ARRA's Impact on HIPAA Privacy and Security

(Oct. 21, 2009)

Part 2: Disclosures and Reporting Security Breaches

The American Recovery and Reinvestment Act (ARRA) of 2009 calls for a number of modified HIPAA privacy and security regulations. Part 1 discussed the expanded role of business associates in complying with the privacy and security regulations of protected health information (PHI).

There are several additional provisions that expand and/or change the scope of HIPAA. These most recent provisions are contained in a portion of ARRA called the Health Information Technology for Economic and Clinical Health (HITECH) Act. This article will discuss reporting and disclosure requirements mandated under HITECH.

Defining a security breach

ARRA defines a breach of PHI as the "unauthorized acquisition, access, use or disclosure of PHI." On August 24, 2009, HHS published new HIPAA guidance that establishes standards for notification of breaches of unsecured PHI. The guidance is effective for breaches occurring on or after September 23, 2009. Violation of the breach notification rule can result in penalties ranging from $100 to $10,000 per violation, capped at $1.5 million per year. However, HHS has the power to exercise discretion in enforcing the civil penalties for violations that occur before February 20, 2010.

Exceptions to a breach include the following scenarios:

  • The acquisition, access or use of PHI is made in good faith and within the scope of employment, such as when a patient record is accessed due to an error in entering patient identifier data.
  • An inadvertent disclosure occurs within the confines of the covered entity, for example, in a hospital when an authorized staff member discloses PHI to a physician who has staff privileges with the entity. Provided that the information is not further used or disclosed in violation of HIPAA, the exception applies.
  • A good-faith belief that the unauthorized person to whom the disclosure of PHI was made would not reasonably have been able to retain the information.

If the breach does not meet one of the three exceptions, the covered entity or business associate must conduct a risk assessment to determine whether there is significant risk of financial, reputational or other harm to the individual. The process must be documented.

Reporting security breaches

Prior to the enactment of ARRA, there were no requirements to report privacy and security breaches to the individuals affected, although business associates were required to notify covered entities. Under HITECH, however, covered entities and business associates must now notify individuals when their unsecured PHI has been compromised and must maintain a breach log and submit it annually to the Department of Health and Human Services (HHS). Similar rules apply to Personal Health Record (PHR) vendors.

HHS has not yet provided a definition of "unsecured PHI"; therefore, by default, the definition includes all PHI that is not secured by an encryption standard endorsed by the National Institute of Standards and Technology (NIST). The general default definition of unsecured PHI in the HITECH Act is: "Protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute."

The new guidance adds a harm provision to the definition of breach to include a "significant risk of financial, reputational or other harm to the individual."

Individual notifications must occur without unreasonable delay and no later than 60 days after the breach is discovered. When individuals cannot be located, a covered entity may be required to post a notice on its public website. Large breaches require additional notification: if more than 500 people are affected by the breach, the covered entity must notify HHS and local print and broadcast media outlets.
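The breach-handling steps the article describes (is the PHI unsecured, does one of the three exceptions apply, did the documented risk assessment find significant risk of harm, and what notifications follow under the 60-day window and the 500-person threshold) can be written down as a small decision procedure. The following Python is an added illustration, not text or code from the article; the dataclass, its field names, the function names and the sample incidents are this example's own constructions, and it encodes only what the article states, not the full regulation.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as stated in the article; everything else here is this example's own.
LARGE_BREACH_THRESHOLD = 500       # more than this many individuals -> notify HHS and media
NOTIFICATION_WINDOW_DAYS = 60      # individuals must be notified within this many days of discovery


@dataclass
class PhiIncident:
    discovered_on: date
    affected_count: int
    encrypted_nist_standard: bool         # PHI rendered unusable by a NIST-endorsed encryption standard
    good_faith_workforce_access: bool     # exception 1: good-faith access within the scope of employment
    internal_authorized_disclosure: bool  # exception 2: inadvertent disclosure within the covered entity
    recipient_could_not_retain: bool      # exception 3: recipient could not reasonably retain the PHI
    significant_risk_of_harm: bool        # outcome of the documented risk assessment
    individuals_unreachable: bool = False # some affected individuals cannot be located


def is_unsecured(incident):
    """Default definition: any PHI not protected by a NIST-endorsed encryption standard."""
    return not incident.encrypted_nist_standard


def breach_exception(incident):
    """Return the first applicable exception from the article's list, or None."""
    if incident.good_faith_workforce_access:
        return "good-faith access within scope of employment"
    if incident.internal_authorized_disclosure:
        return "inadvertent disclosure within the covered entity"
    if incident.recipient_could_not_retain:
        return "recipient could not retain the information"
    return None


def is_reportable_breach(incident):
    """Reportable only if the PHI was unsecured, no exception applies, and the
    risk assessment found a significant risk of harm to the individual."""
    if not is_unsecured(incident):
        return False
    if breach_exception(incident) is not None:
        return False
    return incident.significant_risk_of_harm


def notification_plan(incident):
    """Derive the notification obligations the article describes for an incident."""
    plan = {
        "reportable": is_reportable_breach(incident),
        "exception": breach_exception(incident),
        "document_assessment": True,   # the risk assessment process must be documented either way
    }
    if not plan["reportable"]:
        return plan
    large = incident.affected_count > LARGE_BREACH_THRESHOLD
    plan.update({
        "notify_individuals_by": incident.discovered_on + timedelta(days=NOTIFICATION_WINDOW_DAYS),
        "substitute_web_notice": incident.individuals_unreachable,
        "notify_hhs": large,
        "notify_media": large,
        "log_entry": True,             # breach log is maintained and submitted to HHS annually
    })
    return plan


# Constructed sample incidents (not real events).
SAMPLE_LARGE = PhiIncident(date(2009, 10, 1), 1200, False, False, False, False, True, True)
SAMPLE_SMALL = PhiIncident(date(2009, 10, 15), 40, False, False, False, False, True)
SAMPLE_EXCEPTION = PhiIncident(date(2009, 10, 20), 1, False, True, False, False, False)
SAMPLE_ENCRYPTED = PhiIncident(date(2009, 10, 20), 3000, True, False, False, False, True)

if __name__ == "__main__":
    for name, inc in [("large", SAMPLE_LARGE), ("small", SAMPLE_SMALL),
                      ("exception", SAMPLE_EXCEPTION), ("encrypted", SAMPLE_ENCRYPTED)]:
        print(name, notification_plan(inc))
```

The ordering matters: the encryption check comes first because encrypted PHI is not "unsecured" at all, the exceptions are tested before the risk assessment because an excepted event is not a breach, and only a reportable breach produces a deadline and the HHS/media flags.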

Disclosures

Currently, covered entities may use and disclose only the minimum necessary PHI for their business purposes, but they have considerable latitude to determine what the minimum necessary information is. Under HITECH, covered entities must first consider whether partially de-identified data, known as a limited data set, can be used to accomplish their objectives, and must limit their uses and disclosures to limited data sets where possible.

A limited data set excludes basic identifying information such as the individual's name, social security number, postal addresses, email addresses, telephone numbers and similar identifiers.

Under HITECH, covered entities using electronic health records (EHR) must now supply individuals with an accounting of disclosures from those records made for treatment, payment or healthcare operations purposes, such as submitting insurance claims, during the three years preceding the request.

Non-Medicare patients can also pay out-of-pocket for healthcare services and request that their provider not disclose their PHI to, or submit a claim to, the health plan. An employee can also request access to PHI in an electronic format and have it sent to another person or entity.

This provision is subject to rulemaking. The earliest date it will apply is January 1, 2010.

Part 3 of this article will discuss the ARRA requirements around marketing and the penalties for HIPAA violations.