BENEFITS UPDATE
WEEK OF AUGUST 31, 2009
Final Rules Issued on New HIPAA Security Rule Requirements
Recent changes to the HIPAA Privacy and Security Rules via the HITECH Act include direct application
of the Privacy and Security Rules to business associates, required notification to participants in the event
of a breach of unsecured protected health information (“PHI”), increased participant rights, increased
restrictions with respect to use of PHI, and increased enforcement and penalties for noncompliance. See
the May 18, 2009 and May 25, 2009 Benefits Updates for more information.
On August 24, 2009, interim final rules from the Department of Health and Human Services (“HHS”) were
published elaborating on the breach notification requirement and updating prior guidance specifying the
technologies or methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized
individuals.
These rules are summarized below.
Who Must Comply?
The HIPAA Privacy and Security Rules apply to covered entities such as employer health plans and
business associates such as third party administrators and brokers.
What Is the Effective Date?
These rules are effective September 23, 2009.
However, HHS will use its enforcement discretion not to impose sanctions for failure to provide the
required notifications for breaches that are discovered before February 22, 2010. Between September
23, 2009 and February 22, 2010, HHS expects covered entities to comply with these rules and will work
with covered entities, through technical assistance and voluntary corrective action, to achieve
compliance.
What Information Is Subject to New Notification Rule?
The security breach notification rule applies to “unsecured PHI” - PHI that is not secured through the use
of a technology or methodology specified by HHS.
Safe Harbor
HHS has specified that this means that PHI is rendered unusable, unreadable, or indecipherable to
unauthorized individuals through one of the following two methods:
(1) Encryption
Encryption is the recommended technology to secure both PHI in motion (e.g., PHI sent by email) and
PHI at rest (e.g., PHI stored in servers and flash drives).
Encryption is the use of an algorithmic process to transform data into a form in which there is a low
probability of assigning meaning without use of a confidential process or key.
This Benefits Update is intended to convey general information and may not take into account all the
circumstances relevant to a particular person’s situation.
To avoid a breach of the confidential process or key, these decryption tools should be stored on a device
or at a location separate from the data they are used to encrypt or decrypt.
Valid encryption processes for data in motion are those that comply with the requirements of Federal
Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in
NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security
(TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may
include others which are FIPS 140-2 validated.
Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide
to Storage Encryption Technologies for End User Devices.
(2) Destruction
Destruction is the recommended methodology for paper, film, or other hard copy media and for electronic
media containing PHI (e.g., hard drives, disks, CDs, tapes, flash drives and other portable media).
For paper, film, or other hard copy media, this means shredding or another form of destruction such that
PHI cannot be read or reconstructed.
Electronic media must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88,
Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
Non-Approved Methods
HHS specifically states that additional means of safeguarding information such as access controls, firewalls,
using limited data sets,[1] or redaction do not cause information to be “secure.” This means that, unless
a covered entity’s PHI is encrypted or destroyed, it will be subject to the breach notification requirements.
[1] “Limited data set” applies to any PHI that excludes the following:
• Names;
• Postal address information, other than town or city, State, and zip code;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints;
• Full face photographic images and any comparable images;
• Dates of birth; and
• Zip codes.
However, a loss or theft of certain information still may not require notification under these rules either
because the information is not PHI (as in the case of de-identified information) or because the unredacted
information does not compromise the security or privacy of the information and thus does not constitute a
breach.
What Is a Breach?
A breach will occur if four requirements are met:
1. Information is “unsecured” as discussed above (i.e., is not encrypted or destroyed).
2. Information was used or disclosed in an “unauthorized” manner. This means that the information was
used or disclosed in a manner that is not permitted under the HIPAA Privacy Rule, including the minimum
necessary rule.
3. The use or disclosure poses a “significant risk of financial, reputational, or other harm to the individual.”
In order to determine whether a covered entity's or business associate's impermissible use or disclosure
of PHI constitutes a breach, the covered entity or business associate will need to perform a risk
assessment. A risk assessment should be fact-specific and covered entities and business associates
must document their risk assessments so that they can demonstrate, if necessary, that no breach
notification was required following an impermissible use or disclosure of PHI. Covered entities and
business associates should consider the type and amount of PHI involved in the impermissible use or
disclosure.
Example 1. If a covered entity improperly discloses PHI that merely included the name of an individual
and the fact that he received services from a hospital, then this would constitute a violation of the Privacy
Rule, but it may not constitute a significant risk of financial or reputational harm to the individual.
Example 2. In contrast, if the information indicates the type of services that the individual received (such
as oncology services), that the individual received services from a specialized facility (such as a
substance abuse treatment program), or if the PHI includes information that increases the risk of identity
theft (such as a social security number, account number, or mother's maiden name), then there is a
higher likelihood that the impermissible use or disclosure compromised the security and privacy of the
information.
The covered entity or business associate should keep in mind that many forms of health information, not
just information about sexually transmitted diseases or mental health, should be considered sensitive for
purposes of the risk of reputational harm - especially in light of fears about employment discrimination.
Example 3. It may be determined that an impermissible use or disclosure of a limited data set that
includes zip codes, based on the population features of those zip codes, does not create a significant risk
that a particular individual can be identified. Therefore, there would be no significant risk of harm to the
individual. If, however, the covered entity or business associate determines that the individual can be
identified based on the information disclosed and there is otherwise a significant risk of harm to the
individual, then breach notification is required, unless one of the other exceptions discussed below
applies.
Example 4. Where impermissibly disclosed PHI is returned prior to its being accessed for an improper
purpose (e.g., if a laptop is lost or stolen and then recovered and a forensic analysis of the computer
shows that its information was not opened, altered, transferred, or otherwise compromised), such a
breach may not pose a significant risk of harm to the individuals whose information was on the laptop.
Example 5. Where a covered entity takes immediate steps to mitigate an impermissible use or disclosure
such as by obtaining the recipient's satisfactory assurances that the information will not be further used or
disclosed (through a confidentiality agreement or similar means) or will be destroyed and such steps
eliminate or reduce the risk of harm to the individual to a less than “significant risk,” the security and
privacy of the information has not been compromised and, therefore, no breach has occurred.
4. The use or disclosure does not fall under one of the following exceptions:
• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting
under the authority of a covered entity or a business associate if such acquisition, access, or use
was made in good faith and within the scope of authority and does not result in further use or
disclosure.
• Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or
business associate to another person authorized to access PHI at the same covered entity or
business associate, or organized health care arrangement in which the covered entity
participates, and the information received as a result of such disclosure is not further used or
disclosed.
• A disclosure of PHI where a covered entity or business associate has a good faith belief that an
unauthorized person to whom the disclosure was made would not reasonably have been able to
retain such information.
Example 1. A billing employee receives and opens an email containing PHI about a patient which a nurse
mistakenly sent to the billing employee. The billing employee notices that he is not the intended recipient,
alerts the nurse of the misdirected email, and then deletes it. The billing employee unintentionally
accessed PHI to which he was not authorized to have access. However, the billing employee's use of the
information was done in good faith and within the scope of authority, and therefore, would not constitute a
breach and notification would not be required, provided the employee did not further use or disclose the
information accessed in a manner not permitted by the Privacy Rule.
Example 2. A receptionist at a covered entity who is not authorized to access PHI decides to look through
patient files in order to learn of a friend's treatment. In this case, the impermissible access to PHI would
not fall within this exception to breach because such access was neither unintentional, done in good faith,
nor within the scope of authority.
Example 3. A nurse mistakenly hands a patient the discharge papers belonging to another patient, but
she quickly realizes her mistake and recovers the PHI from the patient. If the nurse can reasonably
conclude that the patient could not have read or otherwise retained the information, then this would not
constitute a breach.
When Is Individual Notice Required?
In the case of a breach of unsecured PHI that is discovered by the covered entity, the covered entity will
notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to
have been, accessed, acquired, or disclosed as a result of such breach.
If a business associate discovers a breach of such information, it will notify the covered entity of such
breach. Such notice will include the identification of each individual whose unsecured PHI has been, or is
reasonably believed by the business associate to have been, accessed, acquired, or disclosed during
such breach.
Content
The notice of a breach should include:
• A brief description of what happened, including the date of the breach and the date of the
discovery of the breach, if known.
• A description of the types of unsecured PHI that were involved in the breach (such as whether full
name, social security number, date of birth, home address, account number, diagnosis, disability
code, or other types of information were involved).
• The steps individuals should take to protect themselves from potential harm resulting from the
breach.
• A brief description of what the covered entity involved is doing to investigate the breach, to
mitigate harm to individuals, and to protect against any further breaches.
• Contact procedures for individuals to ask questions or learn additional information, which will
include a toll-free telephone number, an email address, website, or postal address.
The notification must be written in plain language. The covered entity should write the notice at an
appropriate reading level, using clear language and syntax, and not include any extraneous material that
might diminish the message it is trying to convey.
Timing
All notifications will be made without unreasonable delay and no later than 60 calendar days after the
discovery of a breach.[2]
The breach will be considered discovered on the first day it is known to any member of the covered
entity’s workforce (other than the person who committed the breach) or the date it would have been
known if the covered entity exercised reasonable diligence. HHS notes that 60 days is the “outer limit”
and, depending on the circumstances, it may be an unreasonable delay to wait until the 60th day to
provide the notification.
The covered entity must provide notifications based on the time the business associate discovers the
breach, not from the time the business associate notifies the covered entity. However, if the business
associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity
must provide notification based on the time the business associate notifies the covered entity of the
breach. Covered entities may wish to address the timing of the notification in their business associate
contracts.
The covered entity or business associate will have the burden of demonstrating that all notifications were
made, including evidence demonstrating the necessity of any delay.
Method
Notice required will be provided in the following form:
• Mail or Email. A covered entity must provide breach notice to the individual (or the next of kin of
the individual if the individual is deceased) in written form by first-class mail at the last known
address of the individual. Written notice may be in the form of electronic mail, provided the
individual agrees to receive electronic notice and such agreement has not been withdrawn.
• Urgency. In any case deemed by the covered entity to require urgency because of possible
imminent misuse of unsecured PHI, the covered entity may provide information to individuals by
telephone or other means, as appropriate, in addition to the written notice.
[2] If a law enforcement official determines that a notification, notice, or posting required under this section
would impede a criminal investigation or cause damage to national security, such notification, notice, or
posting will be delayed.
What If the Contact Information is Bad?
In the case in which there is insufficient or out-of-date contact information (including a phone number,
email address, or any other form of appropriate communication) that precludes direct written (or, if
specified by the individual, electronic) notification to the individual, a substitute form of notice should be
provided as follows:
• If there are fewer than 10 individuals for whom the covered entity has insufficient or out-of-date
contact information to provide the written notice, the covered entity can provide substitute notice to
such individuals through an alternative form of written notice, by telephone, or other means. For
example, if the covered entity learns that the home address it has for one of its patients is out-of-date
but it has the patient's email address, it may provide substitute notice by email even if the patient has
not agreed to electronic notice.
• If there are 10 or more individuals for whom there is insufficient or out-of-date contact information,
there should be a conspicuous posting on the home page of the website of the covered entity
involved for at least 90 days or notice in major print or broadcast media, including major media in
geographic areas where the individuals affected by the breach likely reside. Such a notice in media or
web posting will include a toll-free phone number where an individual can learn whether or not the
individual's unsecured PHI is possibly included in the breach.
When Is Notice to the Media Required?
Besides having to provide the substitute notice described above, a covered entity must notify the media
where the breach involves more than 500 residents in a state. The notice must be made to "prominent
media outlets" serving the state, include the same content as the individual notice, and be provided within
the same timeframe (i.e., 60 days). Rather than the more "legal" form of the substitute notice, this media
notice may be in the form of a press release (which presumably, the media may choose to report on or
not). What constitutes a prominent media outlet will differ depending on the state.
HHS also clarifies that the notice requirement only is triggered if the breach involves more than 500
residents of a particular state. If the breach involves 600 individuals (200 residents in each of three
neighboring states), no notice would be required.
When Is Notice to HHS Required?
Notice should also be provided to HHS by covered entities of unsecured PHI that has been acquired or
disclosed in a breach.
• If the breach was with respect to 500 or more individuals, then such notice must be provided to
HHS contemporaneously with the individual notice (i.e., within 60 days). HHS notes that this
requirement applies regardless of an individual's state, so a breach that does not trigger the
media notice (which applies to more than 500 residents in a state) may still trigger notice to HHS.
HHS will post the names of those covered entities that report security breaches involving 500 or
more people.
• If the breach was with respect to fewer than 500 individuals, the covered entity may maintain a log
of any such breach occurring and annually submit such a log to HHS documenting such breaches
occurring during the year involved. The submission of this information to HHS is due no later than
60 days after the end of each calendar year. HHS also notes that, for 2009, the filing only is
required to include breaches occurring on or after September 23, 2009.
HHS will post instructions on its website for submitting information to the agency relating both to the
immediate notification requirement for breaches involving 500 or more individuals and the annual
notification requirement for breaches involving less than 500 individuals.
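The notification tiers above interact in ways that are easy to get wrong in an incident-response playbook: the 60-day clock runs from discovery (or from the business associate's notice when the associate is an independent contractor), media notice turns on more than 500 residents of a single state, immediate HHS notice turns on 500 or more individuals in total, smaller breaches go into the annual log, and substitute notice changes form at 10 bad contacts. The following decision helper is an added example, not part of the Benefits Update or of any HHS material; the Breach record, its field names, the "ba_agent"/"ba_contractor" labels and the sample figures are constructed for illustration.

```python
"""Encode the HHS breach-notification tiers described above as a decision helper.
Thresholds and windows come from the rule as summarized on this page; the record
layout and sample breaches are constructed and hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # "outer limit" after discovery (and after year end for the log)
MEDIA_THRESHOLD = 500                # media notice: MORE than 500 residents of one state
HHS_IMMEDIATE_THRESHOLD = 500        # immediate HHS notice: 500 OR MORE individuals in total
SUBSTITUTE_POSTING_THRESHOLD = 10    # 10 or more bad contacts -> web posting or major media


@dataclass
class Breach:
    discovered_by: str          # hypothetical labels: "covered_entity", "ba_agent", "ba_contractor"
    discovered: date            # first day anyone in the workforce knew, or should have known
    ce_notified: date           # day the business associate told the covered entity
    residents_by_state: dict    # constructed: state code -> number of affected residents
    bad_contacts: int = 0       # individuals with insufficient or out-of-date contact information


def plan(b: Breach) -> dict:
    total = sum(b.residents_by_state.values())

    # The clock starts at discovery, except for an independent-contractor business associate,
    # where it starts when the associate notifies the covered entity.
    clock_start = b.ce_notified if b.discovered_by == "ba_contractor" else b.discovered
    deadline = clock_start + NOTICE_WINDOW

    # Media notice is evaluated per state, never on the total headcount.
    media_states = sorted(s for s, n in b.residents_by_state.items() if n > MEDIA_THRESHOLD)

    # HHS notice is evaluated on the total headcount, regardless of state.
    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs = ("immediate", deadline.isoformat())   # contemporaneous with individual notice
    else:
        year_end = date(b.discovered.year, 12, 31)
        hhs = ("annual_log", (year_end + NOTICE_WINDOW).isoformat())

    if b.bad_contacts == 0:
        substitute = "none"
    elif b.bad_contacts < SUBSTITUTE_POSTING_THRESHOLD:
        substitute = "alternative written notice, telephone, or other means"
    else:
        substitute = "home-page posting for 90 days or major media, with toll-free number"

    return {"individuals": total,
            "individual_notice_deadline": deadline.isoformat(),
            "media_notice_states": media_states,
            "hhs_notice": hhs,
            "substitute_notice": substitute}


def plan_case(discovered_by, discovered_iso, ce_notified_iso, residents_by_state, bad_contacts=0):
    """Convenience wrapper taking ISO-8601 date strings."""
    return plan(Breach(discovered_by, date.fromisoformat(discovered_iso),
                       date.fromisoformat(ce_notified_iso), residents_by_state, bad_contacts))


if __name__ == "__main__":
    # Constructed case from the text: 600 individuals, 200 residents in each of three states.
    for key, value in plan_case("covered_entity", "2009-10-01", "2009-10-01",
                                {"MD": 200, "VA": 200, "DC": 200}, bad_contacts=12).items():
        print(f"{key}: {value}")
```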
Does HIPAA Preempt Other Related Laws?
Generally, “no.” Covered entities must also comply with any applicable state law unless "contrary to" the
HIPAA requirement. HHS says it believes that most state laws will not conflict with the HIPAA rule and
gives an example where a state law requires notification within 5 days. HHS states that notice within this
period also would satisfy the new HIPAA requirement, so the two laws would not conflict. Similarly, if a
state law requires additional elements to be included in a notice, HHS says there would be no conflict
because a covered entity could develop a notice that satisfies both laws.
Covered entities may have obligations under other federal laws with respect to their communication with
affected individuals. For example, to the extent a covered entity is obligated to comply with Title VI of the
Civil Rights Act of 1964, the covered entity must take reasonable steps to ensure meaningful access for
Limited English Proficient persons to the services of the covered entity, which could include translating
the notice into frequently encountered languages. Similarly, to the extent that a covered entity is obligated
to comply with Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of
1990, the covered entity has an obligation to take steps that may be necessary to ensure effective
communication with individuals with disabilities, which could include making the notice available in
alternate formats, such as Braille, large print, or audio.
What Is My Action Plan?
Employers should:
• develop and document policies and procedures to determine when a breach has occurred, who
will prepare individual notifications, who will create a breach notification log, and when a breach
will trigger a requirement for notice to the media or immediate notice to HHS;
• determine to what extent they can meet the safe harbor guidance for securing PHI;
• revise business associate agreements to address the timing for a business associate to notify the
covered entity of a breach by the business associate, what information should be reported, and
which party will issue the required notifications;
• conduct and document risk assessments; and
• train workforce members on the requirements in light of the fact that the 60-day breach
notification date will be triggered from the date a breach is discovered by anyone in the covered
entity's workforce.
Where Can I Get Additional Information?
For the final rule, visit:
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
For a copy of the HHS news release, visit:
http://www.hhs.gov/news/press/2009pres/08/20090819f.html
FTC Issues Final Breach Notification Rule for Electronic Health Information
On August 25, 2009, the Federal Trade Commission (“FTC”) issued a final rule requiring certain web-
based businesses that are not subject to HIPAA to notify consumers when the security of their electronic
health information is breached.
Entities operating as covered entities and business associates are subject to HHS' notification rule
described in the previous article and not the FTC's breach notification rule. In those limited cases where
an entity may be subject to both HHS' and the FTC's rules, such as a vendor that offers personal health
records (“PHRs”) to customers of a covered entity as a business associate and also offers PHRs directly
to the public, HHS worked with the FTC to ensure both sets of regulations were harmonized by including
the same or similar requirements.
The rule applies to both vendors of personal health records – which provide online repositories that
people can use to keep track of their health information – and entities that offer third-party applications for
personal health records. These applications could include, for example, devices such as blood pressure
cuffs or pedometers whose readings consumers can upload into their personal health records.
The FTC rule is effective September 24, 2009 and full compliance is not required until February 22,
2010.
The rule requires vendors of personal health records and related entities to notify consumers following a
breach involving unsecured information. In addition, if a service provider to one of these entities has a
breach, it must notify the entity, which in turn must notify consumers. The rule also specifies the timing,
method, and content of notification, and in the case of certain breaches involving 500 or more people,
requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a
standard form.
For a copy of the FTC rule, summary, and breach form, visit:
http://www.ftc.gov/opa/2009/08/hbn.shtm