
Health Insurance Portability and Accountability Act (HIPAA) Reform

The American Recovery and Reinvestment Act of 2009 (“ARRA”) made several changes to HIPAA
requirements that group health plan sponsors should be aware of, including the requirement that
covered entities (including group health plans) provide notification to individuals and the
Department of Health and Human Services (“HHS”) if unsecured protected health information
(“PHI”) has been breached.

When the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”)
was enacted as part of the ARRA, it extended certain HIPAA privacy and security provisions to
business associates. Plan sponsors of group health plans may work with business associates
with whom they have entered into contracts to share PHI. Those business associates are
now subject to the HIPAA privacy and security rules to the same extent as the covered entity. HHS is
now required to conduct periodic audits of business associates in addition to covered entities, and
business associates are now subject to the same civil and criminal penalties for violations.
The “interim rule” took effect on September 23, 2009. HHS has stated that it will not impose
sanctions for any failure to provide notification of breaches discovered before February 22, 2010,
which is 180 calendar days after the publication of the interim rule on August 23, 2009.

On April 17, 2009, HHS released initial guidance on how PHI can be protected so it is not
considered unsecured PHI. Unsecured PHI has been further defined in new guidance issued on
August 24, 2009 by HHS as “PHI that is not secured by technology or methodology that renders the
PHI unreadable, unusable or indecipherable to unauthorized individuals.”

Several clarifications were made in the recent guidance. Breach is defined as the “unauthorized
acquisition, access, use, or disclosure of protected health information which compromises the
security or privacy of such information, except where an unauthorized person to whom such
information is disclosed would not reasonably have been able to retain such information.” The
guidance also clarified that “unauthorized” acquisition, access, use or disclosure of PHI means
an impermissible use or disclosure of PHI under the HIPAA Privacy Rule. The guidance pointed
out that not all violations of the HIPAA Privacy Rule will constitute a breach. In the event of a
Privacy Rule violation, the covered entity must determine whether the violation is also a breach
that triggers the notification requirements outlined below.

The guidance also stated PHI is compromised if it “poses a significant risk of financial, reputational,
or other harm to the individual.” The covered entity must perform a risk assessment, and HHS
recommends considering the following factors:

- Who impermissibly used the information or to whom the information was impermissibly
disclosed

- Whether immediate steps were taken to mitigate an impermissible use or disclosure such
that the risk of harm to the individual is less than a “significant risk”

- Whether impermissibly disclosed PHI is returned before being accessed for an improper
purpose

- Whether the type and amount of PHI impermissibly used or disclosed poses a significant risk
of financial, reputational, or other harm.

To assist in your compliance efforts, the following outline lists your responsibilities if a breach
should occur. Once a breach has occurred involving unauthorized access, use or disclosure of PHI, the
group health plan must notify affected individuals within 60 days after the breach is
discovered. Other individuals or entities that must be notified include:

1. The Secretary of HHS, on all breaches. If 500 or more individuals in a single State or
jurisdiction are affected, notification must also be provided in prominent media outlets serving
that State or jurisdiction.

2. Web site or major print or broadcast media, for plans that do not have current or sufficient
information to contact 10 or more individuals.

3. The covered entity, if the breach is discovered by a business associate.

Notices to individuals should include the following information:

1. Date of the breach (if known), date of discovery, a brief description of what happened

2. Types of unsecured PHI involved

3. Steps to avoid harm as a result of the breach

4. Description of what the plan is doing to investigate, mitigate losses and avoid further
breaches

5. Contact procedures for questions or to obtain additional information, including a toll-free
number, e-mail address, Web site or postal address.

HHS guidance also provides that PHI is not subject to the notification requirements if it has been
rendered “unusable, unreadable, or indecipherable to unauthorized individuals,” because such PHI is
not considered unsecured. In addition, in its recent guidance HHS modified the exceptions to the
notification requirements, which now include:

- Exception for Unintentional Access - Notification requirements do not apply to an
unintentional acquisition, access or use of PHI by an employee or individual acting under the
authority of a covered entity or business associate, if done in good faith and within the scope of
their authority. The guidance modified the definition of workforce member to include
employees, volunteers, trainees, and other persons whose conduct in the performance of
work for a covered entity is under the direct control of such entity, whether or not they are
paid by the covered entity.

- Exception for Inadvertent Disclosure - Notification requirements do not apply where PHI is
inadvertently disclosed to another person authorized to access PHI at the same covered entity or
business associate.

- Exception Where Disclosed PHI Would Not Reasonably be Retained - A disclosure does
not constitute a breach if the unauthorized person to whom the disclosure was made would
not reasonably have been able to retain the information (for example, PHI returned by the post
office unopened and undeliverable).

Two methods are recognized by which PHI can be “secured”:

1. Encryption - the guidance provides an exclusive list of acceptable encryption methodologies. If
encryption is used to secure PHI, the encryption keys must be kept on a separate device
from the data being encrypted or decrypted.

2. Destruction - hard copies of PHI will be considered destroyed if they are unreadable and
cannot be reconstructed. Electronic media must be cleared, purged or destroyed consistent
with publications issued by the National Institute of Standards and Technology.

Redaction (i.e. editing, revising, rewriting or adapting the document), in lieu of destruction,
is not an acceptable method to secure paper-based PHI.

We recommend employers begin the compliance process by updating their privacy and security
policies and procedures to reflect the new rules, including an update to your Notice of Privacy
Practices required by the HIPAA Privacy Rules. Workforce members should be informed of the
new requirements as well.

Previously, the covered entity was responsible for identifying which business associate
relationships required agreements and for obtaining the necessary contracts. The new rules require
business associates to be more proactive in complying with security policies and procedures and in
adopting appropriate physical, administrative and technical safeguards. As a result of these new
rules, business associate contracts should be revised for compliance.

Please check with your compliance officer to determine the next steps for your organization.