May 22, 2009
HHS Guidance on Securing Protected Health Information and Avoiding Breach Notification
Later this year, group health plans, including employer-sponsored health plans and multiemployer health plans, will be required to provide notice to affected individuals when certain unsecured protected health information (PHI) is used or disclosed improperly. Standards for these new breach notification rules are being developed by the Department of Health and Human Services (HHS).
The first guidance implementing the breach notification rules was published by HHS in April 2009.[1] The guidance sets forth a safe harbor rule that plan sponsors can follow to secure PHI and therefore avoid the breach notification requirements. In the guidance, HHS clarifies when information is secure (and therefore not subject to the breach notification rules) or unsecured.
HHS is required to issue regulations in August elaborating on the breach notification requirement. The breach notification rules will be effective 30 days after the second set of guidance is published, which would be around mid-September 2009.[2]
This Capital Checkup discusses the April HHS guidance and what actions plan sponsors need to take in the coming months.
Background on HIPAA Breach Notification
The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law by President Obama on February 17, 2009, contains two separate provisions addressing breach notification: one applicable to Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates, and the other applicable to vendors of personal health records (PHR)[3] and other entities linked to PHRs.[4]
Under the new law, group health plans will be required to notify plan participants when there is a breach involving "unsecured protected health information." The breach rules apply to both electronic and paper unsecured PHI. A breach happens when PHI is acquired, accessed, used or disclosed in an unauthorized manner that compromises the security or privacy of the information. However, an unauthorized use or disclosure is not considered a breach, and therefore there is no breach notification requirement, if the information is secured using the methods listed by HHS in its recent guidance.
New Guidance Establishes Exclusive Methods of Securing Data
The new guidance sets forth two exclusive methods to make PHI unusable, unreadable or indecipherable to unauthorized individuals (i.e., to make it secure):
- Encryption. As noted in the guidance, the HIPAA security rule defines encryption as "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key." The guidance describes encryption as the recommended technology to secure both PHI in motion (for example, PHI sent by e-mail over the Internet) and PHI at rest (for example, PHI stored on servers, hard drives and back-up tapes). Instead of listing specific encryption methods or acceptable specifications for encryption, the guidance cites Special Publications from the National Institute of Standards and Technology (NIST) as setting forth acceptable parameters for encryption.[5]
- Destruction. The guidance describes destruction as the recommended technology/methodology for paper, film or other "hard copy media" and for electronic media containing PHI (e.g., hard drives, disks, CDs, tapes, flash drives and other portable media). For paper, the guidance requires shredding or another form of destruction such that PHI cannot be read or reconstructed. For electronic media, rather than specifying the acceptable methods for clearing, purging or destroying stored ePHI, the guidance cites a Special Publication from NIST for acceptable parameters.[6] The NIST publication includes destruction methods that are widely available and easy to implement, such as overwriting and shredding.
Although HHS intends for its list to be exhaustive, additional methods may be endorsed in future guidance.
For plan sponsors that have conducted a HIPAA security evaluation, along with the periodic reassessments the security rules require, exclusive requirements may come as a surprise. Generally, the HIPAA security rule is not prescriptive; rather, it allows covered entities to assess their own risks, implement the safeguards they determine are appropriate, and address possible breaches by mitigating damages and correcting the error.
The existing HIPAA security rules still apply. However, the new safe harbor guidance is an added security protection for most plan sponsors, should they choose to take advantage of it. Plan sponsors are not required to observe the new safe harbor rule, but the safe harbor offers a clear path to avoiding breach notification.
Additional Guidance Expected
In August 2009, HHS is required to issue additional guidance on what to do in the event of a breach of unsecured PHI. The additional guidance will likely provide information about how notification is to occur.
Under the new law, group health plans must provide notice of a breach to each affected individual and to the Secretary of HHS. Notice must be provided without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. If the breach affected 500 or more individuals, notice must be provided to HHS immediately. In some cases, the media must also be notified.[7]
The notice must include a description of what happened, the types of PHI involved, the steps that individuals should take to protect themselves, the steps the covered entity is taking to investigate and mitigate harm, and contact information for follow-up questions.
If a HIPAA business associate is responsible for the breach, the business associate must notify the covered entity of the breach, listing each individual whose PHI was, or is reasonably believed to have been, accessed, acquired or disclosed.
Guidance issued in August should clarify these rules. If guidance is issued in August, the breach notification requirements are effective in September 2009.
Implications and Action Steps for Group Health Plan Sponsors
Plan sponsors seeking to prevent a breach of unsecured PHI and to comply with the breach notification requirement should:
- Assess the plan's readiness to comply with the new safe harbor encryption and destruction standards;
- Decide whether to implement security safeguards that take advantage of the safe harbor;
- Determine where data exists and how best to protect that data (e.g., at the plan office, offsite, on servers, in motion);
- Evaluate with technical experts whether transmission encryption methods already in use meet the applicable NIST specifications and, if they do not, consider whether alternate methods should be adopted;
- Evaluate the methods used to destroy ePHI stored on electronic media to determine if they meet applicable NIST criteria;
- Review (and revise as needed) policies and procedures relating to destruction of paper and other hard copies containing PHI;
- Revise existing HIPAA policies and procedures, as appropriate;
- Provide training to affected members of the workforce about breach notification and any changes in policies and procedures adopted to prevent breaches;
- Because a breach requiring notification can have both direct and indirect costs, which may be quite high, review liability insurance policies to determine existing coverage and whether additional coverage should be purchased; and
- Be on the lookout for updates to this guidance, as well as an interim final rule on breach notification, which the ARRA requires HHS to issue by the middle of August 2009.
● ● ●
As with all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for authoritative advice on the interpretation and application of the American Recovery and Reinvestment Act of 2009. The Segal Company, including its Administration and Technology Consulting (ATC) practice, can be retained to work with plan sponsors and their attorneys on HIPAA compliance, as modified by the ARRA.
1. The guidance was published in the April 27, 2009 issue of the Federal Register.
2. This new notice requirement applies to breaches discovered 30 days after the publication of interim final regulations, which are required to be published not later than 180 days after enactment. If those regulations are published on time, this breach notification requirement will apply to breaches discovered after mid-September 2009.
3. Under the ARRA, a PHR is an electronic record of identifiable health information managed, shared and controlled by or primarily for an individual. This is distinct from an electronic health record (EHR), which contains health-related information about an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff.
4. For a broader discussion of the ARRA's changes to the HIPAA privacy and security rules, see The Segal Company's March 2009 Bulletin, "Stimulus Law Includes Major Changes to HIPAA Privacy and Security Rules." The proposed rule issued recently by the Federal Trade Commission (FTC) implementing the breach notification requirement applicable to PHR vendors (and related entities) is not discussed in this Capital Checkup because it does not apply to HIPAA covered entities or to the business associates of HIPAA covered entities. The FTC's proposed rule was published in the April 20, 2009 issue of the Federal Register.
5. The guides are available on the NIST Web site. The guide for data at rest is Guide to Storage Encryption Technologies for End User Devices. There are three guides for data in motion: Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, Guide to IPsec VPNs and Guide to SSL VPNs.
6. The publication, Guidelines for Media Sanitization, is on the NIST Web site.
7. Notice to the media is an option when there is insufficient contact information for the affected individuals and is required following the discovery of a breach involving more than 500 residents of one state or jurisdiction.
Capital Checkup is The Segal Company's periodic electronic newsletter summarizing activity with respect to health care and related subjects. Capital Checkup is for informational purposes only. It is not intended to provide guidance on current laws or pending legislation. On all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for legal advice.