

Don't Sweep the Breach Under the Rug! Notification Under the HITECH Act

by The Human Equation, Inc. on 10/22/2009

As more and more personal information ends up being maintained in some form of electronic medium, the concern surrounding data security breaches has never been higher. Since the consequences of a breach can be devastating to those whose information has been compromised, proactive measures must be taken to limit the damage. One such measure involves providing prompt notice to those affected individuals that their sensitive information may have fallen into the wrong hands.

Many states have legislatively adopted this approach in the context of data security breaches involving financial information, such as credit card and social security numbers. Under these laws, organizations are required to promptly notify affected individuals that their financial information has been compromised. Upon receiving such notice, those individuals can then take appropriate measures to prevent the harm that typically flows from a data breach, such as fraudulent charges against credit or identity theft.

The concept of requiring early notice of a data security breach has now found its way into the health care arena. The Health Information Technology for Economic and Clinical Health Act, or the HITECH Act, which was included in the American Recovery and Reinvestment Act of 2009, requires covered entities under the Health Insurance Portability and Accountability Act (HIPAA) to provide notification in the event of a data security breach involving unsecured protected health information. As in the case of breaches involving financial information, the goal of the HITECH Act is to give those individuals whose unsecured protected health information was compromised as much notice as possible so they can take appropriate preventative steps to limit the damage.

The HITECH Act provides that a covered entity, as defined in HIPAA, that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information…notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been accessed, acquired, or disclosed as a result of such breach.” Unsecured protected health information is information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technologies or methodologies specified by the Secretary of the Department of Health and Human Services (HHS).

Satisfaction of the duty to notify of such a breach, which also applies to a business associate of the covered entity, must be accomplished within a reasonable time. Specifically, the required notification must be made “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach by the covered entity or the business associate.” Pursuant to the Act, a breach is treated as discovered as of the first day on which it is known to the covered entity or business associate, or should reasonably have been known. Knowledge of the breach is imputed to the entity once any person who is an employee, officer, or other agent of the covered entity or business associate, other than the individual committing the breach, knows of the breach. This is the point at which the clock for notification begins to run.

According to the regulations interpreting the HITECH Act, the following elements, written in plain language, must be included in the notification:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A brief description of the types of unsecured protected health information that were involved in the breach, such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved;
  • Any steps individuals should take to protect themselves from potential harm;
  • A brief description of what the involved covered entity is doing to investigate the breach, to mitigate harm, and to protect against further breaches; and
  • Contact procedures for individuals to ask questions or to learn additional information, which shall include a toll-free telephone number, an email address, website, or postal address.

The HITECH Act details the different methods for providing notification of a breach. The first method is written notification by first-class mail to the individual at the last known address of the individual. If the individual in question currently agrees to electronic notice, then the notification may be accomplished by electronic mail.

The second method applies in cases in which there is insufficient or out-of-date contact information that precludes written notification. In such cases, substitute notification in a manner that is reasonably calculated to reach the affected individuals may be undertaken by the covered entity. If the breach involves fewer than ten individuals, then the substitute notice may be provided by an alternative form of written notice, telephone, or other means. If the breach involves ten or more individuals, then the substitute notice shall be in the form of either a conspicuous posting for a period of 90 days on the home page of the covered entity’s website, or a conspicuous notice in a major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. These postings must include a toll-free telephone number where individuals can learn whether their unsecured protected health information was included in the breach. The toll-free telephone number must remain active for at least 90 days.

The final method of notification under the HITECH Act applies in cases deemed by the covered entity to require urgency because of possible imminent misuse of the unsecured protected health information. In such cases, the covered entity may provide information to affected individuals by telephone or other means, as appropriate, in addition to providing the required written notification.

In cases involving a breach affecting more than 500 residents of a state or jurisdiction, a covered entity must notify prominent media outlets serving that state or jurisdiction. Such notification must be accomplished without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. In such cases, the covered entity must also notify the Secretary of HHS. In the case of breaches involving fewer than 500 individuals, a covered entity is required to maintain a log or other documentation of such breaches, and, not later than 60 days after the end of each calendar year, the covered entity must provide that information to the Secretary.

While the HITECH Act provides several timelines for providing notification of the breach, a covered entity may be relieved of the strict time requirements if a law enforcement official believes that providing notification of a breach would impede a criminal investigation or cause damage to national security. In such cases, the covered entity may delay providing notification in the manner requested by the law enforcement official.

The regulations interpreting the HITECH Act apply with respect to breaches of unsecured protected health information occurring on or after September 23, 2009. However, HHS has indicated that it will not begin imposing sanctions for failure to provide the required notice until after February 22, 2010. Thus, covered entities and their business associates have a grace period to update their internal policies and procedures in order to comply with the HITECH Act’s provisions. Despite this grace period, the implementation of the HITECH Act’s data breach notification provisions should serve to reinforce the principle that hiding the existence of a data breach is often considered a bigger misdeed than the breach itself.
