[Med-privacy] Breach Notification Rules
peter marshall
pwm@comcast.net
Wed, 9 Sep 2009 12:38:32 -0700
New Health Care Breach Notification Rules Issued
By Kirk J. Nahra
September 2009 | Privacy in Focus
With two important new security breach notification rules issued in recent days, the health care industry and its business partners now face an entirely new federal environment for disclosure of security breaches. Through these two rules, the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) have reshaped requirements for disclosure of information—to individuals, the government and even the media—related to security breaches in an enormous range of settings. While these rules postpone for a short time enforcement against those who fail to fully meet these new notification obligations, health care entities and the wide range of companies providing services to these entities need to use this time wisely—to begin to meet their compliance obligations, to evaluate how they will meet the substantial challenges presented by these rules and to determine how they can take steps to improve overall security for the protection of health care information.
HITECH Act Provisions
These new rules stem from the substantial new privacy and security provisions of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), as incorporated in the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5). As a component of the wide-ranging "economic stimulus" provisions, Congress determined that, because of its interest in providing economic incentives to health care providers to implement electronic medical records, it needed to establish "improved" privacy and security rules for the health care industry, where most rules have nothing to do with electronic health records. For a general description of these HITECH changes, see Nahra, "A New HIPAA Era Emerges," Privacy In Focus (March 2009).
One of the most significant provisions of the HITECH Act focuses on notification to individuals in the event of information security breaches. Expanding on the wide range of state laws addressing security breach notification, Congress, for the first time, enacted a national provision on breach notification for the health care industry alone. This new breach reporting requirement is the first significant national security breach reporting statute. While following the lead of the state notice laws, the federal HITECH provision is much broader, because it: (1) applies to breaches involving any kind of personal information held by health care companies (rather than only specific categories—such as Social Security numbers), and (2) does not include a clear and explicit "risk of harm" threshold.
The breach notification legislation includes specified "exceptions"—potentially significant but very limited. Critically, the breach notification obligation applies only where information is "unsecured." The term "unsecured protected health information" in the new notice provisions means "protected health information that is not secured through the use of a technology or methodology specified by the Secretary" and "protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute." The HHS implementing regulations confirm that the idea of "secured" information includes both "encrypted" information, meeting certain technical standards, and "destroyed" information. This exception should motivate companies to pursue new and expanded means of encrypting their customer information. Two practical caveats follow from the HHS guidance the rule incorporates: the safe harbor is available only for encryption consistent with the NIST publications HHS cites (NIST Special Publication 800-111 for data at rest; 800-52, 800-77 and 800-113 for data in transit), and only if the decryption key or process was not itself compromised in the same incident. A laptop whose full-disk encryption passphrase was stored with the device, or a database whose keys sit on the same compromised server, does not qualify.
The HITECH Act includes several additional exceptions, which serve mainly to emphasize the breadth of the breach notification requirements. For example, the statute creates an exception where the unauthorized recipient "would not reasonably have been able to retain the information." Stakeholders have been struggling to identify situations where this exception would apply.
The HITECH breach notification provisions have triggered substantial concern in the health care industry. They also have created additional (and perhaps unanticipated) burdens to revise Health Insurance Portability and Accountability Act (HIPAA) business associate agreements on a faster timetable than the law otherwise envisioned. Specifically, because business associates are required to report breaches to covered entities, and because the breach provisions apply to breaches that occur 30 days or more after the implementing regulation is issued, while the rest of the law is not effective until February 2010, many companies feel compelled to revise their business associate agreements on an accelerated timetable to establish specific reporting frameworks.
The HITECH Act required promulgation of the two new regulations. First, Congress required HHS to adopt a specific rule for HIPAA-covered entities and their business associates, defining and explaining the requirements related to breach notification. Second, Congress required the FTC to promulgate a breach notification rule for entities in the "personal health records" marketplace, many of which are not otherwise covered by HIPAA.
The FTC Rule
The FTC was the first out of the box, issuing its regulation on August 17, 2009. The FTC regulation focuses on two kinds of entities: (1) vendors of personal health records (companies that provide online repositories that people can use to keep track of their health information) and (2) entities that offer third-party applications for personal health records (the FTC's examples included devices such as blood pressure cuffs or pedometers whose readings consumers can upload to their personal health records).
Much of the FTC's rule addresses jurisdiction. The FTC made clear that its focus was on companies that are outside of HIPAA coverage. In fact, the FTC rule made clear that (with very limited exceptions) the FTC's jurisdiction extends only to entities that are not subject to HHS jurisdiction, so that companies only face one regulator for these issues and consumers will receive only one notice in the event of a security breach.
What Are the Other Key Components of the FTC's Rule?
Clear Jurisdictional Separation from HHS
The FTC's rule applies only to a limited class of entities—those participating in the personal health records marketplace and not covered by HIPAA. This breach notification rule represents the first step in the regulation of these entities—with a future study by the FTC and HHS required to consider a broader set of restrictions on their activities.
No Help on Preemption
The FTC discussed the potential confusion arising from state security breach notification laws, but made no effort to preempt these laws. Accordingly, entities covered by the FTC rule must comply with both that rule and any relevant state breach laws. Given the web-based business model of most personal health record vendors, this dual compliance obligation seems likely to remain a substantial source of complications when breaches occur.
A Distinction between "Access" and "Acquisition"
The FTC's rule creates a rebuttable presumption that unauthorized access to personal health record information leads to the unauthorized acquisition of that information, but provides the opportunity for regulated entities to demonstrate that the unauthorized access did not in fact lead to improper acquisition (e.g., a laptop is stolen but a forensic analysis indicates that the laptop password was not breached and no information was viewed). Note that this rebuttal is not the same as the encryption safe harbor. A login password alone does not make the data on an unencrypted drive inaccessible, since the disk can be removed and read directly; an entity relying on this rebuttal should expect to show, with forensic evidence, that the data was not reached, not merely that the account credentials held.
No Additional "Risk of Harm" Threshold
Other than this "access/acquisition" distinction, the FTC did not read into the legislation any additional "risk of harm" threshold. Instead, in the context of web-based personal health record vendors, the FTC rule requires notice in any situation where there has been unauthorized access and the entity cannot demonstrate that no acquisition took place.
Enforcement Hiatus
The FTC rule is effective for breaches that take place 30 days after publication in the Federal Register. That publication occurred on August 25 (74 Fed. Reg. 42,962 et seq.), and the rule's stated effective date is September 24, 2009. However, the FTC was sympathetic to industry concerns about the effects of this rule. Accordingly, while it expects full compliance with the rule after 30 days, it has indicated that it will use its enforcement discretion not to seek penalties for compliance failures until a period that is 180 days after the publication of the rule—or five additional months from the compliance date. The stated full enforcement date is February 22, 2010.
The HHS Rule
The HHS regulation (developed by the HHS Office for Civil Rights (OCR), the enforcement agency for the HIPAA Privacy and Security Rules) was issued on August 19, 2009, as an "Interim Final Rule." It was published in the August 24 Federal Register (74 Fed. Reg. 42,740 et seq.). The stated effective date is September 23, 2009. HHS will be accepting comments on this rule for a 60-day period ending October 23, 2009.
According to Robinsue Frohboese, Acting Director and Principal Deputy Director of OCR, "[t]his new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information."
While the FTC rule applies to a relatively limited set of entities, the HHS rule applies across the health care industry, to all HIPAA-covered entities and their business associates. The bulk of the rule deals with the details of notice—relating to timing, the content of the notice and communication to HHS and media about breaches. Beyond these points—which are important but are relatively "technical" once breaches occur—what are the most significant elements of the HHS rule?
While companies will be parsing the details of the HHS rule (and the extensive commentary that accompanies the rule), there are several components that stand out as critical issues for the near future.
No Expansion of the "Secured" Concept
Under HITECH, breach notification is required only for breaches involving "unsecured" information. In its proposed rule, HHS identified encryption and "destruction" of information as appropriate means of securing information such that the notification "safe harbor" would not require reporting. In the final regulation, HHS reviewed and then rejected various additional means of securing information, such as access controls and redaction. Accordingly, to take advantage of this safe harbor, companies must encrypt or destroy information. While other security measures may be effective to reduce any risk of a breach in the first place, they will not, by themselves, result in application of this safe harbor. Note that "destruction" of electronic media means sanitization consistent with the NIST media sanitization guidance HHS cites (NIST Special Publication 800-88), not simply deleting files, which leaves the data recoverable.
HHS Implemented a "Risk of Harm" Threshold
One of the biggest concerns stemming from the HITECH provision was that companies would be required to provide notice in situations where no harm could actually result from a disclosure. Covered entities worried about the costs and reputational effects of disclosing breaches with no consequences; others worried that recipients of these notices would be confused or alarmed by a notice that seemed to describe a "no impact" situation.
Relying on the HITECH language concerning notification in situations where a breach "compromised" the privacy or security of health information, and taking a different approach from the FTC, HHS implemented a realistic and responsible "risk of harm" threshold, requiring notice in situations where the incident "poses a significant risk of financial, reputational, or other harm to the individual." The burden of determining that there is no significant risk falls on the covered entity, which otherwise is responsible for notifying the affected individual.
Compliance Is Required Promptly, but Enforcement Is Postponed for 180 Days
Like the FTC, HHS also has recognized many of the concerns about the reporting timetable. Accordingly, while HHS is requiring compliance with this provision on the statutory timetable (30 days after publication of the rule in the Federal Register), it also will utilize its enforcement discretion not to issue penalties for failure to meet these standards until February 22, 2010. This gives covered entities and business partners an additional five months to prepare for full enforcement of this rule.
[....]
Copyright © 2009 WILEY REIN LLP