We have received numerous questions regarding how to handle a breach of protected health information. This article is a reminder of what you should do.
The Department of Health and Human Services (HHS) released guidance regarding the new protected health information (PHI) security breach notification requirements set forth in the American Recovery and Reinvestment Act of 2009 (ARRA). The ARRA established notification requirements to further protect consumers from security breaches compromising the privacy of their PHI. Under the new requirements, "Covered Entities" (including group health plans and health care providers) and their "Business Associates" (persons or entities that use or disclose PHI on behalf of a covered entity that is not members of the covered entity's workforce) have specified notification requirements in the case of a breach of an individual's "unsecured" PHI.
ARRA General Security Breach Notification Requirements
In general, within 60 calendar days after the discovery of a breach of "unsecured" PHI, you must notify:
- Each affected individual of such breach.
- Prominent media outlets in the state (if the breach involves more than 500 residents of a state or jurisdiction).
- The Secretary of the HHS. (If the breach involves 500 or more individuals, then notification must be made immediately to the secretary. If the breach involves less than 500 individuals, then a log may be maintained and submitted annually to the secretary.)
If the breach is by a Business Associate of a Covered Entity, the Business Associate must notify the Covered Entity (not the affected individuals) of the breach.
ARRA Notification Requirements
The ARRA's new notification requirements apply only where "unsecured" PHI is breached. Unsecured PHI is PHI that is not secured through the use of a technology or methodology specified by the Secretary of HHS. Pursuant to the HHS guidance, PHI is "secured" if it is rendered unusable, unreadable, or indecipherable to unauthorized individuals by one of two methods, encryption or destruction, as set forth in the guidance.
Practical Steps to Take
You and your Business Associates must comply with the new notice rules or ensure that your PHI is secured. Accordingly, you should:
- Review and revise your policies and procedures to ensure PHI is "secured," and/or implement procedures to comply with the breach notification requirements in the event any "unsecured" PHI is disclosed due to a security breach, review and revise existing Business Associate Agreements to ensure that they require Business Associates to comply with the new ARRA requirements, and
- Be aware of state laws in many jurisdictions requiring notification to residents whose personal information was or may have been disclosed due to a security system breach.