The U.S. Department of Health and Human Services (HHS) issued an interim final rule on Aug. 19, 2009, requiring entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their protected health information is breached. This new rule applies to health care providers and health plans, covered entities and business associates, including third-party administrators, to promptly notify affected individuals following breaches, as well as to notify the HHS Secretary and the media for breaches involving 500 or more individuals. Breaches affecting fewer individuals are to be reported to the HHS Secretary annually.
The Federal Trade Commission (FTC) on Aug. 17, 2009, issued companion breach notification regulations that apply to vendors of personal health records and certain others, including third-party service providers, that are not covered by HIPAA; full compliance is required by February 22, 2010. According to Jon Neiditz, an attorney and information management practice leader at Nelson Mullins in Atlanta, “Pretty much anyone in the IT world is a third-party service provider.” “Health insurance brokers in almost all cases are business associates,” he added. “If you have a wellness program and access to personal health records for employees, you may have to deal with the federal breach notification rules,” he said.
Entities subject to the HHS and FTC regulations that secure health information as specified by HHS guidance do not have to provide notice of a breach. The two permitted methods of securing health information so that notice need not be sent in the event of a breach are encryption and destruction. Access controls are not included in the guidance, although HHS noted that strong access controls have benefits. HHS rejected redaction as an alternative to destruction, saying in the background to the rule, “we do not believe that redaction is an accepted alternative method to secure paper-based PHI (Protected Health Information).”
Studies have shown that customer losses following a breach notification can be as high as 20 to 40 percent of notified customers. Because breaches are so costly, it is expected that many entities covered by the rule will decide to rely more on the encryption standards in the HHS guidance.
The Health Information Technology for Economic and Clinical Health (HITECH) Act required that HHS issue guidance on technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorized individuals, which the secretary of HHS did on April 17, 2009. That guidance listed and described encryption and destruction as the two HHS-approved technologies and methodologies, for purposes of avoiding the notification requirement following a breach.
HHS sought comment on the guidance and request for information issued on April 27, 2009. In its background on the recent interim final rule, the department said many commenters were confused about the guidance’s purpose and its impact on a covered entity’s responsibilities under the HIPAA Security Rule. HHS emphasized that “this guidance does nothing to modify a covered entity’s responsibilities with respect to the Security Rule, nor does it impose any new requirements upon covered entities to encrypt all PHI.” However, if a covered entity chooses to encrypt PHI according to the April 2009 guidance, it will not be required to provide breach notification.
According to the HHS guidance, the encryption process for “data at rest” must be consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. “Data at rest” includes data located in databases, file systems, flash drives, memory and any other structured storage method. Similarly, “data in motion” must comply, as appropriate, with NIST Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; or other methods that are Federal Information Processing Standards (FIPS) 140-2 validated. “Data in motion” includes data that is moving through a network, including wireless transmission, whether by e-mail or structured electronic interchange.
One challenge with encryption, Neiditz noted, is that “it takes two to tango.” That is, the intended recipient of e-mail with PHI has to have the technology to read encrypted e-mail.
If the HHS guidance on technologies and methodologies that render PHI unusable is not followed and there is a breach, the HHS rule requires written or e-mail notice in accordance with the rule’s detailed requirements for either option. The covered entity must notify each individual whose unsecured protected health information has been accessed as a result of the breach within 60 calendar days after the discovery of the breach.
A covered entity will be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any “workforce member or agent of the covered entity,” according to HHS. The department clarified that when any further use or disclosure of the information is permitted under the HIPAA Privacy Rule, there is no breach, because the security and privacy of the information have not been compromised.
HHS posed this case scenario:
“A billing employee receives and opens an e-mail containing Personal Health Information (PHI) about a patient that a nurse mistakenly sent to him. The billing employee notices that he is not the intended recipient, alerts the nurse about the misdirected e-mail and deletes it. The billing employee unintentionally accessed PHI to which he was not authorized. However, the billing employee’s use of the information was done in good faith and within the scope of authority and, therefore, would not constitute a breach and notification would not be required.”
HHS released the rule two days after a deadline set by the HITECH Act. Neiditz stated that there may be legal challenges because HHS did not meet its deadline. Up to this point, there has been relatively little enforcement of HIPAA, but under the new law and the rules effective in February 2010, there will be much more enforcement authority.
Neiditz also emphasized that the HITECH Act allows state attorneys general to bring civil actions against people who violate HIPAA rules. State attorneys general have a special interest in pursuing entities that fail to satisfy breach notification requirements, according to Neiditz, who called this change “extraordinarily important.” While most states have breach notification rules, the new federal requirements are much more likely to trigger required notices when there is a breach, he commented.