Earlier this year, Congress enacted amendments to the Health Insurance Portability and Accountability Act that require health care providers and other covered entities to notify affected individuals when there has been a breach of the privacy or security of their protected health information. The Department of Health and Human Services has recently issued regulations implementing those statutory provisions. Providers need to be aware of the new requirements to avoid potentially large civil monetary penalties for violations.
HIPAA requires a covered entity to notify affected individuals when there has been an unauthorized use or disclosure of “unsecured protected health information” that “compromises the security or privacy of such information.” “Unsecured protected health information” is defined as protected health information (PHI) that is not secured by a method that renders the PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” The Secretary of HHS is authorized to determine what methods of securing PHI meet this standard. The Secretary has issued guidance to the effect that the only methods that will be considered to meet this standard are encryption and destruction. Many of those commenting on the regulations believed that this guidance was too restrictive, and that other methods, particularly firewalls and other access controls, should be considered to meet the statutory requirement. HHS rejected those comments, saying that making information difficult to obtain is not the same as making it unreadable. The guidance does not mean, however, that covered entities are required to encrypt all protected health information. It means only that the breach notification provisions do not apply if the information is encrypted by an approved method. Note that the guidance conditions this safe harbor on the decryption key not itself having been compromised: a lost laptop with an encrypted disk is outside the notification rules only if the key or password was not lost with it.
The statute provides that when a covered entity discovers that an unauthorized use or disclosure of unsecured PHI has occurred, it is required to notify each individual whose unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach. The notifications must be sent by first-class mail, unless an individual has consented to be contacted by e-mail, and must be provided “without unreasonable delay” and no later than 60 days after the discovery of the breach. The notification must include (i) a description of the breach, including the date of the breach and the date when the covered entity discovered it; (ii) a description of the types of PHI used, disclosed, or accessed in the breach; (iii) a description of the steps the covered entity is taking to investigate the breach, to mitigate harm resulting from the breach, and to protect against further breaches; (iv) the steps that affected individuals should take to protect themselves from harm resulting from the breach; and (v) procedures by which individuals may contact the covered entity to ask questions or obtain additional information.
If an individual affected by a breach is deceased, the covered entity must send notification to the individual’s next of kin or personal representative. In cases where the covered entity cannot contact an individual because its contact information is insufficient or out of date, some substitute form of notice “reasonably calculated to reach the individual” must be provided. If the breach affects ten or more individuals for whom the covered entity has insufficient or out-of-date contact information, the substitute notice must include either a conspicuous posting on the home page of the covered entity’s website or conspicuous notice in major print or broadcast media in geographic areas where affected individuals are likely to reside.
The covered entity is also required to notify the Secretary of HHS of unauthorized uses or disclosures of unsecured PHI. The timing of that notice depends on the size of the breach: a breach affecting 500 or more individuals must be reported to the Secretary without unreasonable delay and within the same 60-day window that applies to individual notices, while smaller breaches are logged and reported to the Secretary annually. If PHI of more than 500 residents of a particular state or jurisdiction is involved in a breach, prominent media outlets serving that state or jurisdiction must be notified as well. When a business associate of a covered entity discovers a breach of unsecured PHI, it is required to notify the covered entity and to identify, to the extent possible, the individuals affected. The requirements for timeliness of notification by a business associate are the same as the requirements for covered entities.
The statute requires covered entities to implement policies and procedures and to provide training to their employees about the breach notification requirements. The regulations implementing the statutory provisions were published in the Federal Register on August 24, 2009. For the most part, the regulations simply repeat the language of the statute, with minor clarifying changes. Their publication is significant, though, because it starts the clock running toward the effective date of the statute. The statute provides that the regulations are to be effective with respect to breaches that are discovered 30 or more days after publication, that is, on or after September 23, 2009. However, HHS has announced that although covered entities are expected to comply with the rules as of the effective date, the agency will not impose sanctions for failure to provide notification of breaches that are discovered before February 22, 2010.
One of the clarifications in the regulations is particularly significant because it may lessen the notification burden somewhat. The regulations arguably reduce the number of required notifications by providing that an unauthorized use or disclosure will be considered to compromise the security or privacy of PHI, and therefore will be reportable, only if the breach “poses a significant risk of financial, reputational, or other harm to the individual.” This is not a free pass: the regulations place the burden of proof on the covered entity, so a decision not to notify should rest on a documented risk assessment that can be produced if HHS asks why no notice was sent. The regulations also clarify the meaning of “unauthorized,” stating that a use or disclosure is considered unauthorized if it is an impermissible use or disclosure under the HIPAA privacy standards. Violations of the breach notification rules, like many HIPAA violations, can lead to the imposition of civil monetary penalties.
The statute amended HIPAA’s sanction provisions to increase the civil monetary penalties and to make the amount of the monetary penalties dependent on the knowledge and willfulness of the violation. A person who commits a violation, including a violation of the breach notification provisions, but does not know and by exercising reasonable diligence would not have known that the statute was violated, is subject to penalty of not less than $100 for each violation. If the person knew or should have known that the statute was violated, but there is reasonable cause for the violation and the violation is not attributable to willful neglect, the minimum penalty is $1,000 per violation. If a violation is due to willful neglect, the penalties start at $10,000 per violation if the violation is corrected within 30 days and at $50,000 per violation otherwise, up to a maximum of $1,500,000 per calendar year for all violations of the same requirement.
Although the new HHS regulations apply only to covered entities and their business associates, other sections of the statute impose very similar requirements on many non-covered entities, principally vendors of personal health records and the entities that serve them. The Federal Trade Commission is responsible for enforcing the law with respect to those non-covered entities. The FTC published regulations implementing those provisions one day after the publication of the HHS rules.
Before the recent amendments, civil monetary penalties for violations were limited to $100 per violation and a maximum of $25,000 per year for all violations of the same requirement. As a result, many covered entities tended to focus their compliance efforts in other areas in which the potential financial exposure was greater. The new sanction provisions have raised the stakes. Providers should review their privacy and security policies and procedures to minimize the likelihood of a breach, and should develop clear and specific policies on notification of individuals when a breach occurs.