The Department of Health and Human Services issued an interim final rule on Aug. 19, 2009, establishing standards for notification of breaches of unsecured protected health information (PHI). The rule clarifies certain key definitions and concepts, generally in a manner that is favorable to covered entities and business associates, while remaining true to the Health Insurance Portability and Accountability Act of 1996 and the new Health Information Technology for Economic and Clinical Health Act. The bulk of the interim final rule implements the breach notification provisions of the Act as they apply to HIPAA covered entities and their business associates. The HITECH breach notice rules will go live in about a month, so there is little time to waste. HITECH encourages HHS to step up its audit activities. Sanctions have been increased, and state attorneys general have been given concurrent jurisdiction over the HITECH mandates. As a consequence, the compliance bar has been raised significantly.

The rule makes clear that the definition of “breach” is limited to PHI. In determining whether notification is required under the Act, one must first determine whether a use or disclosure violates the privacy rule. This means, among other things, that the breach notice rules do not apply to employment records, which are not PHI. (Notification requirements under other laws may still apply to employment records.) A “breach” must relate to a use or disclosure that “compromises the security or privacy” of PHI. Once it is established that a use or disclosure violates the privacy rule, the covered entity must determine whether the violation compromises the security or privacy of the PHI. Here, HHS officials said that the breach must “pose a significant risk of financial, reputational, or other harm to the individual” to trigger the obligation to provide notice. In appropriate instances, this will require covered entities and business associates to perform a risk assessment to determine whether there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. Covered entities and business associates are also instructed to consider who impermissibly used the information, or to whom the information was impermissibly disclosed, when evaluating the risk of harm to individuals. For example, if PHI is impermissibly disclosed to another covered entity, the chance of significant harm may be more remote, since the recipient is already obligated to protect PHI. Covered entities and business associates should also consider the type and amount of PHI involved in the impermissible use or disclosure.
