HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element

After a few days unable to make time to post to the blog, or technical difficulties preventing me when I did make time, I’m happy to resume my posting!
Today I want to offer a few thoughts about the breach notice rules that were released last week by the HHS and the FTC in compliance with the HITECH Act requirements…


The FTC’s “Health Breach Notification Rule” is very interesting and applies to personal health records vendors, many to most of which (e.g., Microsoft and Google) will not be Covered Entities (CEs) under HIPAA. However, many to most may very well be Business Associates (BAs) under HIPAA. The FTC rule will catch those who fall outside of the CE and BA realm and who still are the custodians for (NOT owners of! Individuals own their health information!) personal health records. There is much to say about this, but I will focus on those thoughts in a near future post.
Here are a few of my quick thoughts about the HHS’s “Breach Notification for Unsecured Protected Health Information; Interim Final Rule;” I will plan to go into more depth for the specific issues here, and others I didn’t touch upon, in future posts…

  • It is interesting to note that, under these new rules, breach notification does not need to occur if the information has been de-identified according to HIPAA’s definition. However, notification is required for limited data sets.
  • The many notes and comments are quite interesting!
  • Accidental acquisitions within the same organization (CE or BA) do not require notification. This happens a lot! I provided some discussion of three types of situations at http://www.realtime-itcompliance.com/laws_regulations/2009/07/is_this_a_breach_under_the_hit.htm. I need to go back and see if my analysis would now be different.
  • It is important for CEs and BAs to read closely and understand § 164.402 Definitions, especially the definition of a breach. The exclusions listed are commonly the cause of much confusion!
  • Also important to note and understand is that CEs should provide the notification to individuals. When BAs discover a breach they must, under this rule, contact the applicable CE(s) as soon as possible, and then work with the CEs so that they can make the best notification decisions possible. This is a good idea because the CE typically has the direct relationship with the patient, not the BA. Great confusion and harm could result if a BA notified individuals and provided inaccurate, incomplete or otherwise inappropriate information. Most individuals wouldn’t know who the BA was anyhow; how many people know of all the business associates of the companies where we do business, or where we get healthcare?
  • Note the limit on how quickly notice must be provided; “without reasonable delay” and no later than 60 days after discovery of the breach.
  • As with most other breach notice laws, there is a notice timeline exception if law enforcement requires it.
  • The contact procedures must include “a toll-free telephone number, an e-mail address, Web site, or postal address.” Even though the postal address appears to be an option to a Web site, providing both is a good practice and something I would recommend.
  • Another important requirement is that notification must be made for breaches of those the CE knows to be deceased. Many organizations will not think of this, because this is not a stipulation within many/most of the other 48 state and territory laws. Notification for individuals known to be deceased must be made to the “next of kin or personal representative.”
  • Breaches of more than 500 individuals must be made to “prominent media outlets.” This is another significant difference to many of the existing breach notice laws.
  • It is a bit odd that breaches involving less than 500 individuals do not require notification in a timely manner, but only within 60 days after the end of the calendar year. Anyone would want to know if their PHI was breached. In fact, some of the most costly and damaging impacts to individuals have been when the records and PHI of just one or a few individuals have been breached. Just look at the HIPAA felony convictions in a paper I wrote earlier this year to see some examples.
  • Here is something very important: “(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
  • Training and ongoing awareness communications are very important key elements of information security and privacy programs in general. Training is also required by this new rule, along with many other laws and regulations. When providing training, make sure you are providing effective training! Effective training is a comparatively low-cost activity, but can provide the greatest impacts for improving information security and privacy.

Of course there is much more to review, say and discuss about this new rule, and also the new FTC rule! These are just some quick thoughts to pass along.
