Timeline of Upcoming ARRA Related HIPAA Changes, Rules and Guidance


By December 31, 2009
- HHS to issue additional guidelines regarding accounting for disclosures

Due within one year of enactment (by February 17, 2010)
- HHS to provide guidance and rules on de-identification, opting out of fundraising solicitations
- HHS and the Federal Trade Commission will report on privacy and security requirements for Personal Health Record (PHR) vendors and applications

February 17, 2010
- HHS to issue rules on which entities are required to be business associates
- Individuals' right to restrict disclosures to health plans for services paid for out of pocket
- Right of electronic access of records by patients takes effect
- Business Associates directly subject to HIPAA regulation
- HHS required to conduct periodic audits of entities covered by HIPAA

Within 18 months of enactment (by August 17, 2010)
- HHS to issue guidance on HIPAA minimum necessary rules
- HHS to release regulations regarding prohibition of sale of data

January 1, 2011
- Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired after January 1, 2009

January 1, 2014
- Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1,

W.J. Flynn and Associates, LLC

Summary of the HHS interim final rule to require notification of breaches of unsecured protected health information

Editors' Note: This summary consists principally of edited text taken directly from the discussion section of the HHS interim final regulations published August 24th in the Federal Register. The editors have removed some of the discussion (for example, discussion of comments received) in an attempt to simplify the review and focus on content and HHS comments most helpful in assisting a Covered Entity or Business Associate in implementing the policies and procedures necessary to comply with these regulations. Statutory and Regulatory references have, for the most part, been removed and replaced by generic terms (i.e., "as defined by HIPAA") for the sake of clarity. Full regulatory and statutory references and additional commentary are included in the full text of the HHS interim final rule. Exclusion of some text from this summary in no way implies that the information is not relevant or important. A link to the full text can be found on our website at
-The Editors

While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept any liability whatsoever for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always and without exception seek professional advice before entering into any commitments.
Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted on February 17, Subtitle D of Division A of the HITECH Act (the Act), entitled "Privacy," among other provisions, requires the Department of Health and Human Services (HHS or the Department) to issue interim final regulations for breach notification by covered entities subject to the Administrative Simplification provisions of HIPAA and their business associates.

These breach notification provisions are found in of the Act and apply to HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. The Act incorporates the definitions of "covered entity," "business associate," and "protected health information" used in the HIPAA regulations.

The Act requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information. In addition, in some cases, the Act requires covered entities to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.

Section-by-Section Description of Interim Final Rule

A. Applicability Section

Section of the interim final rule provides that this breach notification rule is applicable to breaches occurring on or after 30 days from the date of publication of this interim final rule. The interim final rule was published in the Federal Register on Monday August 24th, making the effective date of these regulations September 23rd,

B. Definitions Section

Section B contains regulatory definitions of the two principal definitions related to the requirements:
1. What is a Breach
2. What is Unsecured Protected Health Information

1. Breach

The interim final rule defines "breach" as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under HIPAA which compromises the security or privacy of the protected health information.

Protected Health Information

The definition of breach is limited to protected health information. If information is de-identified in accordance with HIPAA regulations, it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart. Covered entities and business associates are required to provide the breach notifications only upon a breach of unsecured protected health information (see section 2 below).

Unauthorized Acquisition, Access, Use, or Disclosure

The interim final rule interprets the unauthorized acquisition, access, use, or disclosure of protected health information as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under HIPAA. For an acquisition, access, use, or disclosure of protected health information to constitute a breach, it must constitute a violation of the Privacy Rule. Therefore, one of the first steps in determining whether notification is necessary is to determine whether a use or disclosure violates the Privacy Rule.

Not all violations of the Privacy Rule will be breaches, and therefore, covered entities and business associates need not provide breach notification in all cases of impermissible uses and disclosures. Violations of administrative requirements, such as a lack of reasonable safeguards or a lack of training, do not themselves qualify as potential breaches under this subpart (although such violations certainly may lead to impermissible uses or disclosures that qualify as breaches).
Compromises the Security or Privacy of Protected Health Information

The Act and regulation limit the definition of breach to a use or disclosure that "compromises the security or privacy" of the protected health information. Accordingly, once it is established that a use or disclosure violates the Privacy Rule, the covered entity must determine whether the violation compromises the security or privacy of the protected health information.

"Compromises the security or privacy of the protected health information" means the breach poses a significant risk of financial, reputational, or other harm to the individual.

To determine if an impermissible use or disclosure of protected health information constitutes a breach, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates may need to consider a number or combination of factors.

Covered entities and business associates should consider who impermissibly used or to whom the information was impermissibly disclosed when evaluating the risk of harm to individuals.

If, for example, protected health information is impermissibly disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency that is obligated to comply with the Privacy Act of 1974 and the Federal Information Security Management Act of 2002, there may be less risk of harm to the individual, since the recipient entity is obligated to protect the privacy and security of the information it received in the same or similar manner as the entity that disclosed the information. In contrast, if protected health information is impermissibly disclosed to any entity or person that does not have similar obligations to maintain the privacy and security of the information, the risk of harm to the individual is much greater.

There may be circumstances where a covered entity takes immediate steps to mitigate an impermissible use or disclosure, for example, by obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. If such steps eliminate or reduce the risk of harm to the individual to a less than significant risk, then the security and privacy of the information has not been compromised and, therefore, no breach has occurred.

There may be circumstances where impermissibly disclosed protected health information is returned prior to it being accessed for an improper purpose. For example, if a laptop is lost or stolen and then recovered, and a forensic analysis of the computer shows that its information was not opened, altered, transferred, or otherwise compromised, such a breach may not pose a significant risk of harm to the individuals whose information was on the laptop. Note, however, that if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.

In performing a risk assessment, covered entities and business associates should also consider the type and amount of protected health information involved in the impermissible use or disclosure.
If the nature of the protected health information does not pose a significant risk of financial, reputational, or other harm, then the violation is not a breach. For example, if a covered entity improperly discloses protected health information that merely included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program), or if the protected health information includes information that increases the risk of identity theft (such as a social security number, account number, or mother's maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information.

The risk assessment should be fact specific, and the covered entity or business associate should keep in mind that many forms of health information, not just information about sexually transmitted diseases or mental health, should be considered sensitive for purposes of the risk of reputational harm, especially in light of fears about employment discrimination.

Exceptions to Breach

A covered entity or business associate is not responsible for a breach by a third party to whom it permissibly disclosed protected health information unless the third party received the information in its role as an agent of the covered entity or business associate.

The Act also includes three exceptions to the definition of "breach" that encompass situations Congress clearly intended to not constitute breaches:

(1) Unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate;

Example - A billing employee receives and opens an e-mail containing protected health information about a patient which a nurse mistakenly sent to the billing employee. The billing employee notices that he is not the intended recipient, alerts the nurse of the misdirected e-mail, and then deletes it. The billing employee unintentionally accessed protected health information to which he was not authorized to have access. However, the billing employee's use of the information was done in good faith and within the scope of authority, and therefore, would not constitute a breach and notification would not be required, provided the employee did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.

In contrast, a receptionist at a covered entity who is not authorized to access protected health information decides to look through patient files in order to learn of a friend's treatment. In this case, the impermissible access to protected health information would not fall within this exception to breach because such access was neither unintentional, done in good faith, nor within the scope of authority.

(2) Inadvertent disclosure of protected health information from one person authorized to access protected health information at a covered entity or business associate to another similarly situated person authorized to access protected health information at the covered entity or business associate;

For example, a physician who has authority to use or disclose protected health information at a hospital by virtue of participating in an organized health care arrangement with the hospital improperly discloses PHI to a nurse or billing employee at the hospital. In contrast, the physician is not similarly situated to an employee at the hospital who is not authorized to access protected health information, thus an improper disclosure to a security worker not authorized to access the PHI would be a breach subject to these regulations.

(3) Unauthorized disclosures in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information.
For example, a covered entity, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals. A few of the EOBs are returned by the post office, unopened, as undeliverable. In these circumstances, the covered entity can conclude that the improper addressees could not reasonably have retained the information. The EOBs that were not returned as undeliverable, however, and that the covered entity knows were sent to the wrong individuals, should be treated as potential breaches.

As another example, a nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes her mistake and recovers the protected health information from the patient. If the nurse can reasonably conclude that the patient could not have read or otherwise retained the information, then this would not constitute a breach.

Determining if a Breach Has Occurred

Covered entities and business associates will need to do the following to determine whether a breach occurred.

First, the covered entity or business associate must determine whether there has been an impermissible use or disclosure of protected health information under the Privacy Rule.

Second, the covered entity or business associate must determine, and document, whether the impermissible use or disclosure compromises the security or privacy of the protected health information. This occurs when there is a significant risk of financial, reputational, or other harm to the individual.

Lastly, the covered entity or business associate may need to determine whether the incident falls under one of the exceptions to the breach definition.

2. Unsecured Protected Health Information

Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Background

The Act defines "unsecured protected health information" as protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance and requires the Secretary to specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. This guidance was issued on April 17, 2009, and later published in the Federal Register on April 27, 2009 (74 FR 19006).

The guidance specified encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. Future guidance (on specified technology and methods) will be published on the HHS web site.

Methods to Render PHI Unusable

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.

(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication , Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

C. Notification to Individuals Section

General Rule

A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.

Breaches Treated as Discovered

A breach shall be treated as discovered by a covered entity as of the first day the breach is known to the covered entity, or by exercising reasonable diligence would have been known to the covered entity.

A covered entity is deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is a workforce member or agent of the covered entity.

It is important for such covered entities to implement reasonable systems for discovery of breaches. These provisions attribute knowledge of a breach by a workforce member or other agent, such as certain business associates, to the covered entity itself.

Timeliness

This is important, as knowledge of a breach, i.e., when a breach is treated as discovered, starts the clock in terms of the period of time a covered entity has to make the notifications required by the interim final rule. Covered entities should ensure their workforce members and other agents are adequately trained and aware of the importance of timely reporting of privacy and security incidents and of the consequences of failing to do so.

A covered entity shall send the required notification without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered.

Content

The covered entity may take a reasonable time to investigate the circumstances surrounding the breach, in order to collect and develop the information required to be included in the notice to the individual. It may be an unreasonable delay to wait until the 60th day to provide notification. For example, if a covered entity has compiled the information necessary to provide notification to individuals on day 10 but waits until day 60 to send the notifications, it would constitute an unreasonable delay despite the fact that the covered entity has provided notification within 60 days.
The Act requires the notification to include, to the extent possible, the following elements:

(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
(2) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps individuals should take to protect themselves from potential harm resulting from the breach;
(4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
(5) Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, web site, or postal address.

With respect to indicating in the notification the types of protected health information involved in a breach, this provision requires covered entities to describe only the types of information involved. Covered entities should not include a listing of the actual protected health information that was breached (e.g., list in the notice the individual's social security number or credit card number that was breached) and generally should avoid including any sensitive information in the notification itself.

Form of Notice

The Act requires a covered entity to provide breach notice to the individual in written form by first-class mail at the last known address of the individual. The interim final rule also provides that written notice may be in the form of electronic mail, provided the individual agrees to receive electronic notice and such agreement has not been withdrawn.

Where the individual affected by a breach is a minor or otherwise lacks legal capacity due to a physical or mental condition, notice to the parent or other person who is the personal representative of the individual will satisfy the requirements. The statute also requires that, if the individual is deceased, notice must be sent to the last known address of the next of kin or personal representative.

Substitute Notice

If a covered entity does not have sufficient contact information for some or all of the affected individuals, or if some notices are returned as undeliverable, the covered entity must provide substitute notice for the unreachable individuals. Substitute notice should be provided as soon as reasonably possible after the covered entity is aware that it has insufficient or out-of-date contact information for affected individuals. Whatever form of substitute notice is provided, the notice must contain all the elements that are required to be included in the direct written notice to individuals.

If there are fewer than 10 individuals for whom the covered entity has insufficient or out-of-date contact information to provide the written notice, the Act permits the covered entity to provide substitute notice to such individuals through an alternative form of written notice, by telephone, or other means. For example, if the covered entity learns that the home address it has for one of its patients is out-of-date but it has the patient's e-mail address, it may provide substitute notice by e-mail even if the patient has not agreed to electronic notice. Alternatively, posting a notice on the web site of the covered entity or at another location may be appropriate if the covered entity lacks any current contact information for the patients, so long as the posting is done in a manner that is reasonably calculated to reach the individuals.
If a covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity is to provide substitute notice through either a conspicuous posting for a period of 90 days on the home page of its web site or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside.

Substitute notice through the website or media for 10 or more individuals requires the covered entity to have a toll-free phone number, active for 90 days, where an individual can learn whether the individual's unsecured PHI may be included in the breach, and to include the number in the notice.

If the covered entity chooses to provide substitute notice on the home page of its web site, the notice must be conspicuous and posted for at least 90 days. A covered entity may provide all the information directly on its home page or may provide a hyperlink to the notice containing such information. If a covered entity uses a hyperlink on the home page to convey the substitute notice, the hyperlink should be prominent so that it is noticeable given its size, color, and graphic treatment in relation to other parts of the page, and it should be worded to convey the nature and importance of the information to which it leads.

D. Notification to the Media

The Act requires that notice be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.

The Act requires that notification to the media under this provision be provided within the same timeframe as notice is to be provided to the individual. Notification to the media under this provision must include the same information required to be included in the notification to the individual.

To illustrate how these provisions apply, HHS provided the following examples:

If laptops containing the unsecured protected health information of more than 500 residents of a particular city were stolen from a covered entity, notification under this section should be provided to prominent media outlets serving that city. In this case, the prominent media outlet may be a major television station or newspaper (or other media outlet) serving primarily the residents of that city or a prominent media outlet serving the entire state.

Alternatively, for a breach involving 500 or more residents across a State and not within any one particular county or city of the State, the prominent media outlet chosen must serve the entire State.

If a covered entity discovers a breach of 600 individuals, 200 of which reside in Virginia, 200 of which reside in Maryland, and 200 of which reside in the District of Columbia, such a breach did not affect more than 500 residents of any one State or jurisdiction, and as such, notification is not required to be provided to the media.

E. Notification to the Secretary

For breaches involving 500 or more individuals, the Act requires covered entities to notify the Secretary (HHS) immediately. For breaches involving less than 500 individuals, the Act provides that a covered entity may maintain a log of such breaches and annually submit such log to the Secretary documenting the breaches occurring during the year involved.

Breaches involving more than 500 individuals

The term "immediately" requires notification be sent to the Secretary concurrently with the notification sent to the individual. HHS will post instructions on its web site for submitting both this notification as well as the annual notification described below.
The Secretary will post on the HHS web site a list of covered entities that submit reports of breaches of unsecured protected health information involving more than 500 individuals.

Covered entities must notify the Secretary of discovered breaches involving more than 500 individuals generally, without regard to whether the breach involved more than 500 residents of a particular State or jurisdiction.

Breaches involving less than 500 individuals

The Act requires a covered entity to maintain a log or other documentation of such breaches and to submit information annually to the Secretary for breaches occurring during the preceding calendar year. The interim final rule requires the submission of this information to the Secretary no later than 60 days after the end of each calendar year.

Information about breaches involving less than 500 individuals is to be provided to the Secretary in the manner specified on the HHS web site. HHS will specify on its web site the information to be submitted and how to submit such information.

For calendar year 2009, the covered entity is only required to submit information to the Secretary for breaches occurring after the effective date of this regulation.

F. Notification by a Business Associate

The Act requires a business associate of a covered entity to notify the covered entity when it discovers a breach of PHI.

A business associate that maintains the protected health information of multiple covered entities need notify only the covered entity(s) to which the breached information relates. However, in cases in which a breach involves the unsecured protected health information of multiple covered entities and it is unclear to whom the breached information relates, it may be necessary to notify all potential affected covered entities.

A business associate must provide notice of a breach of unsecured protected health information to a covered entity without unreasonable delay and in no case later than 60 days following the discovery of a breach.

If a business associate is acting as an agent (based on the principles of the federal common law of agency) of a covered entity, then the business associate's discovery of the breach will be imputed to the covered entity. Accordingly, in such circumstances, the covered entity must provide notifications based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. In contrast, if the business associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity must provide notification based on the time the business associate notifies the covered entity of the breach. Covered entities may wish to address the timing of the notification in their business associate contracts.

The Act requires business associates, to the extent possible, to provide covered entities with the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached.

G. Law Enforcement Delay

The Act provides that if a law enforcement official determines that a notification, notice, or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed in the same manner as provided under the HIPAA Privacy Rule.
The Act provides for a temporary delay of notification in situations in which a law enforcement official provides a statement in writing that the delay is necessary because notification would impede a criminal investigation or cause damage to national security, and specifies the time for which a delay is required. In these instances, the covered entity is required to delay the notification, notice, or posting for the time period specified by the official.

The Act also requires a covered entity or business associate to temporarily delay a notification, notice, or posting if a law enforcement official states orally that a notification would impede a criminal investigation or cause damage to national security. In this case, the covered entity or business associate is required to document the statement and the identity of the official and delay notification for no longer than 30 days.

H. Administrative Requirements and Burden of Proof

The regulations require covered entities and business associates to develop and document policies and procedures related to these breach notification rules consistent with HIPAA's administrative requirements including but not limited to:

- Train workforce members on, and have sanctions for failure to comply with, these policies and procedures
- Permit individuals to file complaints regarding these policies and procedures or a failure to comply with them
- Refrain from intimidating or retaliatory acts

Thus, a covered entity is required to consider and incorporate the requirements of this subpart with respect to its HIPAA administrative compliance and other obligations.

Burden of Proof

Following an impermissible use or disclosure under the Privacy Rule, covered entities and business associates have the burden of demonstrating that all notifications were made as required.

As part of demonstrating that all required notifications were made, a covered entity or business associate also must be able to demonstrate that an impermissible use or disclosure did not constitute a breach, in cases where it is determined that notifications were not required.

When a covered entity or business associate knows of an impermissible use or disclosure of protected health information, it should maintain documentation that all required notifications were made, or, alternatively, of its risk assessment or the application of any exceptions to the definition of breach to demonstrate that notification was not required.

For more information or for assistance with HIPAA compliance contact:
Bob Radecki
Principal
W.J. Flynn and Associates, LLC
bob.radecki@wjflynnandassociates.com


Accident Investigation

Accident Investigation Accident Investigatin APPLICABLE STANDARD: 1960.29 EMPLOYEES AFFECTED: All emplyees WHAT IS IT? Accident investigatin is the prcess f determining the rt causes f accidents, n-the-jb injuries, prperty damage,

More information

Quality Area 7: Leadership and Service Management

Quality Area 7: Leadership and Service Management 1/5 Quality Area 7: Leadership and Service Management Children s Services Guiding Principles Electrnic Archiving Plicy Review Date: Octber 2015 Intrductin Within the Children s Services sectin there are

More information

UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES

UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES UNIVERSITY OF CALIFORNIA MERCED PERFORMANCE MANAGEMENT GUIDELINES REFERENCES AND RELATED POLICIES A. UC PPSM 2 -Definitin f Terms B. UC PPSM 12 -Nndiscriminatin in Emplyment C. UC PPSM 14 -Affirmative

More information

LEGAL BRIEF FORECLOSURE ON RENTAL PROPERTY March 2014

LEGAL BRIEF FORECLOSURE ON RENTAL PROPERTY March 2014 LEGAL BRIEF FORECLOSURE ON RENTAL PROPERTY March 2014 PREPARED BY NELLIS LAW CENTER, 4428 England Ave (Bldg 18), Nellis AFB, Nevada 89191-6505 702-652-5407, Appt. Line 702-652-7531 If yu rent prperty yu

More information