HHS rules give employers needed guidance, indicate delayed enforcement

Federal law will soon require employers to provide notice to their health plan participants, the Department of Health and Human Services (HHS), and potentially even the media, following breaches of participant unsecured protected health information (PHI), under interim final HHS regulations set to be published in the August 24, 2009, Federal Register.

The new regulations are effective for breaches occurring on and after September 23, 2009, and provide employers with much-needed guidance in determining: (1) whether a “breach” has occurred; (2) exactly when notices to the media are needed and how they are to be provided; and (3) how HHS thinks the new federal rules will work in conjunction with existing state notice requirements. HHS does indicate, however, that through March 2010, it will not impose penalties for failing to comply with the rules, but will work with employers and health care providers through technical assistance and voluntary corrections.

The notice requirements detailed in the new rules were created by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in February of this year as a part of the new stimulus law – the American Recovery and Reinvestment Act of 2009.

It is important to note that the HITECH Act notice requirements do not displace the various state law requirements for notices of breaches of certain types of information. However, HHS indicates in the preamble to the regulations that entities covered by the Health Insurance Portability and Accountability Act (HIPAA) should be able to comply with the new notice requirements without running afoul of other state and federal notice requirements.

Under the HITECH Act, notices are generally required upon a “breach” of “unsecured” PHI, and the regulations clarify both terms:

  • For purposes of the regulations, the term “breach” means the “acquisition, access, use or disclosure” of PHI in a manner not permitted by the HIPAA privacy rules which “compromises the security or privacy” of the PHI. Security and privacy are considered to be compromised when a breach poses a “significant risk of financial, reputational or other harm” to an individual. Importantly, breach is specifically defined to exclude certain situations, such as a disclosure where there is a good faith belief that the unauthorized person who received PHI could not have retained it.
  • Under the HITECH Act and follow-up HHS guidance, notices are required only for breaches of “unsecured” PHI. “Unsecured” is defined as information that has not been destroyed under an approved method or secured by a technology that renders the PHI unusable, unreadable, or indecipherable to unauthorized individuals and is developed or accredited by the American National Standards Institute. The new regulations clarify that electronic information that has been encrypted pursuant to the HIPAA security rules will be considered secure for these purposes.

The new HHS regulations focus primarily on the different types of notice required in the event of a breach to which the rules apply.

  • Notices to Individuals: Under the HITECH Act, an employer health plan will have to notify each individual whose unsecured PHI was, or is believed to have been, improperly used or disclosed. These notices are required to be provided “without unreasonable delay” and “in no case later than 60 calendar days” after discovery. The preamble to the regulations clarifies that if an employer has the necessary information to notify individuals within 10 days of discovery of the breach, but does not notify individuals until 60 days after discovery of the breach, that employer would be in violation of the rules. “Discovery” is defined as actual knowledge of the breach by a member of the plan’s workforce or an agent of the plan, or deemed knowledge if the breach would have been discovered by exercising reasonable diligence.

    These individual notices must be written in plain language and include basic information such as: (1) the date of the breach, if known; (2) a brief description of the breach and what the plan is doing to mitigate damages and protect against future breaches; and (3) steps affected participants should take to protect themselves. The notices may be sent by first-class mail to the individual’s last known address or by e-mail if the individual has agreed to receive electronic notices (and has not withdrawn that agreement). If there is insufficient or out-of-date contact information, substitute notice may be provided by an alternative form of written notice, or by phone or other means – if there are fewer than 10 affected individuals. If there are more than 10 affected individuals, substitute notice would be in the form of a notice posted for a specified period on the home page of a relevant website or notice in major print or broadcast media.

  • Notices to Media: In addition to notifying affected individuals, if a breach affects more than 500 residents of one state or other smaller jurisdiction (such as a county, city or town), prominent media outlets serving that jurisdiction must be notified. This notice must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. This notice must include the same basic information as the individual notice. HHS clarifies in the preamble to the regulations that it expects this notice would usually be done in the form of a press release.
  • Notices to HHS: In addition to the required notices to individuals and any potential notices to media outlets, employer-sponsored health plans will have to notify HHS of any breaches of participant unsecured PHI. If a breach involves 500 or more individuals, a plan must notify HHS at the same time it notifies the individuals. The manner and content of this notice are expected to be specified on the HHS website. As required by the HITECH Act, HHS will post on its website a list of HIPAA-covered entities, including employer-sponsored health plans, that submit reports of breaches involving more than 500 individuals. If a breach involves fewer than 500 individuals, the plan will have to track these breaches and notify HHS of them no later than 60 days after the end of the relevant calendar year. Note that the HHS reporting requirements do not depend on where an affected participant resides.
  • Notices by Business Associates to Plan: A third-party administrator, claims administrator, pharmacy benefit manager or other business associate to an employer-sponsored health plan will be required to notify the plan itself in the event of a breach of unsecured PHI. Again, the notice must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. Discovery is defined in terms of actual knowledge by an employee, officer or other agent of the business associate, or deemed knowledge if the breach would have been discovered by exercising reasonable diligence.

In addition to clarifying the various notices required under the HITECH Act, the HHS regulations clarify that employer-sponsored plans will need to update their HIPAA privacy and security policies and procedures to comply with the new notification rules. Employers also should consider revising service agreements to ensure that third-party administrators and other service providers are specifically responsible for providing any notices required under the new HHS regulations.

The breach notice requirements for employer health plans and other covered entities reflect only one of the HIPAA privacy and security changes made by the HITECH Act. The Act, for example, will also subject business associates, which were not originally covered by HIPAA, directly to the requirements of the HIPAA privacy and security rules as of February 17, 2010. In addition, the HITECH Act has already increased the civil penalties for HIPAA violations and given state attorneys general new authority to pursue HIPAA actions. Finally, the HITECH Act also subjects vendors of web-based personal health record systems, which generally are not covered entities under HIPAA, to breach notice requirements similar to those that apply to employer-sponsored health plans. New Federal Trade Commission regulations cover those breaches of personal health record information.

Additional Information

To discuss these or other employee benefit issues, contact a member of the firm’s Employee Benefits and Executive Compensation Practice Group, or the Client Services Department at 866-287-2576 or via e-mail at clientservices@ogletreedeakins.com.

Note: This article was published in the August 24, 2009 issue of the Benefits eAuthority.
