Week Of 2009 08 31


BENEFITS UPDATE
WEEK OF AUGUST 31, 2009

Final Rules Issued on New HIPAA Security Rule Requirements

Recent changes to the HIPAA Privacy and Security Rules made by the HITECH Act include direct application of the Privacy and Security Rules to business associates, required notification to participants in the event of a breach of unsecured protected health information ("PHI"), increased participant rights, increased restrictions on the use of PHI, and increased enforcement and penalties for noncompliance. See the May 18, 2009 and May 25, 2009 Benefits Updates for more information.

On August 24, 2009, the Department of Health and Human Services ("HHS") published interim final rules elaborating on the breach notification requirement and updating its prior guidance on the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. These rules are summarized below.

Who Must Comply?

The HIPAA Privacy and Security Rules apply to covered entities (such as employer health plans) and to business associates (such as third party administrators and brokers).

What Is the Effective Date?

These rules are effective September 23, 2009. However, HHS will exercise its enforcement discretion not to impose sanctions for failure to provide the required notifications for breaches discovered before February 22, 2010. Between September 23, 2009 and February 22, 2010, HHS expects covered entities to comply with these rules and will work with them, through technical assistance and voluntary corrective action, to achieve compliance.

What Information Is Subject to the New Notification Rule?

The breach notification rule applies to "unsecured PHI," that is, PHI that is not secured through the use of a technology or methodology specified by HHS.

Safe Harbor

HHS has specified that PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals through one of the following two methods:

(1) Encryption

Encryption is the recommended technology for securing both PHI in motion (e.g., PHI sent by email) and PHI at rest (e.g., PHI stored on servers and flash drives). Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. To avoid a breach of the confidential process or key, the decryption key or tool should be stored on a device or at a location separate from the data it is used to encrypt or decrypt.

Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, the standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others that are FIPS 140-2 validated. Valid encryption processes for data at rest are those consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

(2) Destruction

Destruction is the recommended methodology for paper, film, or other hard copy media and for electronic media containing PHI (e.g., hard drives, disks, CDs, tapes, flash drives, and other portable media). For paper, film, or other hard copy media, this means shredding or another form of destruction such that the PHI cannot be read or reconstructed. Electronic media must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

Non-Approved Methods

HHS specifically states that additional means of safeguarding information, such as access controls, firewalls, use of limited data sets,[1] or redaction, do not render information "secured." This means that, unless a covered entity's PHI is encrypted or destroyed, it will be subject to the breach notification requirements.

This Benefits Update is intended to convey general information and may not take into account all the circumstances relevant to a particular person's situation.

[1] "Limited data set" applies to any PHI that excludes the following:
• Names;
• Postal address information, other than town or city, State, and zip code;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints;
• Full face photographic images and any comparable images;
• Dates of birth; and
• Zip codes.
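The safe harbor turns on PHI at rest being unusable without a separately held key. The following is an added example, not code from the Benefits Update or from HHS, of what that looks like in practice: a record is sealed with AES-256-GCM, the key is generated and handed in separately, and the resulting blob fails to decrypt (rather than yielding garbage) under a wrong key, a missing key, or any tampering. The function names, the sample record, and the choice of AES-GCM are this example's own assumptions. Note that using an approved algorithm is not the same as meeting the safe harbor: that depends on the cryptographic module in use being FIPS 140-2 validated and on the key actually being kept apart from the data, neither of which a code snippet can establish.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SamplePHI is a constructed record used only to exercise the code below;
// it is not real patient data.
const SamplePHI = "Name: Jane Doe; MRN: 0000000; Dx: oncology follow-up"

// NewKey returns a fresh random AES-256 key. In HHS's terms this is the
// "confidential process or key": it must live somewhere other than the
// device or store holding the ciphertext (a key manager, an HSM, or at
// minimum a separate volume). Where it lives is a deployment decision this
// code cannot make for you.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key with AES-256-GCM. A random 12-byte nonce
// is generated per call and prepended to the output; GCM also appends an
// authentication tag, so any later modification of the blob is detected.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error, never partial plaintext,
// when the key is wrong, the blob is truncated, or the blob has been altered.
func Decrypt(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext is a crude sanity check on a stored blob: it reports whether
// a fragment of the original record appears verbatim in the ciphertext,
// which encryption of the whole record must never allow.
func LeaksPlaintext(sealed, fragment []byte) bool {
	return bytes.Contains(sealed, fragment)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, []byte(SamplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes; name visible: %v\n",
		len(SamplePHI), len(sealed), LeaksPlaintext(sealed, []byte("Jane Doe")))

	// The blob alone, without the separately held key, is unusable.
	if _, err := Decrypt(nil, sealed); err != nil {
		fmt.Println("no key:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := Decrypt(key, sealed); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

A lost laptop holding only such blobs, with the key on a key server the laptop never stored, is the scenario the safe harbor is written for; the same laptop with the key sitting in a file beside the data is not, regardless of the algorithm.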
However, a loss or theft of certain information still may not require notification under these rules, either because the information is not PHI (as in the case of de-identified information) or because the disclosure of the unredacted information does not compromise the security or privacy of the PHI and thus does not constitute a breach.

What Is a Breach?

A breach occurs only if all four of the following requirements are met:

1. The information is "unsecured," as discussed above (i.e., it is neither encrypted nor destroyed).

2. The information was used or disclosed in an "unauthorized" manner, meaning in a manner not permitted under the HIPAA Privacy Rule, including the minimum necessary rule.

3. The use or disclosure poses a "significant risk of financial, reputational, or other harm to the individual." To determine whether an impermissible use or disclosure of PHI constitutes a breach, the covered entity or business associate must perform a risk assessment. The risk assessment should be fact-specific, and covered entities and business associates must document their risk assessments so that they can demonstrate, if necessary, that no breach notification was required following an impermissible use or disclosure of PHI. Among other factors, they should consider the type and amount of PHI involved.

Example 1. If a covered entity improperly discloses PHI consisting merely of an individual's name and the fact that he received services from a hospital, this would be a violation of the Privacy Rule but may not pose a significant risk of financial or reputational harm to the individual.

Example 2. In contrast, if the information indicates the type of services the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program), or if the PHI includes information that increases the risk of identity theft (such as a social security number, account number, or mother's maiden name), there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information. The covered entity or business associate should keep in mind that many forms of health information, not just information about sexually transmitted diseases or mental health, should be considered sensitive for purposes of the risk of reputational harm, especially in light of fears about employment discrimination.

Example 3. An impermissible use or disclosure of a limited data set that includes zip codes may, based on the population features of those zip codes, be determined not to create a significant risk that a particular individual can be identified, and therefore no significant risk of harm to the individual. If, however, the covered entity or business associate determines that the individual can be identified from the information disclosed and there is otherwise a significant risk of harm, then breach notification is required unless one of the other exceptions discussed below applies.

Example 4. Where impermissibly disclosed PHI is returned before being accessed for an improper purpose (e.g., a laptop is lost or stolen and then recovered, and a forensic analysis of the computer shows that its information was not opened, altered, transferred, or otherwise compromised), the incident may not pose a significant risk of harm to the individuals whose information was on the laptop.
Example 5. Where a covered entity takes immediate steps to mitigate an impermissible use or disclosure, such as by obtaining the recipient's satisfactory assurances (through a confidentiality agreement or similar means) that the information will not be further used or disclosed or will be destroyed, and such steps eliminate or reduce the risk of harm to the individual to less than a "significant risk," the security and privacy of the information has not been compromised and, therefore, no breach has occurred.

4. The use or disclosure does not fall under one of the following exceptions:

• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure.

• Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or at an organized health care arrangement in which the covered entity participates, where the information received as a result of the disclosure is not further used or disclosed.

• A disclosure of PHI where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

Example 1. A billing employee receives and opens an email containing PHI about a patient that a nurse mistakenly sent to him. The billing employee notices that he is not the intended recipient, alerts the nurse to the misdirected email, and then deletes it. The billing employee unintentionally accessed PHI he was not authorized to access. However, his use of the information was in good faith and within the scope of his authority, so it would not constitute a breach and notification would not be required, provided he did not further use or disclose the information in a manner not permitted by the Privacy Rule.

Example 2. A receptionist at a covered entity who is not authorized to access PHI decides to look through patient files to learn about a friend's treatment. This impermissible access would not fall within the exception because it was neither unintentional, nor in good faith, nor within the scope of the receptionist's authority.

Example 3. A nurse mistakenly hands a patient the discharge papers belonging to another patient, but quickly realizes the mistake and recovers the papers. If the nurse can reasonably conclude that the patient could not have read or otherwise retained the information, this would not constitute a breach.

When Is Individual Notice Required?

In the case of a breach of unsecured PHI discovered by the covered entity, the covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of the breach. If a business associate discovers a breach of such information, it must notify the covered entity. That notice must identify each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during the breach.
Content

The notice of a breach must include:

• A brief description of what happened, including the date of the breach and the date of its discovery, if known.
• A description of the types of unsecured PHI involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved).
• The steps individuals should take to protect themselves from potential harm resulting from the breach.
• A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
• Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, website, or postal address.

The notification must be written in plain language. The covered entity should write the notice at an appropriate reading level, using clear language and syntax, and not include extraneous material that might diminish the message it is trying to convey.

Timing

All notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.[2] A breach is treated as discovered on the first day it is known to any member of the covered entity's workforce (other than the person who committed the breach), or on the date it would have been known had the covered entity exercised reasonable diligence. HHS notes that 60 days is the "outer limit" and that, depending on the circumstances, waiting until the 60th day may itself be an unreasonable delay.

Where the business associate is acting as the covered entity's agent, the covered entity's deadline runs from the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. If, however, the business associate is an independent contractor of the covered entity (i.e., not an agent), the covered entity's deadline runs from the time the business associate notifies it of the breach. Covered entities may wish to address the timing of such notification in their business associate agreements. The covered entity or business associate bears the burden of demonstrating that all notifications were made, including evidence demonstrating the necessity of any delay.

Method

Notice must be provided in the following form:

• Mail or Email. A covered entity must provide breach notice to the individual (or to the next of kin if the individual is deceased) in written form by first-class mail at the individual's last known address. Written notice may be in the form of electronic mail, provided the individual has agreed to receive electronic notice and that agreement has not been withdrawn.

• Urgency. In any case the covered entity deems urgent because of possible imminent misuse of unsecured PHI, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to the written notice.

What If the Contact Information Is Bad?

Where the covered entity has insufficient or out-of-date contact information (including a phone number, email address, or other appropriate form of communication) that precludes direct written (or, if specified by the individual, electronic) notification, a substitute form of notice must be provided as follows:

• If there are fewer than 10 individuals for whom the covered entity lacks sufficient or current contact information to provide written notice, the covered entity may provide substitute notice to those individuals through an alternative form of written notice, by telephone, or by other means. For example, if the covered entity learns that the home address it has for one of its patients is out of date but it has the patient's email address, it may provide substitute notice by email even if the patient has not agreed to electronic notice.

• If there are 10 or more such individuals, the covered entity must either post a conspicuous notice on the home page of its website for at least 90 days or provide notice in major print or broadcast media, including major media in the geographic areas where the affected individuals likely reside. Such a web posting or media notice must include a toll-free phone number through which an individual can learn whether his or her unsecured PHI may have been included in the breach.

[2] If a law enforcement official determines that a notification, notice, or posting required under these rules would impede a criminal investigation or cause damage to national security, the notification, notice, or posting must be delayed.

When Is Notice to the Media Required?
In addition to the substitute notice described above, a covered entity must notify the media where a breach involves more than 500 residents of a state. The notice must be made to "prominent media outlets" serving the state, must include the same content as the individual notice, and must be provided within the same timeframe (i.e., without unreasonable delay and no later than 60 days after discovery). Rather than the more "legal" form of the substitute notice, this media notice may take the form of a press release (which, presumably, the media may choose to report on or not). What constitutes a prominent media outlet will differ from state to state. HHS also clarifies that the media notice requirement is triggered only if the breach involves more than 500 residents of a particular state. If a breach involves 600 individuals, 200 residents of each of three neighboring states, no media notice would be required (although, as discussed next, notice to HHS would be).

When Is Notice to HHS Required?

Covered entities must also notify HHS of breaches in which unsecured PHI has been acquired or disclosed.

• If the breach involves 500 or more individuals, notice must be provided to HHS contemporaneously with the individual notice (i.e., within 60 days). HHS notes that this requirement applies regardless of the individuals' states of residence, so a breach that does not trigger the media notice (which applies to more than 500 residents of a single state) may still trigger immediate notice to HHS. HHS will post the names of covered entities that report breaches involving 500 or more people.

• If the breach involves fewer than 500 individuals, the covered entity must maintain a log of such breaches and submit it to HHS annually, documenting the breaches that occurred during the year. The submission is due no later than 60 days after the end of each calendar year. HHS notes that, for 2009, the filing need only include breaches occurring on or after September 23, 2009.

HHS will post instructions on its website for submitting information to the agency under both the immediate notification requirement for breaches involving 500 or more individuals and the annual notification requirement for breaches involving fewer than 500 individuals.

Does HIPAA Preempt Other Related Laws?

Generally, no. Covered entities must also comply with any applicable state law unless it is "contrary to" the HIPAA requirement. HHS says it believes most state laws will not conflict with the HIPAA rule and gives the example of a state law requiring notification within 5 days: notice within that period would also satisfy the new HIPAA requirement, so the two laws would not conflict. Similarly, if a state law requires additional elements in a notice, HHS says there would be no conflict because a covered entity could develop a notice that satisfies both laws.

Covered entities may also have obligations under other federal laws with respect to their communication with affected individuals. For example, to the extent a covered entity must comply with Title VI of the Civil Rights Act of 1964, it must take reasonable steps to ensure meaningful access for Limited English Proficient persons to its services, which could include translating the notice into frequently encountered languages.
Similarly, to the extent a covered entity must comply with Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of 1990, it must take the steps necessary to ensure effective communication with individuals with disabilities, which could include making the notice available in alternate formats such as Braille, large print, or audio.

What Is My Action Plan?

Employers should:

• develop and document policies and procedures to determine when a breach has occurred, who will prepare individual notifications, who will maintain the breach notification log, and when a breach will trigger a requirement for notice to the media or immediate notice to HHS;
• determine to what extent they can meet the safe harbor guidance for securing PHI;
• revise business associate agreements to address the timing for a business associate to notify the covered entity of a breach by the business associate, what information must be reported, and which party will issue the required notifications;
• conduct and document risk assessments; and
• train workforce members on the requirements, in light of the fact that the 60-day breach notification period is triggered on the date a breach is discovered by anyone in the covered entity's workforce.

Where Can I Get Additional Information?

For the interim final rule, visit: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

For a copy of the HHS news release, visit: http://www.hhs.gov/news/press/2009pres/08/20090819f.html

FTC Issues Final Breach Notification Rule for Electronic Health Information

On August 25, 2009, the Federal Trade Commission ("FTC") issued a final rule requiring certain web-based businesses that are not subject to HIPAA to notify consumers when the security of their electronic health information is breached. Entities operating as covered entities and business associates are subject to HHS's notification rule described in the previous article, not the FTC's breach notification rule. In the limited cases where an entity may be subject to both rules, such as a vendor that offers personal health records ("PHRs") to customers of a covered entity as a business associate and also offers PHRs directly to the public, HHS worked with the FTC to harmonize the two sets of regulations by including the same or similar requirements.

The FTC rule applies both to vendors of personal health records, which provide online repositories that people can use to keep track of their health information, and to entities that offer third-party applications for personal health records. Such applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records.

The FTC rule is effective September 24, 2009, and full compliance is not required until February 22, 2010. The rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The rule also specifies the timing, method, and content of notification and, in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form to do so.

For a copy of the FTC rule, summary, and breach form, visit: http://www.ftc.gov/opa/2009/08/hbn.shtm
