The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has added new requirements for employers, plan service providers (PSPs) and anyone who touches protected health information (PHI). Called the Health Information Technology for Economic and Clinical Health (HITECH) Act, it outlines new notification rules for anyone in contact with PHI. It arrived in the American Recovery and Reinvestment Act of 2009 (ARRA) package issued February, 2009, and was effective September 23, 2009.
So what is HITECH all about? First, you’ll need some definitions:
• Breach: Unauthorized access, use or disclosure of PHI.
• Unsecured PHI: PHI that is not secured by encryption or destruction and could be interpreted by unauthorized individuals.
• Disclosure log: A log of legal disclosures that did not require an employee notice. Employees may request to see their personal disclosure log.
The HITECH Act requires covered entities and business associates to provide notification if a breach involves unsecured PHI. Unsecured PHI has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. Electronic PHI must be encrypted to be considered secure while in motion (emails), in use, at rest (residing on a data server) or it must be destroyed.
Merely password protecting PHI is not enough. The guidance specifying the technologies and methodologies for rendering PHI “secured” is exhaustive. Again, PHI must be encrypted or destroyed to be considered “secure.”
To qualify as a breach that requires notification, there must be significant risk of harm to the individual. Facts and circumstances of the breach will determine the risk. Were immediate steps taken to obtain a guarantee that the information would not be used or disclosed in violation of HIPAA privacy laws? Was the PHI returned prior to being accessed, such as an unopened explanation of benefit statement returned to the health care provider? If it is determined that significant harm will occur, the individual(s) must be notified.
Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.
The notification of breach must include:
1. A brief description of what happened, and the date of the discovery of the breach, if known.
2. A description of the types of unsecured PHI that were involved in the breach (such as full name and disability code).
3. The steps individuals should take to protect themselves from potential harm resulting from the breach.
4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses and to protect against any further breaches.
5. Contact procedures for individuals to ask questions or learn additional information.
Covered entities and business associates must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
For more information straight from the Department of Labor (DOL) go to: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/. The Department of Health and Human Services has the whole scoop on breach notification.
Need to review the basics of HIPAA? Check out the MHM Resource website at: https://www.mhmresources.com and click on “Employer Solutions” to view the dropdown menu.
Encourage your employer clients to consult with their legal counsel to determine their HIPAA processes and procedures and to update their business associate agreement to conform to these latest HIPAA requirements.
The information contained in this article is not intended to be legal, accounting, or other professional advice. We assume no liability whatsoever in connection with its use, nor are these comments directed to specific situations.