Thursday, July 22, 2010

Q. What are my HIPAA obligations when patient information has been breached or improperly disclosed?

A. The Department of Health and Human Services (HHS) is implementing significant changes to the HIPAA medical privacy and security rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA covered entities now need to notify patients if and when certain security breaches or HIPAA privacy violations occur. The HHS breach notice rule also applies to business associates that receive protected health information (PHI) from, or create or maintain PHI for, an HME while providing services on its behalf.

Under the rule, HMEs must provide detailed notices no later than 60 days from the date of discovering a breach of unsecured PHI. The rule requires notice of what happened and how, the types of PHI involved, and the steps being taken to investigate the breach and mitigate harm. HMEs also must notify HHS, either immediately or annually depending on the size of the breach, and, for certain breaches, provide public notice via prominent media outlets and the HME’s website.

HMEs can manage some of these risks through encryption, using limited data sets, and good procedures and training on breach detection and mitigation. The HITECH breach notice requirement applies only to unsecured PHI, that is, PHI not secured through encryption standards endorsed by HHS or stripped of certain identifiers. Many covered entities are now adopting encryption as a method for securing and transmitting PHI, especially with regard to laptops and other remote devices. Often, using and disclosing PHI through a limited data set that strips out certain elements meets the need of the HME and reduces the potential for exposure.

Notice is not required in certain instances where there is no significant risk of financial, reputational or other harm to the individual and mitigation would not require reporting. In our experience, those companies that identify and immediately respond to a breach are often in a position to manage the risk in a way that mitigates harm and avoids a reporting obligation under the rule.

Amy S. Leopard heads the health care practice group at the law firm of Walter & Haverfield LLP and may be reached at