from the protected health               definition, such information excludes
                                            consider it reasonable to delay breach                  information.9 These direct identifiers                  the very identifiers that would enable
                                            notification based on the hope that the                 include the name, address, social                       covered entities and business associates,
                                            computer will be recovered.                             security number, and account number of                  without undue burden, to identify the
                                               In performing a risk assessment,                     an individual or the individual’s                       affected individuals and comply with
                                            covered entities and business associates                relative, employer, or household                        the breach notification requirements.
                                            should also consider the type and                       member. When these 16 direct                            Additionally, these commenters cited
                                            amount of protected health information                  identifiers are removed from the                        contractual concerns regarding the data
                                            involved in the impermissible use or                    protected health information, the                       use agreement, which prohibits the
                                            disclosure. If the nature of the protected              information is not completely de-                       recipient of a limited data set from re-
                                            health information does not pose a                      identified pursuant to 45 CFR                           identifying the information and
                                            significant risk of financial,                          164.514(b). In particular, the elements of              therefore, may pose problems with
                                            reputational, or other harm, then the                   dates, such as dates of birth, and zip                  complying with the notification
                                            violation is not a breach. For example,                 codes, are allowed to remain within the                 requirements of section 13402(b) of the
                                            if a covered entity improperly discloses                limited data set, which increase the                    Act.
                                                                                                    potential for re-identification of the                     These commenters also noted that the
                                            protected health information that
                                                                                                    information. Because there is a risk of                 decision to exclude the limited data set
                                            merely included the name of an
                                                                                                    re-identification of the information                    from the guidance, such that a breach of
                                            individual and the fact that he received
                                                                                                    within a limited data set, the Privacy                  a limited data set would require breach
                                            services from a hospital, then this
                                                                                                    Rule treats this information as protected               notification, would reduce the
                                            would constitute a violation of the
                                                                                                    health information that may only be                     likelihood that covered entities would
                                            Privacy Rule, but it may not constitute                                                                         continue to create and share limited
                                                                                                    used or disclosed as permitted by the
                                            a significant risk of financial or                                                                              data sets. This, in turn, would have a
                                                                                                    Privacy Rule.
                                            reputational harm to the individual. In                    Several commenters suggested that                    chilling effect on the research and
                                            contrast, if the information indicates the              the limited data set should not be                      public health communities, which rely
                                            type of services that the individual                    included in the guidance as a method to                 on receiving information from covered
                                            received (such as oncology services),                   render protected health information                     entities in limited data set form.
                                            that the individual received services                   unusable, unreadable, or indecipherable                    Finally, commenters noted that the
                                            from a specialized facility (such as a                  to unauthorized individuals such that                   removal of the 16 direct identifiers in
                                            substance abuse treatment program 8), or                breach notification is not required.                    the limited data set presents a minimal
                                            if the protected health information                     These commenters cited concerns about                   risk of serious harm to the individual by
                                            includes information that increases the                 the risk of re-identification of protected              limiting the possibility that the
                                            risk of identity theft (such as a social                health information in a limited data set                information could be used for an illicit
                                            security number, account number, or                     and noted that, as more data exists in                  purpose if breached. These commenters
                                            mother’s maiden name), then there is a                  electronic form and as more data                        also suggested that the inclusion of the
                                            higher likelihood that the impermissible                becomes public, it will be easier to                    limited data set in the guidance would
                                            use or disclosure compromised the                       combine these various sources to re-                    align with most state breach notification
                                            security and privacy of the information.                establish the identity of the individual.               laws, which, as a general matter, only
                                            The risk assessment should be fact                      Furthermore, due to the risk of re-                     require notification when certain
                                            specific, and the covered entity or                                                                             identifiers are exposed and when there
                                            business associate should keep in mind                     9 A limited data set is protected health             is a likelihood that the breach will result
                                            that many forms of health information,                  information that excludes the following direct          in harm to the individual.
                                                                                                    identifiers of the individual or of relatives,
                                            not just information about sexually                     employers, or household members of the
                                                                                                                                                               We also asked commenters if they
                                            transmitted diseases or mental health,                  individual: (1) Names; (2) postal address               believed that the removal of an
                                            should be considered sensitive for                      information, other than town or city, State, and zip    individual’s date of birth or zip code, in
                                            purposes of the risk of reputational                    code; (3) telephone numbers; (4) fax numbers; (5)       addition to the 16 direct identifiers in
                                                                                                    e-mail addresses; (6) social security numbers; (7)
erowe on DSK5CLS3C1PROD with RULES_2




                                                                                                    medical record numbers; (8) health plan beneficiary
                                                                                                                                                            45 CFR 164.514(e)(2), would reduce the
                                               8 Note that an impermissible disclosure that         numbers; (9) account numbers; (10) certificate/         risk of re-identification of the
                                            indicates that an individual has received services      license plate numbers; (11) vehicle identifiers and     information such that it could be
                                            from a substance abuse treatment program may also       serial numbers; (12) device identifiers and serial      included in the guidance. Several
                                            constitute a violation of 42 U.S.C. 290dd–2 and the     numbers; (13) Web URLs; (14) Internet Protocol (IP)
                                            implementing regulations at 42 CFR part 2. These        address numbers; (15) biometric identifiers,
                                                                                                                                                            commenters responded to this question.
                                            provisions require the confidentiality of substance     including finger and voice prints; and (16) full face   While some stated that the removal of
                                            abuse patient records.                                  photographic images and any comparable images.          these data elements would render the


                                       VerDate Nov<24>2008   15:01 Aug 21, 2009   Jkt 217001   PO 00000   Frm 00007   Fmt 4701   Sfmt 4700   E:FRFM24AUR2.SGM   24AUR2
In addition, in some cases, the following methods (please do not for Economic and Clinical Health the Act requires covered entities to submit duplicate comments): (HITECH) Act, Title XIII of Division A provide notification to the media of • Federal eRulemaking Portal: http:// and Title IV of Division B of the breaches. In the case of a breach of www.regulations.gov. Follow the American Recovery and Reinvestment unsecured protected health information instructions for submitting comments. Act of 2009 (ARRA) (Pub. L. 111–5), was at or by a business associate of a covered Attachments should be in Microsoft enacted on February 17, 2009. Subtitle entity, the Act requires the business erowe on DSK5CLS3C1PROD with RULES_2 Word, WordPerfect, or Excel; however, D of Division A of the HITECH Act (the associate to notify the covered entity of we prefer Microsoft Word. Act), entitled ‘‘Privacy,’’ among other the breach. Finally, the Act requires the • Regular, Express, or Overnight Mail: provisions, requires the Department of Secretary to post on an HHS Web site U.S. Department of Health and Human Health and Human Services (HHS or the a list of covered entities that experience Services, Office for Civil Rights, Department) to issue interim final breaches of unsecured protected health Attention: HITECH Breach Notification, regulations for breach notification by information involving more than 500 Hubert H. Humphrey Building, Room covered entities subject to the individuals. VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 E:FRFM24AUR2.SGM 24AUR2
  • 3. Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations 42741 Section 13400(1) of the Act defines discovery of a breach of security of ‘‘unsecured protected health ‘‘breach’’ to mean, generally, the unsecured PHR identifiable health information’’ as ‘‘protected health unauthorized acquisition, access, use, or information.1 As with the definition of information that is not secured through disclosure of protected health ‘‘unsecured protected health the use of a technology or methodology information which compromises the information,’’ the provisions at section specified by the Secretary in guidance’’ security or privacy of such information. 13407(f)(3) define ‘‘unsecured PHR and requires the Secretary to specify in The Act provides exceptions to this identifiable health information’’ as PHR the guidance the technologies and definition to encompass disclosures identifiable health information that is methodologies that render protected where the recipient of the information not protected through the use of a health information unusable, would not reasonably have been able to technology or methodology specified by unreadable, or indecipherable to retain the information, certain the Secretary of HHS in guidance. Thus, unauthorized individuals. As required unintentional acquisition, access, or use entities subject to the FTC breach by the Act, this guidance was issued on of information by employees or persons notification rules must also use the April 17, 2009, and later published in acting under the authority of a covered Secretary’s guidance to determine the Federal Register on April 27, 2009 entity or business associate, as well as whether the information subject to a (74 FR 19006). The guidance specified certain inadvertent disclosures among breach was ‘‘unsecured’’ and, therefore, encryption and destruction as the persons similarly authorized to access whether breach notification is required. 
technologies and methodologies for protected health information at a When HHS issued the guidance, HHS rendering protected health information, business associate or covered entity. also published in the same document a as well as PHR identifiable health Further, section 13402(h) of the Act request for information (RFI), inviting information under section 13407 of the defines ‘‘unsecured protected health public comment both on the guidance Act and the FTC’s implementing information’’ as ‘‘protected health itself, as well as on the breach regulation, unusable, unreadable, or information that is not secured through provisions of section 13402 of the Act indecipherable to unauthorized the use of a technology or methodology generally. After considering the public individuals such that breach specified by the Secretary in guidance’’ comment, we are issuing an updated notification is not required. The RFI and provides that the guidance specify version of the guidance in Section II asked for general comment on this the technologies and methodologies that below. In addition, we discuss public guidance as well as for specific render protected health information comment received on the Act’s breach comment on the technologies and unusable, unreadable, or indecipherable notification provisions where relevant methodologies to render protected to unauthorized individuals. Covered below in the section-by-section health information unusable, entities and business associates that description of the interim final rule. unreadable, or indecipherable to implement the specified technologies We have concluded that we have good unauthorized individuals. and methodologies with respect to cause, under 5 U.S.C. 
553(b)(B), to Many commenters expressed concern protected health information are not waive the notice-and-comment and confusion regarding the purpose of required to provide notifications in the requirements of the Administrative the guidance and its impact on a event of a breach of such information— Procedure Act and to proceed with this covered entity’s responsibilities under that is, the information is not interim final rule. Section 13402(j) the HIPAA Security Rule (45 CFR part considered ‘‘unsecured’’ in such cases. explicitly required us to issue these 164, subparts A and C). We emphasize As required by the Act, the Secretary regulations as ‘‘interim final that this guidance does nothing to initially issued this guidance on April regulations’’ and to do so within 180 modify a covered entity’s 17, 2009 (it was subsequently published days. Based on this statutory directive responsibilities with respect to the in the Federal Register at 74 FR 19006 and limited time frame, we concluded Security Rule nor does it impose any on April 27, 2009). The guidance listed that notice-and-comment rulemaking new requirements upon covered entities and described encryption and was impracticable and contrary to to encrypt all protected health destruction as the two technologies and public policy. Nevertheless, we sought information. The Security Rule requires methodologies for rendering protected comments in the RFI referenced above covered entities to safeguard electronic health information unusable, and considered those comments when protected health information and unreadable, or indecipherable to drafting this rule. In addition, we permits covered entities to use any unauthorized individuals. 
provide the public with a 60-day period security measures that allow them to In cases in which notification is following publication of this document reasonably and appropriately required, the Act at section 13402 to submit comments on the interim final implement all safeguard requirements. prescribes the timeliness, content, and rule. Under 45 CFR 164.312(a)(2)(iv) and methods of providing the breach (e)(2)(ii), a covered entity must consider II. Guidance Specifying the notifications. We discuss these and the implementing encryption as a method Technologies and Methodologies That above statutory provisions in more for safeguarding electronic protected Render Protected Health Information detail below where we describe section- health information; however, because Unusable, Unreadable, or by-section how these new regulations these are addressable implementation implement the breach notification Indecipherable to Unauthorized specifications, a covered entity may be provisions at section 13402 of the Act. Individuals in compliance with the Security Rule In addition to the breach notification A. Background even if it reasonably decides not to provisions for HIPAA covered entities As discussed above, section 13402 of encrypt electronic protected health and business associates at section the Act requires breach notification information and instead uses a erowe on DSK5CLS3C1PROD with RULES_2 13402, section 13407 of the Act, which following the discovery of a breach of comparable method to safeguard the is to be implemented and enforced by unsecured protected health information. information. 
the Federal Trade Commission (FTC), Section 13402(h) of the Act defines Therefore, if a covered entity chooses imposes similar breach notification to encrypt protected health information requirements upon vendors of personal 1 The FTC issued a notice of proposed rulemaking to comply with the Security Rule, does health records (PHRs) and their third to implement section 13407 of the Act on April 20, so pursuant to this guidance, and party service providers following the 2009 (74 FR 17914). subsequently discovers a breach of that VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 E:FRFM24AUR2.SGM 24AUR2
  • 4. 42742 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations encrypted information, the covered inaccessible to unauthorized of the NIST pertaining to data storage on entity will not be required to provide individuals, we do not believe that enterprise-level storage devices, such as breach notification because the access controls meet the statutory RAID (redundant array of inexpensive information is not considered standard of rendering protected health disks), or SAN (storage-attached ‘‘unsecured protected health information unusable, unreadable, or network) systems. information’’ as it has been rendered indecipherable to unauthorized For ease of reference, we have unusable, unreadable, or indecipherable individuals. If access controls are published this updated guidance in this to unauthorized individuals. On the compromised, the underlying document below; however, it will also other hand, if a covered entity has information may still be usable, be available on the HHS Web site at decided to use a method other than readable, or decipherable to an http://www.hhs.gov/ocr/privacy/. Any encryption or an encryption algorithm unauthorized individual, and thus, further comments regarding this that is not specified in this guidance to constitute unsecured protected health guidance received in response to the safeguard protected health information, information for which breach interim final rule will be addressed in then although that covered entity may notification is required. Therefore, we the first annual update to the guidance, be in compliance with the Security have not included access controls in the to be issued in April 2010. Rule, following a breach of this guidance; however, we do emphasize information, the covered entity would the benefit of strong access controls, B. 
Guidance Specifying the have to provide breach notification to which may function to prevent breaches Technologies and Methodologies that affected individuals. For example, a of unsecured protected health Render Protected Health Information covered entity that has a large database information from occurring in the first Unusable, Unreadable, or of protected health information may place. Indecipherable to Unauthorized choose, based on their risk assessment Other commenters suggested that the Individuals under the Security Rule, to rely on guidance include redaction of paper firewalls and other access controls to records as an alternative to destruction. Protected health information (PHI) is make the information inaccessible, as Because redaction is not a standardized rendered unusable, unreadable, or opposed to encrypting the information. methodology with proven capabilities to indecipherable to unauthorized While the Security Rule permits the use destroy or render the underlying individuals if one or more of the of firewalls and access controls as information unusable, unreadable or following applies: reasonable and appropriate safeguards, a indecipherable, we do not believe that (a) Electronic PHI has been encrypted covered entity that seeks to ensure redaction is an accepted alternative as specified in the HIPAA Security Rule breach notification is not required in the method to secure paper-based protected by ‘‘the use of an algorithmic process to event of a breach of the information in health information. Therefore, we have transform data into a form in which the database would need to encrypt the clarified in this guidance that only there is a low probability of assigning information pursuant to the guidance. 
destruction of paper protected health meaning without use of a confidential We also received several comments information, and not redaction, will process or key’’ 2 and such confidential asking for clarification and additional satisfy the requirements to relieve a process or key that might enable detail regarding the forms of covered entity or business associate decryption has not been breached. To information and the specific devices from breach notification. We note, avoid a breach of the confidential and protocols described in the guidance. however, that covered entities and process or key, these decryption tools As a result, we provide clarification business associates may continue to should be stored on a device or at a regarding the forms of information create limited data sets or de-identify location separate from the data they are addressed in the National Institute of protected health information through used to encrypt or decrypt. The Standards and Technology (NIST) redaction if the removal of identifiers encryption processes identified below publications referenced in the guidance. results in the information satisfying the have been tested by the National We clarify that ‘‘data in motion’’ criteria of 45 CFR 164.514(e)(2) or Institute of Standards and Technology includes data that is moving through a 164.514(b), respectively. Further, a loss (NIST) and judged to meet this standard. 
network, including wireless or theft of information that has been (i) Valid encryption processes for data transmission, whether by e-mail or redacted appropriately may not require at rest are consistent with NIST Special structured electronic interchange, while notification under these rules either Publication 800–111, Guide to Storage ‘‘data at rest’’ includes data that resides because the information is not protected Encryption Technologies for End User in databases, file systems, flash drives, health information (as in the case of de- Devices.3 4 memory, and any other structured identified information) or because the storage method. ‘‘Data in use’’ includes unredacted information does not (ii) Valid encryption processes for data in the process of being created, compromise the security or privacy of data in motion are those which comply, retrieved, updated, or deleted, and ‘‘data the information and thus, does not as appropriate, with NIST Special disposed’’ includes discarded paper constitute a breach as described in Publications 800–52, Guidelines for the records or recycled electronic media. Section IV below. Selection and Use of Transport Layer Additionally, many commenters In response to comments received, we Security (TLS) Implementations; 800– suggested that access controls be also make two additional clarifications 77, Guide to IPsec VPNs; or 800–113, included in the guidance as a method in the guidance. First, for purposes of Guide to SSL VPNs, or others which are for rendering protected health the guidance below and ensuring Federal Information Processing information unusable, unreadable, or encryption keys are not breached, we Standards (FIPS) 140–2 validated.5 erowe on DSK5CLS3C1PROD with RULES_2 indecipherable to unauthorized clarify that covered entities and individuals. 
We recognize that access business associates should keep 2 45 CFR 164.304, definition of ‘‘encryption.’’ 3 NIST Roadmap plans include the development controls, as well as other security encryption keys on a separate device of security guidelines for enterprise-level storage methods such as firewalls, are important from the data that they encrypt or devices, and such guidelines will be considered in tools for safeguarding protected health decrypt. Second, we also include in the updates to this guidance, when available. information. While we believe access guidance below a note regarding 4 Available at http://www.csrc.nist.gov/. controls may render information roadmap guidance activities on the part 5 Available at http://www.csrc.nist.gov/. VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 E:FRFM24AUR2.SGM 24AUR2
  • 5. Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations 42743 (b) The media on which the PHI is detailed discussion and an example of Protected Health Information stored or recorded have been destroyed our harmonization efforts. We note that the definition of in one of the following ways: ‘‘breach’’ is limited to protected health (i) Paper, film, or other hard copy IV. Section-by-Section Description of Interim Final Rule information. With respect to a covered media have been shredded or destroyed entity or business associate of a covered such that the PHI cannot be read or The following discussion describes entity, protected health information is otherwise cannot be reconstructed. the provisions of the interim final rule individually identifiable health Redaction is specifically excluded as a section by section. Those interested in information that is transmitted or means of data destruction. (ii) Electronic media have been commenting on the interim final rule maintained in any form or medium, cleared, purged, or destroyed consistent can assist the Department by preceding including electronic information. 45 with NIST Special Publication 800–88, discussion of any particular provision or CFR 160.103. If information is de- Guidelines for Media Sanitization,6 such topic with a citation to the section of the identified in accordance with 45 CFR that the PHI cannot be retrieved. interim final rule being discussed. 164.514(b), it is not protected health information, and thus, any inadvertent III. Overview of Interim Final Rule A. Applicability—Section 164.400 or unauthorized use or disclosure of We are adding a new subpart D to part Section 164.400 of the interim final such information will not be considered 164 of title 45 of the Code of Federal a breach for purposes of this subpart. 
rule provides that this breach Regulations (CFR) to implement the Additionally, § 160.103 excludes certain notification rule is applicable to breach notification provisions in section types of individually identifiable health breaches occurring on or after 30 days 13402 of the Act. These provisions information from the definition of from the date of publication of this apply to HIPAA covered entities and ‘‘protected health information,’’ such as interim final rule. See Section IV.K. their business associates and set forth employment records held by a covered Effective/Compliance Date of this rule entity in its role as employer. If the requirements for notification to for further discussion. individually identifiable health affected individuals, the media, and the Secretary of HHS following a breach of B. Definitions—Section 164.402 information that is not protected health unsecured protected health information. information is used or disclosed in an In drafting this interim final regulation, Section 164.402 of the interim final unauthorized manner, it would not we considered the public comments rule adopts definitions for the terms qualify as a breach for purposes of this received in response to the RFI ‘‘breach’’ and ‘‘unsecured protected subpart—although the covered entity described above. health information.’’ should consider whether it has In addition, we consulted closely with notification requirements under other the FTC in the development of these 1. Breach laws. Further, we note that although the regulations. 
Commenters in response to Section 13402 of the Act and this definition of ‘‘breach’’ applies to both the RFI as well as the FTC’s notice interim final rule require covered protected health information generally, of proposed rulemaking urged HHS and entities and business associates to covered entities and business associates the FTC to work together to ensure that provide notification following a breach are required to provide the breach the regulated entities know with which of unsecured protected health notifications required by the Act and rule they must comply and that those information. Section 13400(1)(A) of the this interim final rule (discussed below) entities that are subject to both rules Act defines ‘‘breach’’ as the only upon a breach of unsecured because they may operate in different protected health information. See also ‘‘unauthorized acquisition, access, use, roles are not subject to two completely Section II of this document for a list of or disclosure of protected health different and inconsistent regulatory the technologies and methodologies that information which compromises the schemes. In addition, commenters were render protected health information security or privacy of the protected concerned that individuals could secure such that notification is not health information, except where an receive multiple notices of the same required in the event of a breach. breach if the HHS and the FTC unauthorized person to whom such regulations overlapped. Thus, HHS information is disclosed would not Unauthorized Acquisition, Access, Use, coordinated with the FTC to ensure reasonably have been able to retain such or Disclosure these issues were addressed in the information.’’ Section 13400(1)(B) of the The statute defines a ‘‘breach’’ as the respective rulemakings. 
First, the rules Act provides several exceptions to the ‘‘unauthorized’’ acquisition, access, use, make clear that entities operating as definition of ‘‘breach.’’ Based on section or disclosure of protected health HIPAA covered entities and business 13400(1)(A), we have defined ‘‘breach’’ information. Several commenters asked associates are subject to HHS’, and not at § 164.402 of the interim final rule as that we define ‘‘unauthorized’’ or that the FTC’s, breach notification rule. ‘‘the acquisition, access, use, or we clarify its meaning. We clarify that Second, in those limited cases where an disclosure of protected health ‘‘unauthorized’’ is an impermissible use entity may be subject to both HHS’ and information in a manner not permitted or disclosure of protected health the FTC’s rules, such as a vendor that under subpart E of this part which information under the HIPAA Privacy offers PHRs to customers of a HIPAA compromises the security or privacy of Rule (subpart E of 45 CFR part 164). covered entity as a business associate the protected health information.’’ We Accordingly, the definition of ‘‘breach’’ and also offers PHRs directly to the have added paragraph (1) to the at § 160.402 of the interim final rule public, we worked with the FTC to definition to clarify when the security or interprets the ‘‘unauthorized privacy of information is considered to erowe on DSK5CLS3C1PROD with RULES_2 ensure both sets of regulations were acquisition, access, use, or disclosure of harmonized by including the same or be compromised. Paragraph (2) of the protected health information’’ as ‘‘the similar requirements, within the definition then includes the statutory acquisition, access, use, or disclosure of constraints of the statutory language. exceptions, including the exception protected health information in a See Section IV.F. 
below for a more within section 13400(1)(A) that refers to manner not permitted under subpart E whether the recipient would reasonably of this part.’’ We emphasize that not all 6 Available at http://www.csrc.nist.gov/. have been able to retain the information. violations of the Privacy Rule will be VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 E:FRFM24AUR2.SGM 24AUR2
  • 6. 42744 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations breaches under this subpart, and 45 CFR 164.502(a)(1)(iii) and, therefore, existing obligations on Federal agencies therefore, covered entities and business would not qualify as a potential breach. (some of which also must comply with associates need not provide breach Finally, violations of administrative these rules as HIPAA covered entities) notification in all cases of impermissible requirements, such as a lack of pursuant to OMB Memorandum M–07– uses and disclosures. We also note that reasonable safeguards or a lack of 16 to have in place breach notification the HIPAA Security Rule provides for training, do not themselves qualify as policies for personally identifiable administrative, physical, and technical potential breaches under this subpart information that take into account the safeguards and organizational (although such violations certainly may likely risk of harm caused by a breach requirements for electronic protected lead to impermissible uses or in determining whether breach health information, but does not govern disclosures that qualify as breaches). notification is required. Thus, to uses and disclosures of protected health determine if an impermissible use or Compromises the Security or Privacy of information. 
Accordingly, a violation of the Security Rule does not itself constitute a potential breach under this subpart, although such a violation may lead to a use or disclosure of protected health information that is not permitted under the Privacy Rule and thus, may potentially be a breach under this subpart.

The Act does not define the terms "acquisition" and "access." Several commenters asked that we define or identify the differences between acquisition, access, use, and disclosure of protected health information, for purposes of the definition of "breach." We interpret "acquisition" and "access" to information based on their plain meanings and believe that both terms are encompassed within the current definitions of "use" and "disclosure" in the HIPAA Rules. Accordingly, we have not added separate definitions for these terms. We have retained the statutory terms in the regulation in order to maintain consistency with the statute. In addition, we note that while the HIPAA Security Rule at § 164.304 includes a definition of the term "access," such definition is limited to the ability to use "system resources" and not to access to information more generally and thus, we have revised that definition to make clear that it does not apply for purposes of these breach notification rules.

For an acquisition, access, use, or disclosure of protected health information to constitute a breach, it must constitute a violation of the Privacy Rule. Therefore, one of the first steps in determining whether notification is necessary under this subpart is to determine whether a use or disclosure violates the Privacy Rule. We note that uses or disclosures that impermissibly involve more than the minimum necessary information, in violation of §§ 164.502(b) and 164.514(d), may qualify as breaches under this subpart. In contrast, a use or disclosure of protected health information that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule pursuant to

Protected Health Information

The Act and regulation next limit the definition of "breach" to a use or disclosure that "compromises the security or privacy" of the protected health information. Accordingly, once it is established that a use or disclosure violates the Privacy Rule, the covered entity must determine whether the violation compromises the security or privacy of the protected health information.

For the purposes of the definition of "breach," many commenters suggested that we add a harm threshold such that an unauthorized use or disclosure of protected health information is considered a breach only if the use or disclosure poses some harm to the individual. These commenters noted that the "compromises the security or privacy" language in section 13400(1)(A) of the Act contemplates that covered entities will perform some type of risk assessment to determine if there is a risk of harm to the individual, and therefore, if a breach has occurred. Commenters urged that the addition of a harm threshold to the definition would also align this regulation with many State breach notification laws that require entities to reach similar harm thresholds before providing notification. Finally, some commenters noted that failure to include a harm threshold for requiring breach notification may diminish the impact of notifications received by individuals, as individuals may be flooded with notifications for breaches that pose no threat to the security or privacy of their protected health information or, alternatively, may cause unwarranted panic in individuals, and the expenditure of undue costs and other resources by individuals in remedial action.

We agree that the statutory language encompasses a harm threshold and have clarified in paragraph (1) of the definition that "compromises the security or privacy of the protected health information" means "poses a significant risk of financial, reputational, or other harm to the individual." This ensures better consistency and alignment with State breach notification laws, as well as

disclosure of protected health information constitutes a breach, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates may need to consider a number or combination of factors, some of which are described below.7

Covered entities and business associates should consider who impermissibly used or to whom the information was impermissibly disclosed when evaluating the risk of harm to individuals. If, for example, protected health information is impermissibly disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency that is obligated to comply with the Privacy Act of 1974 (5 U.S.C. 552a) and the Federal Information Security Management Act of 2002 (44 U.S.C. 3541 et seq.), there may be less risk of harm to the individual, since the recipient entity is obligated to protect the privacy and security of the information it received in the same or similar manner as the entity that disclosed the information. In contrast, if protected health information is impermissibly disclosed to any entity or person that does not have similar obligations to maintain the privacy and security of the information, the risk of harm to the individual is much greater.

We expect that there may be circumstances where a covered entity takes immediate steps to mitigate an impermissible use or disclosure, such as by obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. If such steps eliminate or reduce the risk of harm to the individual to a less than "significant risk," then we interpret that the security and privacy of the information has not been compromised and, therefore, no breach has occurred.

7 Covered entities may also wish to review OMB Memorandum M–07–16 for examples of the types of factors that may need to be taken into account in determining whether an impermissible use or disclosure presents a significant risk of harm to the individual.

[Page 42745]

In addition, there may be circumstances where impermissibly disclosed protected health information is returned prior to it being accessed for an improper purpose. For example, if a laptop is lost or stolen and then recovered, and a forensic analysis of the computer shows that its information was not opened, altered, transferred, or otherwise compromised, such a breach may not pose a significant risk of harm to the individuals whose information was on the laptop. Note, however, that if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.

In performing a risk assessment, covered entities and business associates should also consider the type and amount of protected health information involved in the impermissible use or disclosure. If the nature of the protected health information does not pose a significant risk of financial, reputational, or other harm, then the violation is not a breach. For example, if a covered entity improperly discloses protected health information that merely included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program 8), or if the protected health information includes information that increases the risk of identity theft (such as a social security number, account number, or mother's maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information. The risk assessment should be fact specific, and the covered entity or business associate should keep in mind that many forms of health information, not just information about sexually transmitted diseases or mental health, should be considered sensitive for purposes of the risk of reputational harm—especially in light of fears about employment discrimination.

We also address impermissible uses and disclosures involving limited data sets (as the term is used at 45 CFR 164.514(e) of the Privacy Rule), in paragraph (1) of the definition of "breach" at § 164.402 of the interim final rule. In the RFI discussed above, we asked for public comment on whether limited data sets should be considered unusable, unreadable, or indecipherable and included as a methodology in the guidance. A limited data set is created by removing the 16 direct identifiers listed in § 164.514(e)(2) from the protected health information.9 These direct identifiers include the name, address, social security number, and account number of an individual or the individual's relative, employer, or household member. When these 16 direct identifiers are removed from the protected health information, the information is not completely de-identified pursuant to 45 CFR 164.514(b). In particular, the elements of dates, such as dates of birth, and zip codes, are allowed to remain within the limited data set, which increase the potential for re-identification of the information. Because there is a risk of re-identification of the information within a limited data set, the Privacy Rule treats this information as protected health information that may only be used or disclosed as permitted by the Privacy Rule.

Several commenters suggested that the limited data set should not be included in the guidance as a method to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. These commenters cited concerns about the risk of re-identification of protected health information in a limited data set and noted that, as more data exists in electronic form and as more data becomes public, it will be easier to combine these various sources to re-establish the identity of the individual. Furthermore, due to the risk of re-identification, these commenters stated that creating a limited data set was not comparable to encrypting information, and therefore, should not be included as a method to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

The majority of commenters, however, did support the inclusion of the limited data set in the guidance. These commenters stated that it would be impractical to require covered entities and business associates to notify individuals of a breach of information within a limited data set because, by definition, such information excludes the very identifiers that would enable covered entities and business associates, without undue burden, to identify the affected individuals and comply with the breach notification requirements. Additionally, these commenters cited contractual concerns regarding the data use agreement, which prohibits the recipient of a limited data set from re-identifying the information and therefore, may pose problems with complying with the notification requirements of section 13402(b) of the Act.

These commenters also noted that the decision to exclude the limited data set from the guidance, such that a breach of a limited data set would require breach notification, would reduce the likelihood that covered entities would continue to create and share limited data sets. This, in turn, would have a chilling effect on the research and public health communities, which rely on receiving information from covered entities in limited data set form. Finally, commenters noted that the removal of the 16 direct identifiers in the limited data set presents a minimal risk of serious harm to the individual by limiting the possibility that the information could be used for an illicit purpose if breached. These commenters also suggested that the inclusion of the limited data set in the guidance would align with most state breach notification laws, which, as a general matter, only require notification when certain identifiers are exposed and when there is a likelihood that the breach will result in harm to the individual.

We also asked commenters if they believed that the removal of an individual's date of birth or zip code, in addition to the 16 direct identifiers in 45 CFR 164.514(e)(2), would reduce the risk of re-identification of the information such that it could be included in the guidance. Several commenters responded to this question. While some stated that the removal of these data elements would render the

8 Note that an impermissible disclosure that indicates that an individual has received services from a substance abuse treatment program may also constitute a violation of 42 U.S.C. 290dd–2 and the implementing regulations at 42 CFR part 2. These provisions require the confidentiality of substance abuse patient records.

9 A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: (1) Names; (2) postal address information, other than town or city, State, and zip code; (3) telephone numbers; (4) fax numbers; (5) e-mail addresses; (6) social security numbers; (7) medical record numbers; (8) health plan beneficiary numbers; (9) account numbers; (10) certificate/license plate numbers; (11) vehicle identifiers and serial numbers; (12) device identifiers and serial numbers; (13) Web URLs; (14) Internet Protocol (IP) address numbers; (15) biometric identifiers, including finger and voice prints; and (16) full face photographic images and any comparable images.
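The limited data set discussion above, as an added example that is not part of the rule or of any HHS material: a Python sketch that strips the 16 direct-identifier categories of 45 CFR 164.514(e)(2) (footnote 9) from constructed patient records, then shows the commenters' re-identification concern by linking the result back to a constructed public table on the date of birth and zip code that a limited data set retains, and finally coarsens those two fields (birth year, 3-digit zip) to illustrate the Department's question about removing them. The field names, the patient records and the public table are assumptions made for this example.

```python
"""Limited data set construction and a linkage re-identification check.

Added illustration; it is not part of the interim final rule or any HHS
tool. The 16 direct-identifier categories follow footnote 9 / 45 CFR
164.514(e)(2). The field names, the patient records and the "public"
table below are constructed for this example only.
"""
from collections import defaultdict

# Assumed field names, one per direct-identifier category in 164.514(e)(2).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name",            # (1) names
    "street_address",  # (2) postal address other than town/city, State, zip
    "phone",           # (3) telephone numbers
    "fax",             # (4) fax numbers
    "email",           # (5) e-mail addresses
    "ssn",             # (6) social security numbers
    "mrn",             # (7) medical record numbers
    "health_plan_id",  # (8) health plan beneficiary numbers
    "account_number",  # (9) account numbers
    "license_number",  # (10) certificate/license numbers
    "vehicle_id",      # (11) vehicle identifiers and serial numbers
    "device_serial",   # (12) device identifiers and serial numbers
    "url",             # (13) Web URLs
    "ip_address",      # (14) IP address numbers
    "biometric",       # (15) biometric identifiers
    "photo",           # (16) full face photographic images
})

# Constructed patient records (fictional; not real people).
PHI = [
    {"name": "A. Example", "ssn": "000-00-0001", "mrn": "MRN-1",
     "street_address": "1 Main St", "city": "Springfield", "state": "IL",
     "zip": "62701", "date_of_birth": "1961-03-04", "service": "oncology"},
    {"name": "B. Example", "ssn": "000-00-0002", "mrn": "MRN-2",
     "street_address": "2 Main St", "city": "Springfield", "state": "IL",
     "zip": "62702", "date_of_birth": "1975-07-19",
     "service": "substance abuse treatment"},
    {"name": "C. Example", "ssn": "000-00-0003", "mrn": "MRN-3",
     "street_address": "3 Main St", "city": "Springfield", "state": "IL",
     "zip": "62703", "date_of_birth": "1990-12-01", "service": "dermatology"},
]

# Constructed "public" table (voter-roll style): names with date of birth
# and zip code, the two quasi-identifiers a limited data set keeps.
PUBLIC = [
    {"name": "A. Example", "zip": "62701", "date_of_birth": "1961-03-04"},
    {"name": "B. Example", "zip": "62702", "date_of_birth": "1975-07-19"},
    {"name": "D. Example", "zip": "62702", "date_of_birth": "1975-07-19"},
    {"name": "E. Example", "zip": "62704", "date_of_birth": "1961-11-20"},
]


def to_limited_data_set(record):
    """Remove the 16 direct identifiers. Dates, zip, city and state remain,
    which is why the result is still protected health information."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def is_limited_data_set(record):
    """True when none of the direct-identifier fields is present."""
    return DIRECT_IDENTIFIER_FIELDS.isdisjoint(record)


def generalize(record):
    """Coarsen the remaining quasi-identifiers: birth year and 3-digit zip."""
    out = dict(record)
    out["date_of_birth"] = record["date_of_birth"][:4]
    out["zip"] = record["zip"][:3]
    return out


def link(rows, public, keys=("date_of_birth", "zip")):
    """Join rows to the public table on the quasi-identifiers. A row counts
    as re-identified only when exactly one public record matches it."""
    index = defaultdict(list)
    for p in public:
        index[tuple(p[k] for k in keys)].append(p["name"])
    hits = {}
    for i, row in enumerate(rows):
        names = index.get(tuple(row[k] for k in keys), [])
        hits[i] = names[0] if len(names) == 1 else None
    return hits


def reidentify(phi_records, public, coarsen=False):
    """Build the limited data set, optionally coarsen both sides, and link."""
    rows = [to_limited_data_set(r) for r in phi_records]
    if coarsen:
        rows = [generalize(r) for r in rows]
        public = [generalize(p) for p in public]
    return link(rows, public)


if __name__ == "__main__":
    print("exact dob+zip :", reidentify(PHI, PUBLIC))
    print("year+zip3     :", reidentify(PHI, PUBLIC, coarsen=True))
```

In this constructed data, row 0 is uniquely re-identified from its exact date of birth and zip code, and the linked row still carries the service type (oncology) that the preamble treats as raising the risk of harm; rows 1 and 2 are not re-identified because the match is ambiguous or absent. Coarsening both fields on both sides removes the unique match here, which illustrates the risk the commenters describe but is not a general guarantee: whether a given generalization suffices depends on the population and on what other public data exists.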