Federal law will soon require employers to provide notice to their health plan participants, the Department of Health and Human Services (HHS), and potentially even the media, following breaches of participants' unsecured protected health information (PHI), under interim final HHS regulations published in the August 24, 2009, Federal Register.
WHAT DOES THIS MEAN TO YOU AS AN EMPLOYER?
The new regulations are effective for breaches occurring on and after September 23, 2009, and provide employers with much-needed guidance in determining: (1) whether a “breach” has occurred; (2) exactly when notices to the media are needed and how they are to be provided; and (3) how HHS thinks the new federal rules will work in conjunction with existing state notice requirements. HHS does indicate, however, that through March 2010 it will not impose penalties for failing to comply with the rules, but will instead work with employers and health care providers through technical assistance and voluntary corrections.
The notice requirements detailed in the new rules were created by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in February of this year as a part of the new stimulus law, the American Recovery and Reinvestment Act of 2009. It is important to note that the HITECH Act notice requirements do not displace the various state and other federal law requirements for notices of breaches of certain types of information. However, HHS indicates in the preamble to the regulations that entities covered by the Health Insurance Portability and Accountability Act (HIPAA) should be able to comply with the new notice requirements without running afoul of other state and federal notice requirements.
The HHS regulations provide that a breach has occurred only if all four of the following requirements are met:
- The information is “unsecured” under HIPAA. “Unsecured” PHI is information that has not been destroyed under an approved method or secured by a technology that renders the PHI unusable, unreadable, or indecipherable to unauthorized individuals, using a method developed or endorsed by a standards body accredited by the American National Standards Institute. The new regulations clarify that electronic information encrypted in accordance with the HIPAA security rules will be considered secured for these purposes; if the PHI was secured, no notice is required even if it is lost or exposed.
- The information was used or disclosed in an “unauthorized” manner. HHS says this means that the information was used or disclosed in a manner that is not permitted under the HIPAA privacy rules, and notes that this includes a violation of the minimum necessary rule.
- The use or disclosure poses a “significant risk of financial, reputational, or other harm to the individual.” HHS says covered entities must perform and document a risk assessment to determine whether such harm is likely, reviewing factors such as to whom the information was disclosed and what steps were taken upon discovery of the use or disclosure. HHS noted that information kept in a limited data set generally is not exempt from the breach rule, although disclosure of this information may not pose as great a risk under the “harm” requirement.
- The use or disclosure does not fall under an exception listed in the statute. The HITECH Act provides three exceptions, which the regulations explain further:
  - Unintentional access by a covered entity’s or business associate’s employee, acting in good faith and within the scope of his or her authority.
  - Inadvertent disclosure from one covered entity or business associate employee to another similarly situated employee.
  - The recipient would not reasonably have been able to retain the information.
The new HHS regulations focus primarily on the different types of notice required in the event of a breach to which the rules apply.
- Notices to Individuals: Under the HITECH Act, an employer health plan will have to notify each individual whose unsecured PHI was, or is reasonably believed to have been, improperly used or disclosed. These notices are required to be provided “without unreasonable delay” and “in no case later than 60 calendar days” after discovery. The preamble to the regulations clarifies that the 60 days is an outer limit, not a safe harbor: if an employer has the necessary information to notify individuals within 10 days of discovery of the breach, but does not notify individuals until 60 days after discovery, that employer would be in violation of the rules. “Discovery” is defined as actual knowledge of the breach by a member of the plan’s workforce or an agent of the plan, or deemed knowledge if the breach would have been discovered by exercising reasonable diligence.
These individual notices must be written in plain language and include basic information such as: (1) the date of the breach and the date of its discovery, if known; (2) a brief description of the breach, the types of unsecured PHI involved, and what the plan is doing to mitigate harm and protect against future breaches; and (3) steps affected participants should take to protect themselves. The notices may be sent by first-class mail to the individual’s last known address or by e-mail if the individual has agreed to receive electronic notices (and has not withdrawn that agreement). If contact information for some individuals is insufficient or out of date, substitute notice must be provided: if fewer than 10 individuals are affected, substitute notice may be an alternative form of written notice, a telephone call, or other means; if 10 or more individuals are affected, substitute notice must take the form of a conspicuous posting for a specified period on the home page of the plan’s website or a conspicuous notice in major print or broadcast media.
- Notices to Media: In addition to notifying affected individuals, if a breach affects more than 500 residents of one state or other smaller jurisdiction (such as a county, city or town), prominent media outlets serving that jurisdiction must be notified. This notice must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. This notice must include the same basic information as the individual notice. HHS clarifies in the preamble to the regulations that it expects this notice would usually be done in the form of a press release.
- Notices to HHS: In addition to the required notices to individuals and any potential notices to media outlets, employer-sponsored health plans will have to notify HHS of any breaches of participant unsecured PHI. If a breach involves 500 or more individuals, a plan must notify HHS at the same time it notifies the individuals. The manner and content of this notice are expected to be specified on the HHS website. As required by the HITECH Act, HHS will post on its website a list of HIPAA-covered entities, including employer-sponsored health plans, that submit reports of breaches involving more than 500 individuals. If a breach involves fewer than 500 individuals, the plan will have to track these breaches and notify HHS of them no later than 60 days after the end of the relevant calendar year. Note that the HHS reporting requirements do not depend on where an affected participant resides.
- Notices by Business Associates to Plan: A third-party administrator, claims administrator, pharmacy benefit manager or other business associate to an employer-sponsored health plan will be required to notify the plan itself in the event of a breach of unsecured PHI. Again, the notice must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. Discovery is defined in terms of actual knowledge by an employee, officer or other agent of the business associate or deemed knowledge if the breach would have been discovered by exercising reasonable diligence.
WHAT SHOULD I DO NEXT?
Employer-sponsored plans will need to update their HIPAA privacy and security policies and procedures to comply with the new notification rules, including a documented process for the risk assessment that determines whether an incident is a reportable breach and a log of breaches affecting fewer than 500 individuals for the annual report to HHS. Employers should also consider revising service agreements to ensure that third-party administrators and other service providers are specifically responsible for providing, or supplying the information needed for, any notices required under the new HHS regulations. If you have any additional questions regarding the information within this eCommunication, please call Corporate Synergies at 1.866.CSG.1719 or contact us today.