Increased HIPAA Privacy Rules


by Vernon Squires, Attorney

In February 2010, the Department of Health and Human Services ("HHS") began enforcing the heightened breach notification rules that the HITECH Act added to HIPAA. The rules require covered businesses and organizations to report breaches of unsecured protected health information both to HHS and to the individuals whose information was compromised. In some cases, businesses must also notify media outlets. Any business or organization that uses, stores, or has access to protected health information should carefully review its current HIPAA compliance procedures, including employee training. In the event of a suspected breach, businesses must conduct a risk assessment to determine whether the incident is a reportable breach and what the federal reporting requirements are.

To navigate the enhanced breach-notification rules, businesses and organizations should ask the following questions:

  • Do we possess, store or control protected health information?
  • Who possesses, stores and controls the protected health information of our employees?
  • If unauthorized access occurs, should it be considered a “breach”?
  • Must we report the breach to any regulatory authorities?
  • How can we avoid a breach?

Protected Health Information

Protected health information is individually identifiable health information held or transmitted by a covered entity or its business associate. This generally includes all medical records and any health information an employer holds in its capacity as the administrator of a self-insured health plan. Employment records held by an employer in its role as employer, such as medical leave requests, fall outside this scope.

As a result, healthcare facilities, insurance companies, and businesses that administer their own self-insurance plans are all likely responsible for protected health information and are subject to the heightened HIPAA reporting requirements. Additionally, businesses may be subject to HIPAA reporting requirements even if they do not have any protected health information on site.


Business Associate Reporting Requirements

Businesses can be responsible for breach notification even if the breach does not occur under the business' watch.

Many businesses do not house protected health information on site. For example, a telecommunications company might not keep its employees' health plan records in its own offices and instead has a third party administer its self-insured health plan. Nonetheless, the employer's group health plan remains responsible for notifying affected employees of breaches of their protected health information that occur at the plan administrator's facilities. This is because the self-insured plan is the covered entity, and the plan administrator, which handles protected health information on the plan's behalf, is a "business associate." A business associate that discovers a breach must notify the covered entity, but the covered entity retains the obligation to notify the affected individuals and HHS.

Businesses and organizations using third-party administrators should review and, where necessary, modify their existing agreements with these third parties. The agreement should require the business associate to notify the employer promptly after discovering a breach, to identify the individuals affected, and to supply the details the employer will need for its own notices. The federal rule gives a business associate no more than 60 days after discovery to notify the covered entity, so the agreement should be at least that strict. Prompt notification allows the employer to meet its own federal reporting deadlines, which run from the date the breach is discovered.


Conducting a Risk Assessment

After learning of a potential security breach (for example, a curious employee browsing medical records without authority to do so, or documents inadvertently emailed to the wrong recipient), businesses must determine whether a "breach" in the legal sense has occurred.

The breach notification rule defines a breach as an impermissible acquisition, access, use, or disclosure of unsecured protected health information that compromises its security or privacy, which under the interim final rule means one that poses a significant risk of financial, reputational, or other harm to the individual. Businesses therefore must conduct a risk assessment considering who impermissibly accessed or received the information, the type and amount of information involved, whether the information was recovered before it could be accessed, and what steps were taken to mitigate the harm. Risk assessments must be conducted promptly and thoroughly, and they must be documented, because the business bears the burden of proving that an incident did not rise to the level of a breach.

As part of the risk assessment, businesses should determine whether the incident falls within one of the exceptions to the definition of "breach." The rule provides three: (1) an unintentional acquisition, access, or use by a workforce member or agent acting in good faith and within the scope of his or her authority, with no further impermissible use or disclosure; (2) an inadvertent disclosure by a person authorized to access protected health information at the covered entity or business associate to another person authorized to access it at the same organization, again with no further impermissible use or disclosure; and (3) a disclosure in which the business has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information. Note that the first two exceptions do not cover the curious employee described above, who acted outside the scope of his or her authority.


Notifying Affected Individuals, Federal Authorities, and Local Media Outlets

If a risk assessment concludes that a breach has occurred, businesses must comply with the new HIPAA breach notification rules.

Businesses must notify each affected individual in writing, without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. The notification must include:

  1. a brief description of what happened, including the date of the breach and the date it was discovered, and the types of unsecured protected health information involved;
  2. steps the individual should take to protect against potential harm;
  3. what the business is doing to investigate the breach, mitigate harm, and prevent future breaches; and
  4. contact procedures, such as a toll-free telephone number, email address, website, or postal address, for individuals who have questions.

Businesses must also report breaches to HHS, either at the time individuals are notified or annually, depending on the size of the breach. If the breach involves 500 or more individuals, the business must notify HHS without unreasonable delay and no later than 60 days after the breach is discovered, that is, after the business knew, or by exercising reasonable diligence would have known, of the breach. If the breach involves fewer than 500 individuals, the business must record it in a breach log and submit the log to HHS within 60 days after the end of the calendar year in which the breaches were discovered.

Businesses must also notify prominent media outlets serving the relevant state or jurisdiction when a breach involves more than 500 residents of that state or jurisdiction. The media notice is due on the same timeline as the individual notices and must contain substantially the same information.


Compliance Programs and Employee Training

Given the reporting requirements, businesses will be well served to take a preventative approach to the new breach notification rules. Businesses should review their existing compliance programs to determine how they can prevent breaches from occurring. Businesses should also evaluate their procedures for discovering breaches, because the rule treats a breach as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any employee or agent of the business other than the person who committed it. The reporting clocks start on that date, whether or not anyone actually noticed the incident.

As part of an enhanced compliance program, businesses should conduct employee training regarding the new HIPAA breach notification rules. Employees must know what protected health information is, what constitutes a breach, and how to handle a situation involving a suspected breach. Even if revamped compliance programs and employee training cannot prevent all potential breaches, they will likely factor into any HHS review of a business’ breach log.


Conclusion

Overall, the heightened HIPAA reporting requirements mean that businesses with protected health information should reevaluate their internal controls and employee training programs. Businesses or organizations that learn of a potential breach must take immediate remedial action to determine whether a breach has occurred and to comply with the federal reporting requirements.



The author acknowledges the assistance of Charles Showalter, a third-year law student at the University of Iowa.