HHS & FTC Release Guidance On HITECH Act Data Breach Rules for HIPAA Covered Entities & Entities Dealing With Personal Health Records

April 18, 2009 at 9:42 pm

On April 17, 2009, the Department of Health & Human Services (“HHS”) released its initial guidance (the “HHS Guidance”) to health care providers, health plans and health care clearinghouses and their business associates (“HIPAA Covered Entities”) about when the new data breach notification rules (“UPHI Breach Notice Rules”) added to federal law under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) will require the HIPAA Covered Entity to provide notification of breach of the security of “unsecured protected health information” (“Unsecured PHI”). 

Concurrently, the Federal Trade Commission (“FTC”) released proposed regulations (the “FTC Rules”) to implement new health information data breach and other health information privacy and security mandates included in the HITECH Act for non-HIPAA Covered Entities providing or accessing personal health records and certain other consumer health information (“PHR”).  

The HHS Guidance and FTC Rules are required as part of the agencies' responsibilities for implementing various amendments to the Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) privacy and data security requirements and other federal health care technology reforms enacted under the HITECH Act when President Obama signed the American Recovery and Reinvestment Act of 2009 (“ARRA”) into law on February 17, 2009.

The HHS Guidance and the FTC Rules respectively relate to two separate new breach notification regimes:

  • The HHS Guidance sets forth guidance concerning the new rules applicable to HIPAA Covered Entities under Section 13402 of the HITECH Act (the “UPHI Breach Notice Rules”);

  • The FTC Rules propose new rules to apply to vendors of personal health records and other non-HIPAA covered entities dealing with “personal health records” (“PHRs”) within the meaning of the HITECH Act (the “PHR Breach Notice Rules”).

Entities covered by either set of rules will be required to provide certain specified notifications if a breach of this data occurs, unless the data was safeguarded in accordance with the applicable HHS or FTC guidance so that it does not count as “unsecured.”

HHS Guidance To HIPAA Covered Entities

Section 13402 of the HITECH Act requires HHS to issue interim final regulations requiring HIPAA Covered Entities to provide notification in the case of breaches of unsecured protected health information in accordance with the HITECH Act.  In anticipation of these breach notification requirements, Section 13402(h) of the HITECH Act defines “unsecured protected health information” to mean protected health information that is not secured through the use of a technology or methodology specified in HHS guidance as rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. The HITECH Act additionally required the Secretary of HHS to issue guidance identifying those technologies and methodologies by April 18, 2009.  HHS met this initial guidance deadline by posting the HHS Guidance on its website this week at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf.

Bearing the lengthy title, “Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009,” the HHS Guidance sets forth the initially required guidance about the UPHI Breach Notice Rules.  According to the HHS Guidance, it became immediately effective when published on April 17, 2009.  At the same time, the HHS Guidance also requests comments on the UPHI Breach Notice Rules of the HITECH Act.

The HHS Guidance outlines the minimum safeguards that HHS expects to require HIPAA Covered Entities to use to protect protected health information (“PHI”) against unauthorized use or access for purposes of the UPHI Breach Notice Rules and invites HIPAA Covered Entities and other interested persons to submit comments to HHS by May 22, 2009. The HHS Guidance states that it “will apply to breaches 30 days after publication of the forthcoming interim final regulations.”

FTC Rules For PHRs

The enactment of the PHR Breach Notice Rules as part of the HITECH Act reflects the growing awareness by Congress of the proliferation of vendors offering personal health records, or technologies used to create or access personal health records online, and its concern about the adequacy of existing privacy protections for information contained in those records.

In response to these concerns about the adequacy of the privacy protections afforded for personal health information and other consumer health information collected, accessed, and maintained by various non-HIPAA Covered Entities in online or other electronic applications, Congress mandated under the HITECH Act that the FTC adopt data breach regulations for these non-HIPAA Covered Entities dealing with personal health records (PHRs) on a temporary basis pending further study.  The HITECH Act also ordered the FTC and HHS to study these concerns and develop more specific recommendations about the protections necessary for this data.  The FTC and HHS must complete this study and report their joint findings and recommendations to Congress by February 17, 2010.  In the meantime, the HITECH Act directs the FTC to issue and enforce rules providing interim safeguards and data breach notification requirements for non-HIPAA Covered Entities dealing with PHRs.  

The FTC Rules are the rules the FTC proposes to use to implement these required interim rules, which define when vendors and other entities maintaining or interfacing with personal health records must notify individuals when the security of their individually identifiable health information is breached.  The FTC Rules will apply to entities that currently are not HIPAA Covered Entities subject to HIPAA.  Interested persons have until June 1, 2009 to review and submit comments on the FTC Rules.  To review a copy of the FTC Rules, see http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf.

Other HIPAA Changes & Developments

The enactment of the new data breach requirements is only one of a series of new developments that have significantly increased the risks and responsibilities of covered entities and others who handle PHI and other personal health information.  Recent enforcement actions by HHS and the FTC make clear that HIPAA Covered Entities and other businesses handling PHI or other personal information already face significant liability if they fail to adequately protect that information.  On February 18, 2009, for instance, HHS and the FTC jointly announced that CVS Pharmacy, Inc., the nation’s largest retail pharmacy chain, must pay the U.S. government a $2.25 million settlement and implement other required corrective actions to resolve charges that it violated HIPAA and other laws by disposing of pill bottles, prescriptions and other non-electronic records in dumpsters.  HHS and the FTC also announced that CVS Caremark Corp., the parent company of the pharmacy chain, signed a consent order with the FTC to settle potential violations of the FTC Act.  In announcing these CVS settlements, the agencies made clear that they construed HIPAA as requiring covered entities to apply adequate safeguards to protect PHI and electronic PHI even before the enactment of the HITECH Act data breach rules.  The HITECH Act requirements affirm and clarify the scope and applicability of these obligations as applied to HIPAA Covered Entities dealing with PHI and to non-HIPAA Covered Entities dealing with PHRs.  These developments make it imperative that these entities act promptly to update their policies and procedures in response to the HITECH Act requirements and these other developments.

In addition to responding to these data breach requirements, HIPAA Covered Entities also must address other changes to their HIPAA responsibilities enacted as part of the HITECH Act.  Beyond adding the data breach rules, the HITECH Act also tightened the HIPAA privacy and security mandates applicable to HIPAA Covered Entities in several other respects.  For instance, the HITECH Act:

  • Broadens the applicability of HIPAA’s Privacy Rules and penalties to include business associates;
  • Adds business associates of HIPAA Covered Entities to the list of persons who are responsible for complying with, and liable for failing to comply with, HIPAA’s privacy and security rules;
  • Clarifies that HIPAA’s criminal sanctions apply to employees or other individuals who wrongfully use or access PHI held by a covered entity;
  • Increases criminal and civil penalties applicable to HIPAA Covered Entities and members of their workforce who violate the HIPAA privacy or security requirements;
  • Allows State Attorneys General to bring civil damages actions;
  • Modifies certain HIPAA use and disclosure and accounting requirements and risks;
  • Prohibits sales of PHI without prior consent;
  • Tightens certain other HIPAA restrictions on uses or disclosures;
  • Tightens certain HIPAA accounting for disclosure requirements;
  • Clarifies the definition of health care operations to exclude certain promotional communications; and
  • Expands the Business Associate Agreement requirements.

These and other developments make it imperative that HIPAA Covered Entities and non-HIPAA Covered Entities handling or dealing with PHRs immediately review and update their data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws. Business associates that have not already done so also must appoint privacy officers and adopt and implement privacy and data security policies and procedures fully compliant with HIPAA and other applicable federal and state rules, including the amendments enacted as part of the American Recovery and Reinvestment Act of 2009 signed into law on February 17, 2009.

More Information

We hope you found this information helpful.  If you are interested in more details about the changes to the HIPAA privacy and security rules enacted under the HITECH Act, the CVS settlement actions and other developments affecting the responsibilities of HIPAA Covered Entities and others to protect PHI or other personal health care information, you may want to consider registering to participate in an online replay of the “2009 HIPAA Privacy & Security Update Webinar” presented by Cynthia Marcotte Stamer on March 25, 2009 at http://www.cynthiastamer.com/products_select_multiple.asp, or review some of the many other resources addressing these topics available under the Breaking News, Articles and Training materials online at CynthiaStamer.com.

If your organization needs assistance with understanding or managing its responsibilities or liabilities under HIPAA or other health care, data security or privacy matters, or wishes to inquire about HIPAA training or the other services and experience of Cynthia Marcotte Stamer, please contact Ms. Stamer at Cstamer@CTTLegal.com or telephone her at 214.270.2402.

If you or someone you know would like to register to receive these updates and other helpful information on HIPAA and other health care and human resources risk management matters, please be sure that we have your current contact information, including your preferred e-mail address, by signing up to receive the Solutions Law Press Health Care & IT Updates at https://solutionslaw.wordpress.com.  To learn more about Cynthia Marcotte Stamer and/or access some of her many HIPAA and other publications, go to CynthiaStamer.com.  For important information concerning this communication, review the About page.


Entry filed under: Data Security, Employment Law, FACTA, FTC, Health, Health care, Health Information Technology, Health Plans, Hospitals, Medical Privacy, Personal Financial Information, Personal Health Records, Physicians, Privacy.