December 31, 2009
By: Trisha A. Olson
The Department of Health and Human Services (“HHS”) issued a new regulation requiring entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify individuals when their protected health information is breached and the breach violates the individual’s right to the privacy and security of that information. School districts that self-insure in whole or in part, or that process Medicaid and/or other claims, may be HIPAA covered entities.
In general, “protected health information” is the individually identifiable health information held or transmitted in any form or medium by a HIPAA-covered entity. A “breach” of this information is the acquisition, access, use or disclosure of unsecured protected health information in a manner not permitted by HIPAA, and which compromises the security or privacy of the protected health information. A breach violates an individual’s right to protected health information only when it poses a significant risk of financial, reputational or other harm to the individual.
Following a breach that poses a significant risk, covered entities must notify affected individuals in writing within 60 calendar days after the discovery of the breach. Notification must include:
(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
(2) A description of the unsecured protected health information that was involved;
(3) The steps an individual should take to protect him/herself from potential harm;
(4) A brief description of how the covered entity is investigating the breach, mitigating losses, and protecting against any further breach; and
(5) Contact information for individuals who have questions or concerns.
When a breach impacts more than 500 individuals, notice is required to the HHS Secretary and prominent media outlets.
The Act provides three narrow exceptions to the breach notification requirement: (1) An unintentional acquisition, access or use of information by an employee who acts in good faith and in the scope of his/her employment is not considered a breach and does not trigger the notification requirement of the Act; (2) An inadvertent disclosure from one authorized person to another authorized person does not trigger the notification requirement; and (3) An unauthorized disclosure to an individual who would not reasonably be able to retain the information does not trigger the notification requirement.
Covered entities should develop policies and procedures and train employees regarding the above notification requirements for breaches of protected health information. All policies, procedures and trainings must reflect that not every violation is a “breach” that triggers notification requirements.
Please do not hesitate to contact your attorney at Scariano, Himes, and Petrarca, Chtd., with any questions that you may have related to the new HIPAA regulation.