ARRA Requires Changes In HIPAA Compliance Documents


The American Recovery and Reinvestment Act passed at the end of February contains a number of changes to HIPAA privacy and security rules. Among the most important changes are new notification obligations in cases of breaches of protected health information (PHI).

Upon discovering a breach of unsecured PHI, health plans will now be required to notify affected individuals and—if more than 500 individuals are affected—the Department of Health and Human Services (HHS) and prominent media outlets serving the area. Health plans will also be required to maintain and submit annually to HHS a log of all breaches.

The new notification obligations are expected to take effect by September 15 (30 days after regulations regarding the notification obligations are required to be published). Health plans will, therefore, need to act quickly to revise their HIPAA policies and procedures and amend business associate agreements to reflect the new breach notification obligations.

Use of De-identified Information Can Help Avoid Breaches

Given that the new notification obligations involved with breaches of unsecured PHI are both onerous and potentially embarrassing, the primary goal of all health plans should be to avoid such breaches.

One way to minimize risk of security breaches and avoid breach notification obligations is to use de-identified information to the maximum extent possible. De-identified information is not PHI and, therefore, is not subject to the breach notification requirements. Of course, it is not always possible to use de-identified information.

HHS Guidance Specifies Technologies to Secure PHI

Limiting the amount of "unsecured" PHI is another way to reduce the likelihood of a reportable breach. HHS guidance published April 17 specifies technologies that secure PHI by rendering it unusable, unreadable or indecipherable to unauthorized individuals. If health plans apply the technologies and methodologies specified in the guidance to secure information, they will not be obligated to provide ARRA notifications in the event the information is breached.

Under the guidance, PHI is rendered unusable, unreadable or indecipherable to unauthorized individuals only if one or more of the following applies:

Encryption. Electronic PHI has been encrypted by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" and such confidential process or key has not been breached. Encryption processes that meet this standard for data at rest (data in databases, file systems and other structured storage methods) are those consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Encryption processes for data in motion (data that is moving through a network, including wireless transmission) must comply with Federal Information Processing Standards (FIPS) 140-2.

Destruction. The media on which the PHI is stored or recorded has been destroyed by shredding or otherwise destroying paper, film or other hard copy media such that the PHI cannot be read or reconstructed, and clearing, purging or destroying electronic media consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
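The following is an added illustration, not part of the original article or of any Faegre & Benson template, of how the breach log described earlier and the safe-harbor criteria above combine into one decision: a breach entry is "secured" when the PHI was encrypted per the NIST/FIPS standards and the key was not also compromised, or when the media was destroyed per NIST SP 800-88; otherwise the affected individuals must be notified, and HHS and the media as well when more than 500 individuals are affected. Field names, the record structure and the sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List

HHS_MEDIA_THRESHOLD = 500  # "more than 500 individuals" triggers HHS and media notice


@dataclass
class BreachRecord:
    """One entry in a health plan's breach log (field names are assumptions)."""
    discovered: date
    individuals_affected: int
    # Safe-harbor inputs, following the HHS guidance summarized above
    encrypted_per_nist: bool = False        # SP 800-111 at rest / FIPS 140-2 in motion
    key_compromised: bool = False           # the confidential process or key was also breached
    media_destroyed_per_nist: bool = False  # shredded hard copy / SP 800-88 sanitized media

    def is_secured(self) -> bool:
        """PHI counts as secured if encrypted with an intact key, or destroyed."""
        encrypted_ok = self.encrypted_per_nist and not self.key_compromised
        return encrypted_ok or self.media_destroyed_per_nist

    def notifications_required(self) -> List[str]:
        """Who must be notified under the ARRA rule as described in the article."""
        if self.is_secured():
            return []  # safe harbor: no ARRA notification obligation
        required = ["affected_individuals"]
        if self.individuals_affected > HHS_MEDIA_THRESHOLD:
            required += ["HHS", "media"]
        return required


def annual_log(records: List[BreachRecord], year: int) -> List[dict]:
    """Entries for the annual log submitted to HHS: every breach discovered that year."""
    return [
        {"discovered": r.discovered.isoformat(),
         "individuals": r.individuals_affected,
         "secured": r.is_secured(),
         "notify": r.notifications_required()}
        for r in records if r.discovered.year == year
    ]


# Constructed sample entries (not real incidents)
SAMPLE_LOG = [
    BreachRecord(date(2009, 9, 20), 120),                              # unsecured, under threshold
    BreachRecord(date(2009, 10, 2), 2500),                             # unsecured, over threshold
    BreachRecord(date(2009, 11, 11), 4000, encrypted_per_nist=True),   # encrypted, key intact
    BreachRecord(date(2009, 12, 1), 600, encrypted_per_nist=True, key_compromised=True),
]
```

The fourth sample entry shows the caveat the guidance attaches to encryption: once the key is compromised, encrypted PHI is treated as unsecured and the full notification chain applies.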

Take Steps Now to Ensure Compliance

Health plans should take steps now to minimize the risk of breaches of unsecured PHI. These actions can also help health plans avoid the new breach notification obligations—and ensure compliance in the event a reportable breach occurs. Recommended steps include:

  • Assemble a team of information security specialists within your organization who are familiar with the NIST standards described above.
  • Review your paper and electronic PHI. This should be the same PHI identified during original HIPAA privacy and security compliance work—but you may wish to determine whether changes have been made since that time.
  • Work with the team to identify procedures for encrypting and/or destroying health plan data at your organization so that the data qualifies for the safe harbor from the breach notification obligations.
  • Revise your HIPAA policies and procedures to address these procedures and breach notification obligations.
  • Revise your business associate agreements to address these new procedures and obligations.

Template Agreements and Procedures Offer Head Start

While additional guidance regarding breach notifications is still forthcoming, health plans may have only a 30-day window between the regulation issuance and effective dates. For this reason, we believe it is important to focus on compliance efforts now.

To assist our clients in updating their HIPAA policies in a cost-effective manner, lawyers in the Faegre & Benson employee benefits practice are preparing a template business associate agreement updated to reflect the ARRA provisions. We are also preparing procedures regarding securing PHI and breach notifications.

We will offer these documents—which we expect to make available by the end of June—on a subscription-fee basis. If you choose this option, you will be charged a single fixed fee for the updated documents. Should the documents require modification once the regulations are published, we will provide those updates without charge.

We will continue to work with you as usual on your other HIPAA compliance needs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
