HIPAA/HITECH 2009: Into the Breach
Breach notification requirements were first introduced into HIPAA requirements upon passage of HITECH in 2009
Beginning September 23, 2009, covered entities were obligated to notify the HHS Secretary of all breaches of protected health information occurring on or after that date. As of September 23, 2009, covered entities were required to report breaches affecting 500 or more individuals to the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach, while breaches affecting fewer individuals had to be reported to the Secretary within 60 days of the end of the calendar year in which the breach occurred.
This year, the deadline for breach reporting for 2012 breaches affecting fewer than 500 individuals is February 28!
HIPAA 2013: Breaches Clarified
In HIPAA 2013, the rule includes final modifications to the Breach Notification Rule, which will replace an interim final rule originally published in 2009 as required by the HITECH Act. HHS estimates that they will receive approximately 19,000 breach notifications annually and that those breaches will affect approximately 6.71 million individuals.
HIPAA 2013: No harm, no foul? Not so much!
The Final Rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants the interim final rule published on August 24, 2009. It focuses more objectively on the risk that the protected health information has been compromised.
This final rule modifies and clarifies the definition of breach and the risk assessment approach outlined in the interim final rule. Language was added to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.
HHS has clarified its position that breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. The covered entity or business associate has the burden of proof!
HHS believes that this presumption in the final rule will help ensure that all covered entities and business associates interpret and apply the regulation in a uniform manner.
The new language is consistent with language in § 164.414, which provides that covered entities and business associates have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach. This burden is met by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised. The covered entity or business associate must maintain documentation sufficient to meet that burden of proof.
The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary.
HIPAA 2013: Encrypt Early and Often
Every time there is a HIPAA data breach penalty for a lost laptop or hard drive, Office for Civil Rights (OCR) Director Leon Rodriguez likes to emphasize that the penalty would have been avoided if the data had been encrypted. The HITECH Act of 2009 modified the HIPAA data breach rule by stating that if a device is lost or stolen, the loss is not reportable as a HIPAA data breach if the data is encrypted in compliance with data encryption guidance from the National Institute of Standards and Technology (NIST).
To avoid the hit to your organization’s reputation and bottom line if you have to remediate a breach, it is strongly suggested that you encrypt data at rest and data on portable devices such as laptops and flash drives.
The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule.
HIPAA 2013: Notice of Privacy Practices Must Change
The final rule also requires covered entities to include in their Notice of Privacy Practices a statement of the right of affected individuals to be notified following a breach of unsecured protected health information. HHS believes that individuals should be informed of their right to receive and the obligations of covered entities to provide notification following a breach.
HHS indicated that a simple statement in the Notice of Privacy Practices that an individual has a right to or will receive notifications of breaches of his or her unsecured protected health information will suffice for purposes of this requirement.
HIPAA 2013: Costs
HHS estimates that private entities will bear 93 percent of the costs of compliance with the breach notification requirements, or about $13.5 million. This is because the majority of breach reports are filed by health care providers, all of whose costs were attributable to the private sector.
HIPAA 2013 is loaded with many challenges for covered entities and business associates. Hopefully, your organization has been preparing for these final rules since passage of HITECH. If you have not, the time is NOW!