New HIPAA requirements target unsecured protected health information

November 20, 2009

HITECH has new requirements regarding business associates and notification of patients regarding breaches of unsecured protected health information.

Key Points

Before HITECH, a covered entity (a physician's office, hospital, clinic, etc.) was only required to mitigate the effects of an unauthorized disclosure, which may or may not have included notifying the patient. Now, except for certain limited exceptions, a covered entity is required to notify a patient of an unauthorized disclosure of unsecured protected health information if a significant risk of "financial, reputational, or other" harm exists.

It is important to note that notification is only required for unsecured protected health information, not secured protected health information. The Department of Health and Human Services (HHS) issued guidance in April 2009 on what constitutes "secured" protected health information, stating that information is deemed secured if it has been rendered "unusable, unreadable, or indecipherable" to unauthorized individuals. In practice the guidance recognizes two ways to get there: encrypting the data or destroying the media. Encrypting laptops and portable media is therefore the principal way to keep the loss of a device from becoming a reportable breach.

Any notification to the patient must include a brief description of what happened and the type of protected health information disclosed, any steps the patient should take to protect himself or herself, what the covered entity is doing to investigate and mitigate the breach, and information concerning whom to contact for additional information. Any required notification must occur without unreasonable delay, and in no case more than 60 days after the breach is discovered or should have been discovered with the exercise of reasonable diligence.

Notification must be in writing by mail (supplemented by telephone in urgent cases), or by electronic means if the patient has consented to electronic notification. Specific rules also exist regarding what to do if patients cannot be located. If a breach involves more than 500 patients (for instance, the loss of a laptop containing unsecured protected health information), then prominent local media outlets must be notified as well. In addition, the HHS secretary must be notified: at the same time as the patients for breaches involving more than 500 patients, and annually for smaller breaches.

With the new regulations, the knowledge of a covered entity's agents, including business associates, is imputed to the covered entity. Therefore, the 60-day clock for notifying patients can begin to run before the covered entity itself is aware of the disclosure. New business associate agreements may be required, and education of business associates is important, to ensure that they are aware of these requirements, that they notify you promptly of any breach of protected health information, and that they indemnify your practice if they fail to comply with the new rules.

The burden of proof rests on the covered entity either to notify the patient or to establish that no significant risk of harm to the patient exists, even if the breach was the fault of one of its agents. A decision not to notify a patient because the covered entity does not believe that a significant risk of harm exists should be carefully investigated and documented at the time it is made.

The author is a health law attorney with Adelman, Sheff & Smith in Annapolis, Maryland, and Washington, D.C. He can be reached at aadelman@hospitallaw.com.

Malpractice Consult deals with questions on common professional liability issues. Unfortunately, we cannot offer specific legal advice. If you have a general question or a topic you'd like to see covered here, please send it to memalp@advanstar.com.