On August 19, 2009, the Department of Health and Human Services (HHS) issued an interim final rule entitled “Breach Notification for Unsecured Protected Health Information.” This rule describes how healthcare providers must notify patients when the security of their protected health information has been breached. Providers must comply with these new requirements beginning on September 23, 2009. They must also revise their internal policies to include these requirements.
According to HHS, a breach occurs when protected health information is acquired, accessed, used, or disclosed in a way that poses “significant risk of financial, reputational, or other harm to the individual.” Breaches involve access to a patient’s information by unauthorized persons, except when providers or employees disclose information in good faith to unauthorized persons based upon the belief that such persons are unable to retain this information.
HHS states that breach notification must include:
- “A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- A description of the types of unsecured [emphasis added] protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.”
Providers have sixty (60) calendar days from discovery of a breach to notify patients whose information has been compromised. Providers must send written notification, via first-class mail, to such patients at their last known addresses. Notification may also be delivered electronically when patients have agreed to this form of communication.
If patients are deceased, notification should be mailed to patients’ next of kin or personal representatives. In an emergency situation in which imminent misuse of the health information may occur, providers may notify individuals by telephone or other means, in addition to providing written notice.
If written notice is impossible to provide due to incomplete or outdated contact information, a substitute form of notice must be provided. When there is insufficient contact information for fewer than ten (10) individuals, notice may be given by telephone, another type of written communication, or other means. When sufficient contact information is unavailable for ten (10) or more individuals, such notice shall:
- Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
- Include a toll-free telephone number that remains active for at least 90 days that individuals can use to learn whether their unsecured protected health information may be included in the breach.
Providers also have a duty to notify the media of a breach affecting more than five hundred (500) individuals residing in one State or jurisdiction. In this situation, providers need to notify “prominent media outlets” serving the particular State or jurisdiction. Notice must be in written form and given no later than sixty (60) days after discovery of the breach.
The Secretary of HHS must also receive notice of breaches, but the timing depends on the number of individuals affected. When five hundred (500) or more patients are involved, providers need to mail written notification to the Secretary at the same time that notice is sent to the affected individuals. For breaches involving fewer than five hundred (500) patients, providers must maintain documentation of these breaches throughout the year. This documentation must be sent to the Secretary no later than sixty (60) days after the end of the calendar year.
©Copyright, 2009 by Elizabeth E. Hogue, Esq. All rights reserved. No portion of these materials may be reproduced by any means without the advance written permission of the author.
Ms. Hogue is a Washington DC-based attorney specializing in home health issues. She has developed a HIPAA Policy appropriate for home health agencies, private duty agencies, hospices, HME suppliers and individual providers such as therapists, ALFs, ILFs, physicians, etc. Contact her directly for ordering information. ElizabethHogue@ElizabethHogue.net