The Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires physicians, health plans, and other covered entities to notify individuals when their unsecured health information is breached. Covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures. The HITECH Act also provides guidance on proper methods of encryption and destruction of health information. The updated rules went into effect March 26, 2013 and practices were required to comply by September 23, 2013.
The regulations define “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary of HHS in guidance.” This guidance was initially published in the Federal Register on April 27, 2009 and revised in the Federal Register (www.gpo.gov) published on January 25, 2013.
In essence, the guidance outlines ways to render the protected health information (PHI) as unusable, unreadable, or indecipherable to unauthorized individuals.
If the protected health information is secured in accordance with the guidance, there is no need to provide notification if there is a breach of that information.
The definition of a breach was revised under the updated rules that went into effect on March 26, 2013.
Under the previous rule, a breach was defined as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information (e.g. poses a significant risk of financial, reputational, or other harm to the individual), except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
Under the new rule, a breach is presumed to have occurred (regardless of whether it poses a significant risk of financial, reputational, or other harm to the individual), unless a risk analysis based on the following four factors can demonstrate that there is a low probability that the patient’s Protected Health Information (PHI) was compromised:
In all breaches, any individual whose PHI has been inappropriately released is to be notified. The notification must contain the following information:
This notice must be provided by first class mail, unless the individual has authorized the use of an electronic mail address for such notices. All notices must be issued within 60 days of discovery of the potential breach, and there cannot be unreasonable delays in providing notice (i.e., a covered entity that discovers and confirms a breach within ten days cannot wait until day 60 to provide the notice).
If there are fewer than ten individuals for whom the covered entity does not have sufficient contact information to provide written notice, the covered entity can provide substitute notice through an alternative form of written notice, by telephone or other means.
If there are ten or more individuals for whom the covered entity does not have sufficient contact information to provide written notice, the covered entity must provide substitute notice through either a posting on their Web home page for 90 days or notice in major print or broadcast media. The covered entity must also provide a toll-free phone number, active for 90 days, where individuals can learn whether their information was part of the breach.
If there are over 500 individuals involved in the breach, the covered entity must notify the Secretary of HHS within 60 days. If there are 500 individuals from the same state or jurisdiction, the covered entity must also notify the local media that a breach occurred.
The covered entity is required to retain a log of all breaches and submit an annual report to the Secretary of HHS on those breaches. Since the burden of proof for breach exceptions and adequate notification lies with the covered entity, it is important for them also to keep documentation of any investigation of potential breaches and all notification activities.
Breach Notification Requirements