Thursday, November 19, 2009

HIPAA Breach Notification Rule: Safe Harbor & Current Obligations

Interim HIPAA breach notification regulations from the U.S. Department
of Health and Human Services ("HHS") became effective September 23,
2009, requiring entities to give notice to affected individuals of any
breach of unsecured protected health information. These rules originate
with the Stimulus Bill and are part of the administration's promotion of
"electronic health records."

Safe Harbor

The new rules contain a safe harbor. Entities that use HHS-approved
technologies and methodologies resulting in the encryption or
destruction of the health records in question need not comply with the
notification rules (although notification is still considered a best
practice).

Key to the safe harbor is the fact that the rules apply only to
breaches of "unsecured" Protected Health Information ("PHI"). The term
"unsecured" refers to PHI that has not been secured through the use of a
technology or methodology approved by HHS. HHS guidance (called the
"HITECH Breach Notification Guidance") describes the approved
technologies and methodologies that render PHI "unusable, unreadable, or
indecipherable to unauthorized individuals." Electronic PHI is secured
when it has been adequately encrypted. Hard copies of PHI can only be
secured when shredded or destroyed such that they cannot be read or
reconstructed.

Current Obligations

A covered entity and a business associate must be able to identify,
record, investigate and report to the affected individual and to HHS any
breach occurring after September 23, 2009. A covered entity's work
force must be trained on the new breach notification regulations.
Additionally, a covered entity must adopt sanctions for violating the
new breach notification rules, and those sanctions must be included in
the covered entity's policies. Covered entities should therefore
examine their handbooks or other provisions regarding sanctions to
ensure that they are broad enough to cover violations of the breach
notification rules. If not, they need to be updated.

Definition of Breach

If there is a saving grace in all of this, it is that the definition
of a "breach" has been modified as well. The regulations now provide
that a "breach" exists if there is an acquisition, access, use, or
disclosure of PHI in a manner not permitted by the Privacy Rules and
such action "compromises" the security or the privacy of the PHI. The
definition of "compromise" now includes a helpful risk analysis, and
under that analysis the PHI is compromised only if the event poses "a
significant risk of financial, reputational, or other harm to the
individual." In other words, many minor or insignificant breaches may
not pose a significant risk of such harm, and need not be reported to
the affected individual or to HHS. A breach of unsecured PHI is also not
considered to have occurred under certain exceptions:

1. If an unauthorized person to whom the unsecured PHI is disclosed would
not reasonably have been able to retain the PHI;

2. An unintentional acquisition, access, or use of unsecured PHI occurs
by an employee or individual acting under the authority of a HIPAA
covered entity or business associate, but only if (a) the acquisition,
access or use is made in good faith and within the course and scope of
employment or other professional relationship with the covered entity or
business associate and (b) such unsecured PHI is not further acquired,
accessed, used, or disclosed by anyone; or

3. Where the inadvertent disclosure occurs from an individual who is
otherwise authorized to access unsecured PHI at a facility operated by a
HIPAA covered entity or business associate, to another similarly
situated individual at the same facility, but only if the unsecured PHI
is not further accessed, acquired, used or disclosed without
authorization.

HIPAA covered entities and business associates should each identify
their business associates, agents and sub-contractors and review their
agreements so that they require compliance with the new regulations.
Handbooks and training need to be updated as well.

Kevin McManaman

Knudsen, Berkheimer, Richardson & Endacott, LLP

3800 VerMaas Pl

Suite 200

Lincoln NE 68502

402 475 7011

402 475 8912 (F)

www.knudsenlaw.com

krm@knudsenlaw.com
