HHS Releases Breach Notification Rule

Last week the industry got an early look at the Department of Health and Human Service’s much-anticipated data breach notification rule. Today the rule was published in the Federal Register, making it official. The rule takes effect September 23, 2009.

“Breach Notification for Unsecured Protected Health Information” applies to all HIPAA-covered entities and HIPAA-related business associates. A separate rule is expected any day from the Federal Trade Commission, which will cover non-HIPAA related entities such as vendors of personal health records. Both rules stem from the American Recovery and Reinvestment Act. FTC released a preliminary version of its rule last week, also.

The rule defines a breach; suggests how an entity might investigate a potential breach; and establishes the steps the entity must follow should it determine that a breach has occurred.

A verified breach requires notification of the affected individuals without unreasonable delay and within 60 days of the breach’s discovery, the time frame originally specified in ARRA. Few of the 44 state breach notification laws specify a time period. California requires notification within 5 days; Florida within 45 days.

HHS, and possibly the media, will also require notification. Entities must notify HHS immediately of any breach involving 500 or more individuals; they may log smaller breaches and report them annually. Breaches of more than 500 individuals must also be reported to “prominent” media outlets in the state or jurisdiction within the same time frame as the notification to individuals.

HHS declined to further define a “prominent” media outlet, despite requests received in comments. It notes that the term is relative to the market.

Dust off the Business Associate Agreements

Under the rule, business associates must notify covered entities of breaches they discover no later than 60 days following their discovery. The covered entity is responsible for notifying the affected individuals.

If the business associate is acting as an agent of the covered entity, then the business associate’s discovery of the breach will be imputed to the covered entity. The covered entity must provide breach notifications based on the time the business associate discovered the breach, not from the time the business associate informed the covered entity.

However, if the business associate is an independent contractor of the covered entity, then the covered entity must provide notification based on the time the business associate notified it of the breach. HHS notes that “covered entities may wish to address the timing of the notification in their business associate contracts.”

Final, yet Interim

In order to (almost) meet its ARRA-imposed deadline, HHS issued an interim final rule, meaning that modifications may still come. In effect, entities must prepare to comply with the law before its 60-day comment period has expired.

HHS is taking comments on the rule in two parts. The deadline for comments on the rule’s information collection requirements are due September 8. Presumably, if there’s a problem with the collection requirements, HHS wants to know before the rule goes into effect.

Comments on the overall provisions of the rule are due by October 23, 2009.

Let the Preemption Begin

Contrary state law will be preempted by the breach notification regulations. HHS has already heard about this issue, and in the final interim rule it requests more feedback.

HHS refers to HIPAA for the definition of “contrary,” writing, “a State law is contrary if ‘a covered entity could find it impossible to comply with both the State and federal requirements’ or if the State law ‘stands as an obstacle to the accomplishment and execution of the full purposes and objectives’ of the breach notification provisions in the Act.”

HHS believes that in general covered entities can comply with both state laws and its regulation. For example, it notes that, “in most cases,” it believes a single notification can satisfy requirements under both state and federal law.

California may be the caveat in HHS’s belief. In many ways the state’s breach laws are stricter than the HHS rule and may make it difficult for an entity to meet both laws with a single notice. That’s the topic of a story in this month’s print journal, which takes a look how California entities are teasing apart state and federal breach notification laws. They highlight the challenge organizations everywhere face in determining responsibilities under ARRA’s new privacy regulations.

In “Reports Pour in under CA’s New Privacy Laws,” the Journal reports on the California Department of Public Health, which has been fielding and investigating incidents of unauthorized record access since California’s new breach notification laws took effect on January 1.

1 Comment

  1. The HHS rule also contains a “harm standard” for breach notification.
    Basically, if patient data is lost or stolen, a health care company now may decide for itself whether the breach poses a “significant risk” of financial or reputational harm to the patient.
    If the company determines the risk is not significant enough, that company never has to notify patients of the breach.
    Keep in mind that the companies have their own financial and reputational incentives against notification.

    The Center for Democracy & Technology wrote an article on how this new harm standard for breach notification undermines patient privacy and the transparency of health care entities.

    That article can be found here:
    http://blog.cdt.org/2009/09/11/hhs%E2%80%99-new-harm-standard-for-breach-notification/

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *