In February 2009, Congress modified the Health Insurance Portability and Accountability Act (HIPAA), as part of the American Recovery and Reinvestment Act. The change requires you and your business associates to tell patients about any “breach” of their health information.
Specifically, the 2009 modification directed the Department of Health and Human Services (HHS) to require HIPAA-covered entities, including health care providers and their business associates, to provide notification of any breach of unsecured protected health information (PHI).
A breach is defined as the acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA that compromises the security or privacy of the PHI, meaning that it poses a significant risk of financial, reputational or other harm to the individual. There are some limited exceptions to the definition.
Unsecured PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through a technology or method specified by HHS.
You must take extra steps to minimize and protect unsecured patient information. This rule requires you to be diligent in discovering not only your own breaches, but also breaches by your business associates.
Update your agreements with business associates to reflect their obligations to identify and report breaches. Consider adding language to protect your practice from business associates’ noncompliance and providing training and education for employees and business associates.
When a breach occurs
Following a breach of unsecured PHI, a covered entity must notify affected individuals and the HHS. A business associate who causes a breach must notify you, and you must then notify affected individuals promptly, within no more than 60 days, in written form via first-class mail. Alternative forms of communication are allowed in certain circumstances.
Notification must include your contact information, a description of the breach, steps affected individuals should take to protect themselves and a description of what you are doing to investigate the breach, rectify harm and prevent future occurrences.
Notice of a breach must be sent to the HHS through its Web site no later than 60 days after the end of the calendar year in which the breach occurred. If the breach affected more than 500 individuals, a notice must be provided within 60 days of the breach and media must be notified.
The rule took effect Sept. 23, although HHS sanctions will not be imposed for unintentional violations until March 2010. Penalties for noncompliance are severe. Indiana also has a security breach law.
Learn more here or call ISMA’s Legal Department with questions.