[Federal Register Volume 74, Number 162 (Monday, August 24, 2009)]
[Rules and Regulations]
[Pages 42740-42770]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-20169]
[[Page 42739]]
-----------------------------------------------------------------------
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
Breach Notification for Unsecured Protected Health Information; Interim
Final Rule
[[Page 42740]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB56
Breach Notification for Unsecured Protected Health Information
AGENCY: Office for Civil Rights, Department of Health and Human
Services.
ACTION: Interim final rule with request for comments.
-----------------------------------------------------------------------
SUMMARY: The Department of Health and Human Services (HHS) is issuing
this interim final rule with a request for comments to require
notification of breaches of unsecured protected health information.
Section 13402 of the Health Information Technology for Economic and
Clinical Health (HITECH) Act, part of the American Recovery and
Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009,
requires HHS to issue interim final regulations within 180 days to
require covered entities under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and their business associates to
provide notification in the case of breaches of unsecured protected
health information. For purposes of determining what information is
``unsecured protected health information,'' in this document HHS is
also issuing an update to its guidance specifying the technologies and
methodologies that render protected health information unusable,
unreadable, or indecipherable to unauthorized individuals.
DATES: Effective Date: This interim final rule is effective September
23, 2009.
Comment Date: Comments on the provisions of this interim final rule
are due on or before October 23, 2009. Comments on the information
collection requirements associated with this rule are due on or before
September 8, 2009.
ADDRESSES: You may submit comments, identified by RIN 0991-AB56, by any
of the following methods (please do not submit duplicate comments):
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments. Attachments should be
in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft
Word.
Regular, Express, or Overnight Mail: U.S. Department of
Health and Human Services, Office for Civil Rights, Attention: HITECH
Breach Notification, Hubert H. Humphrey Building, Room 509F, 200
Independence Avenue, SW., Washington, DC 20201. Please submit one
original and two copies.
Hand Delivery or Courier: Office for Civil Rights,
Attention: HITECH Breach Notification, Hubert H. Humphrey Building,
Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please
submit one original and two copies. (Because access to the interior of
the Hubert H. Humphrey Building is not readily available to persons
without federal government identification, commenters are encouraged to
leave their comments in the mail drop slots located in the main lobby
of the building.)
Inspection of Public Comments: All comments received before the
close of the comment period will be available for public inspection,
including any personally identifiable or confidential business
information that is included in a comment. We will post all comments
received before the close of the comment period at
http://www.regulations.gov. Because comments will be made public, they should
not include any sensitive personal information, such as a person's
social security number; date of birth; driver's license number, state
identification number or foreign country equivalent; passport number;
financial account number; or credit or debit card number. Comments also
should not include any sensitive health information, such as medical
records or other individually identifiable health information.
Docket: For access to the docket to read background documents or
comments received, go to http://www.regulations.gov or U.S. Department
of Health and Human Services, Office for Civil Rights, 200 Independence
Avenue, SW., Washington, DC 20201 (call ahead to the contact listed
below to arrange for inspection).
FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.
SUPPLEMENTARY INFORMATION:
I. Background
The Health Information Technology for Economic and Clinical Health
(HITECH) Act, Title XIII of Division A and Title IV of Division B of
the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-
5), was enacted on February 17, 2009. Subtitle D of Division A of the
HITECH Act (the Act), entitled ``Privacy,'' among other provisions,
requires the Department of Health and Human Services (HHS or the
Department) to issue interim final regulations for breach notification
by covered entities subject to the Administrative Simplification
provisions of the Health Insurance Portability and Accountability Act
of 1996 (HIPAA) (Pub. L. 104-191) and their business associates.
These breach notification provisions are found in section 13402 of
the Act and apply to HIPAA covered entities and their business
associates that access, maintain, retain, modify, record, store,
destroy, or otherwise hold, use, or disclose unsecured protected health
information. The Act incorporates the definitions of ``covered
entity,'' ``business associate,'' and ``protected health information''
used in the HIPAA Administrative Simplification regulations (45 CFR
parts 160, 162, and 164) (HIPAA Rules) at Sec. 160.103. Under the
HIPAA Rules, a covered entity is a health plan, health care
clearinghouse, or health care provider that transmits any health
information electronically in connection with a covered transaction,
such as submitting health care claims to a health plan. Business
associate, as defined in the HIPAA Rules, means a person who performs
functions or activities on behalf of, or certain services for, a
covered entity that involve the use or disclosure of individually
identifiable health information. Examples of business associates
include third party administrators or pharmacy benefit managers for
health plans, claims processing or billing companies, transcription
companies, and persons who perform legal, actuarial, accounting,
management, or administrative services for covered entities and who
require access to protected health information. The HIPAA Rules define
``protected health information'' as the individually identifiable
health information held or transmitted in any form or medium by these
HIPAA covered entities and business associates, subject to certain
limited exceptions.
The Act requires HIPAA covered entities to provide notification to
affected individuals and to the Secretary of HHS following the
discovery of a breach of unsecured protected health information. In
addition, in some cases, the Act requires covered entities to provide
notification to the media of breaches. In the case of a breach of
unsecured protected health information at or by a business associate of
a covered entity, the Act requires the business associate to notify the
covered entity of the breach. Finally, the Act requires the Secretary
to post on an HHS Web site a list of covered entities that experience
breaches of unsecured protected health information involving more than
500 individuals.
[[Page 42741]]
Section 13400(1) of the Act defines ``breach'' to mean, generally,
the unauthorized acquisition, access, use, or disclosure of protected
health information which compromises the security or privacy of such
information. The Act provides exceptions to this definition to
encompass disclosures where the recipient of the information would not
reasonably have been able to retain the information, certain
unintentional acquisition, access, or use of information by employees
or persons acting under the authority of a covered entity or business
associate, as well as certain inadvertent disclosures among persons
similarly authorized to access protected health information at a
business associate or covered entity.
Further, section 13402(h) of the Act defines ``unsecured protected
health information'' as ``protected health information that is not
secured through the use of a technology or methodology specified by the
Secretary in guidance'' and provides that the guidance specify the
technologies and methodologies that render protected health information
unusable, unreadable, or indecipherable to unauthorized individuals.
Covered entities and business associates that implement the specified
technologies and methodologies with respect to protected health
information are not required to provide notifications in the event of a
breach of such information--that is, the information is not considered
``unsecured'' in such cases. As required by the Act, the Secretary
initially issued this guidance on April 17, 2009 (it was subsequently
published in the Federal Register at 74 FR 19006 on April 27, 2009).
The guidance listed and described encryption and destruction as the two
technologies and methodologies for rendering protected health
information unusable, unreadable, or indecipherable to unauthorized
individuals.
In cases in which notification is required, the Act at section
13402 prescribes the timeliness, content, and methods of providing the
breach notifications. We discuss these and the above statutory
provisions in more detail below where we describe section-by-section
how these new regulations implement the breach notification provisions
at section 13402 of the Act.
In addition to the breach notification provisions for HIPAA covered
entities and business associates at section 13402, section 13407 of the
Act, which is to be implemented and enforced by the Federal Trade
Commission (FTC), imposes similar breach notification requirements upon
vendors of personal health records (PHRs) and their third party service
providers following the discovery of a breach of security of unsecured
PHR identifiable health information.\1\ As with the definition of
``unsecured protected health information,'' the provisions at section
13407(f)(3) define ``unsecured PHR identifiable health information'' as
PHR identifiable health information that is not protected through the
use of a technology or methodology specified by the Secretary of HHS in
guidance. Thus, entities subject to the FTC breach notification rules
must also use the Secretary's guidance to determine whether the
information subject to a breach was ``unsecured'' and, therefore,
whether breach notification is required.
---------------------------------------------------------------------------
\1\ The FTC issued a notice of proposed rulemaking to implement
section 13407 of the Act on April 20, 2009 (74 FR 17914).
---------------------------------------------------------------------------
When HHS issued the guidance, HHS also published in the same
document a request for information (RFI), inviting public comment both
on the guidance itself, as well as on the breach provisions of section
13402 of the Act generally. After considering the public comment, we
are issuing an updated version of the guidance in Section II below. In
addition, we discuss public comment received on the Act's breach
notification provisions where relevant below in the section-by-section
description of the interim final rule.
We have concluded that we have good cause, under 5 U.S.C.
553(b)(B), to waive the notice-and-comment requirements of the
Administrative Procedure Act and to proceed with this interim final
rule. Section 13402(j) explicitly required us to issue these
regulations as ``interim final regulations'' and to do so within 180
days. Based on this statutory directive and limited time frame, we
concluded that notice-and-comment rulemaking was impracticable and
contrary to public policy. Nevertheless, we sought comments in the RFI
referenced above and considered those comments when drafting this rule.
In addition, we provide the public with a 60-day period following
publication of this document to submit comments on the interim final
rule.
II. Guidance Specifying the Technologies and Methodologies That Render
Protected Health Information Unusable, Unreadable, or Indecipherable to
Unauthorized Individuals
A. Background
As discussed above, section 13402 of the Act requires breach
notification following the discovery of a breach of unsecured protected
health information. Section 13402(h) of the Act defines ``unsecured
protected health information'' as ``protected health information that
is not secured through the use of a technology or methodology specified
by the Secretary in guidance'' and requires the Secretary to specify in
the guidance the technologies and methodologies that render protected
health information unusable, unreadable, or indecipherable to
unauthorized individuals. As required by the Act, this guidance was
issued on April 17, 2009, and later published in the Federal Register
on April 27, 2009 (74 FR 19006). The guidance specified encryption and
destruction as the technologies and methodologies for rendering
protected health information, as well as PHR identifiable health
information under section 13407 of the Act and the FTC's implementing
regulation, unusable, unreadable, or indecipherable to unauthorized
individuals such that breach notification is not required. The RFI
asked for general comment on this guidance as well as for specific
comment on the technologies and methodologies to render protected
health information unusable, unreadable, or indecipherable to
unauthorized individuals.
Many commenters expressed concern and confusion regarding the
purpose of the guidance and its impact on a covered entity's
responsibilities under the HIPAA Security Rule (45 CFR part 164,
subparts A and C). We emphasize that this guidance does nothing to
modify a covered entity's responsibilities with respect to the Security
Rule nor does it impose any new requirements upon covered entities to
encrypt all protected health information. The Security Rule requires
covered entities to safeguard electronic protected health information
and permits covered entities to use any security measures that allow
them to reasonably and appropriately implement all safeguard
requirements. Under 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii), a covered
entity must consider implementing encryption as a method for
safeguarding electronic protected health information; however, because
these are addressable implementation specifications, a covered entity
may be in compliance with the Security Rule even if it reasonably
decides not to encrypt electronic protected health information and
instead uses a comparable method to safeguard the information.
Therefore, if a covered entity chooses to encrypt protected health
information to comply with the Security Rule, does so pursuant to this
guidance, and subsequently discovers a breach of that
[[Page 42742]]
encrypted information, the covered entity will not be required to
provide breach notification because the information is not considered
``unsecured protected health information'' as it has been rendered
unusable, unreadable, or indecipherable to unauthorized individuals. On
the other hand, if a covered entity has decided to use a method other
than encryption or an encryption algorithm that is not specified in
this guidance to safeguard protected health information, then although
that covered entity may be in compliance with the Security Rule,
following a breach of this information, the covered entity would have
to provide breach notification to affected individuals. For example, a
covered entity that has a large database of protected health
information may choose, based on their risk assessment under the
Security Rule, to rely on firewalls and other access controls to make
the information inaccessible, as opposed to encrypting the information.
While the Security Rule permits the use of firewalls and access
controls as reasonable and appropriate safeguards, a covered entity
that seeks to ensure breach notification is not required in the event
of a breach of the information in the database would need to encrypt
the information pursuant to the guidance.
We also received several comments asking for clarification and
additional detail regarding the forms of information and the specific
devices and protocols described in the guidance. As a result, we
provide clarification regarding the forms of information addressed in
the National Institute of Standards and Technology (NIST) publications
referenced in the guidance. We clarify that ``data in motion'' includes
data that is moving through a network, including wireless transmission,
whether by e-mail or structured electronic interchange, while ``data at
rest'' includes data that resides in databases, file systems, flash
drives, memory, and any other structured storage method. ``Data in
use'' includes data in the process of being created, retrieved,
updated, or deleted, and ``data disposed'' includes discarded paper
records or recycled electronic media.
Additionally, many commenters suggested that access controls be
included in the guidance as a method for rendering protected health
information unusable, unreadable, or indecipherable to unauthorized
individuals. We recognize that access controls, as well as other
security methods such as firewalls, are important tools for
safeguarding protected health information. While we believe access
controls may render information inaccessible to unauthorized
individuals, we do not believe that access controls meet the statutory
standard of rendering protected health information unusable,
unreadable, or indecipherable to unauthorized individuals. If access
controls are compromised, the underlying information may still be
usable, readable, or decipherable to an unauthorized individual, and
thus, constitute unsecured protected health information for which
breach notification is required. Therefore, we have not included access
controls in the guidance; however, we do emphasize the benefit of
strong access controls, which may function to prevent breaches of
unsecured protected health information from occurring in the first
place.
Other commenters suggested that the guidance include redaction of
paper records as an alternative to destruction. Because redaction is
not a standardized methodology with proven capabilities to destroy or
render the underlying information unusable, unreadable or
indecipherable, we do not believe that redaction is an accepted
alternative method to secure paper-based protected health information.
Therefore, we have clarified in this guidance that only destruction of
paper protected health information, and not redaction, will satisfy the
requirements to relieve a covered entity or business associate from
breach notification. We note, however, that covered entities and
business associates may continue to create limited data sets or de-
identify protected health information through redaction if the removal
of identifiers results in the information satisfying the criteria of 45
CFR 164.514(e)(2) or 164.514(b), respectively. Further, a loss or theft
of information that has been redacted appropriately may not require
notification under these rules either because the information is not
protected health information (as in the case of de-identified
information) or because the unredacted information does not compromise
the security or privacy of the information and thus, does not
constitute a breach as described in Section IV below.
In response to comments received, we also make two additional
clarifications in the guidance. First, for purposes of the guidance
below and ensuring encryption keys are not breached, we clarify that
covered entities and business associates should keep encryption keys on
a separate device from the data that they encrypt or decrypt. Second,
we also include in the guidance below a note regarding roadmap guidance
activities on the part of the NIST pertaining to data storage on
enterprise-level storage devices, such as RAID (redundant array of
inexpensive disks), or SAN (storage area network) systems.
For ease of reference, we have published this updated guidance in
this document below; however, it will also be available on the HHS Web
site at http://www.hhs.gov/ocr/privacy/. Any further comments regarding
this guidance received in response to the interim final rule will be
addressed in the first annual update to the guidance, to be issued in
April 2010.
B. Guidance Specifying the Technologies and Methodologies that Render
Protected Health Information Unusable, Unreadable, or Indecipherable to
Unauthorized Individuals
Protected health information (PHI) is rendered unusable,
unreadable, or indecipherable to unauthorized individuals if one or
more of the following applies:
(a) Electronic PHI has been encrypted as specified in the HIPAA
Security Rule by ``the use of an algorithmic process to transform data
into a form in which there is a low probability of assigning meaning
without use of a confidential process or key'' \2\ and such
confidential process or key that might enable decryption has not been
breached. To avoid a breach of the confidential process or key, these
decryption tools should be stored on a device or at a location separate
from the data they are used to encrypt or decrypt. The encryption
processes identified below have been tested by the National Institute
of Standards and Technology (NIST) and judged to meet this standard.
---------------------------------------------------------------------------
\2\ 45 CFR 164.304, definition of ``encryption.''
---------------------------------------------------------------------------
(i) Valid encryption processes for data at rest are consistent with
NIST Special Publication 800-111, Guide to Storage Encryption
Technologies for End User Devices.\3\ \4\
---------------------------------------------------------------------------
\3\ NIST Roadmap plans include the development of security
guidelines for enterprise-level storage devices, and such guidelines
will be considered in updates to this guidance, when available.
\4\ Available at http://www.csrc.nist.gov/.
---------------------------------------------------------------------------
(ii) Valid encryption processes for data in motion are those which
comply, as appropriate, with NIST Special Publications 800-52,
Guidelines for the Selection and Use of Transport Layer Security (TLS)
Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL
VPNs, or others which are Federal Information Processing Standards
(FIPS) 140-2 validated.\5\
---------------------------------------------------------------------------
\5\ Available at http://www.csrc.nist.gov/.
---------------------------------------------------------------------------
[[Page 42743]]
(b) The media on which the PHI is stored or recorded have been
destroyed in one of the following ways:
(i) Paper, film, or other hard copy media have been shredded or
destroyed such that the PHI cannot be read or otherwise cannot be
reconstructed. Redaction is specifically excluded as a means of data
destruction.
(ii) Electronic media have been cleared, purged, or destroyed
consistent with NIST Special Publication 800-88, Guidelines for Media
Sanitization,\6\ such that the PHI cannot be retrieved.
---------------------------------------------------------------------------
\6\ Available at http://www.csrc.nist.gov/.
---------------------------------------------------------------------------
III. Overview of Interim Final Rule
We are adding a new subpart D to part 164 of title 45 of the Code
of Federal Regulations (CFR) to implement the breach notification
provisions in section 13402 of the Act. These provisions apply to HIPAA
covered entities and their business associates and set forth the
requirements for notification to affected individuals, the media, and
the Secretary of HHS following a breach of unsecured protected health
information. In drafting this interim final regulation, we considered
the public comments received in response to the RFI described above.
In addition, we consulted closely with the FTC in the development
of these regulations. Commenters in response to both the RFI as well as
the FTC's notice of proposed rulemaking urged HHS and the FTC to work
together to ensure that the regulated entities know with which rule
they must comply and that those entities that are subject to both rules
because they may operate in different roles are not subject to two
completely different and inconsistent regulatory schemes. In addition,
commenters were concerned that individuals could receive multiple
notices of the same breach if the HHS and the FTC regulations
overlapped. Thus, HHS coordinated with the FTC to ensure these issues
were addressed in the respective rulemakings. First, the rules make
clear that entities operating as HIPAA covered entities and business
associates are subject to HHS', and not the FTC's, breach notification
rule. Second, in those limited cases where an entity may be subject to
both HHS' and the FTC's rules, such as a vendor that offers PHRs to
customers of a HIPAA covered entity as a business associate and also
offers PHRs directly to the public, we worked with the FTC to ensure
both sets of regulations were harmonized by including the same or
similar requirements, within the constraints of the statutory language.
See Section IV.F. below for a more detailed discussion and an example
of our harmonization efforts.
IV. Section-by-Section Description of Interim Final Rule
The following discussion describes the provisions of the interim
final rule section by section. Those interested in commenting on the
interim final rule can assist the Department by preceding discussion of
any particular provision or topic with a citation to the section of the
interim final rule being discussed.
A. Applicability--Section 164.400
Section 164.400 of the interim final rule provides that this breach
notification rule is applicable to breaches occurring on or after 30
days from the date of publication of this interim final rule. See
Section IV.K. Effective/Compliance Date of this rule for further
discussion.
B. Definitions--Section 164.402
Section 164.402 of the interim final rule adopts definitions for
the terms ``breach'' and ``unsecured protected health information.''
1. Breach
Section 13402 of the Act and this interim final rule require
covered entities and business associates to provide notification
following a breach of unsecured protected health information. Section
13400(1)(A) of the Act defines ``breach'' as the ``unauthorized
acquisition, access, use, or disclosure of protected health information
which compromises the security or privacy of the protected health
information, except where an unauthorized person to whom such
information is disclosed would not reasonably have been able to retain
such information.'' Section 13400(1)(B) of the Act provides several
exceptions to the definition of ``breach.'' Based on section
13400(1)(A), we have defined ``breach'' at Sec. 164.402 of the interim
final rule as ``the acquisition, access, use, or disclosure of
protected health information in a manner not permitted under subpart E
of this part which compromises the security or privacy of the protected
health information.'' We have added paragraph (1) to the definition to
clarify when the security or privacy of information is considered to be
compromised. Paragraph (2) of the definition then includes the
statutory exceptions, including the exception within section
13400(1)(A) that refers to whether the recipient would reasonably have
been able to retain the information.
Protected Health Information
We note that the definition of ``breach'' is limited to protected
health information. With respect to a covered entity or business
associate of a covered entity, protected health information is
individually identifiable health information that is transmitted or
maintained in any form or medium, including electronic information. 45
CFR 160.103. If information is de-identified in accordance with 45 CFR
164.514(b), it is not protected health information, and thus, any
inadvertent or unauthorized use or disclosure of such information will
not be considered a breach for purposes of this subpart. Additionally,
Sec. 160.103 excludes certain types of individually identifiable
health information from the definition of ``protected health
information,'' such as employment records held by a covered entity in
its role as employer. If individually identifiable health information
that is not protected health information is used or disclosed in an
unauthorized manner, it would not qualify as a breach for purposes of
this subpart--although the covered entity should consider whether it
has notification requirements under other laws. Further, we note that
although the definition of ``breach'' applies to protected health
information generally, covered entities and business associates are
required to provide the breach notifications required by the Act and
this interim final rule (discussed below) only upon a breach of
unsecured protected health information. See also Section II of this
document for a list of the technologies and methodologies that render
protected health information secure such that notification is not
required in the event of a breach.
Unauthorized Acquisition, Access, Use, or Disclosure
The statute defines a ``breach'' as the ``unauthorized''
acquisition, access, use, or disclosure of protected health
information. Several commenters asked that we define ``unauthorized''
or that we clarify its meaning. We clarify that ``unauthorized'' is an
impermissible use or disclosure of protected health information under
the HIPAA Privacy Rule (subpart E of 45 CFR part 164). Accordingly, the
definition of ``breach'' at Sec. 164.402 of the interim final rule
interprets the ``unauthorized acquisition, access, use, or disclosure
of protected health information'' as ``the acquisition, access, use, or
disclosure of protected health information in a manner not permitted
under subpart E of this part.'' We emphasize that not all violations of
the Privacy Rule will be
[[Page 42744]]
breaches under this subpart, and therefore, covered entities and
business associates need not provide breach notification in all cases
of impermissible uses and disclosures. We also note that the HIPAA
Security Rule provides for administrative, physical, and technical
safeguards and organizational requirements for electronic protected
health information, but does not govern uses and disclosures of
protected health information. Accordingly, a violation of the Security
Rule does not itself constitute a potential breach under this subpart,
although such a violation may lead to a use or disclosure of protected
health information that is not permitted under the Privacy Rule and
thus, may potentially be a breach under this subpart.
The Act does not define the terms ``acquisition'' and ``access.''
Several commenters asked that we define or identify the differences
between acquisition, access, use, and disclosure of protected health
information, for purposes of the definition of ``breach.'' We interpret
``acquisition'' and ``access'' to information based on their plain
meanings and believe that both terms are encompassed within the current
definitions of ``use'' and ``disclosure'' in the HIPAA Rules.
Accordingly, we have not added separate definitions for these terms. We
have retained the statutory terms in the regulation in order to
maintain consistency with the statute. In addition, we note that while
the HIPAA Security Rule at Sec. 164.304 includes a definition of the
term ``access,'' that definition is limited to the ability to use
``system resources'' rather than access to information more generally,
and thus we have revised that definition to make clear that it does
not apply for purposes of these breach notification rules.
For an acquisition, access, use, or disclosure of protected health
information to constitute a breach, it must constitute a violation of
the Privacy Rule. Therefore, one of the first steps in determining
whether notification is necessary under this subpart is to determine
whether a use or disclosure violates the Privacy Rule. We note that
uses or disclosures that impermissibly involve more than the minimum
necessary information, in violation of Sec. Sec. 164.502(b) and
164.514(d), may qualify as breaches under this subpart. In contrast, a
use or disclosure of protected health information that is incident to
an otherwise permissible use or disclosure and occurs despite
reasonable safeguards and proper minimum necessary procedures would not
be a violation of the Privacy Rule pursuant to 45 CFR
164.502(a)(1)(iii) and, therefore, would not qualify as a potential
breach. Finally, violations of administrative requirements, such as a
lack of reasonable safeguards or a lack of training, do not themselves
qualify as potential breaches under this subpart (although such
violations certainly may lead to impermissible uses or disclosures that
qualify as breaches).
Compromises the Security or Privacy of Protected Health Information
The Act and regulation next limit the definition of ``breach'' to a
use or disclosure that ``compromises the security or privacy'' of the
protected health information. Accordingly, once it is established that
a use or disclosure violates the Privacy Rule, the covered entity must
determine whether the violation compromises the security or privacy of
the protected health information.
For the purposes of the definition of ``breach,'' many commenters
suggested that we add a harm threshold such that an unauthorized use or
disclosure of protected health information is considered a breach only
if the use or disclosure poses some harm to the individual. These
commenters noted that the ``compromises the security or privacy''
language in section 13400(1)(A) of the Act contemplates that covered
entities will perform some type of risk assessment to determine if
there is a risk of harm to the individual, and therefore, if a breach
has occurred. Commenters urged that the addition of a harm threshold to
the definition would also align this regulation with many State breach
notification laws that require entities to reach similar harm
thresholds before providing notification. Finally, some commenters
noted that failure to include a harm threshold for requiring breach
notification may diminish the impact of notifications received by
individuals, as individuals may be flooded with notifications for
breaches that pose no threat to the security or privacy of their
protected health information or, alternatively, may cause unwarranted
panic in individuals, and the expenditure of undue costs and other
resources by individuals in remedial action.
We agree that the statutory language encompasses a harm threshold
and have clarified in paragraph (1) of the definition that
``compromises the security or privacy of the protected health
information'' means ``poses a significant risk of financial,
reputational, or other harm to the individual.'' This ensures better
consistency and alignment with State breach notification laws, as well
as existing obligations on Federal agencies (some of which also must
comply with these rules as HIPAA covered entities) pursuant to OMB
Memorandum M-07-16 to have in place breach notification policies for
personally identifiable information that take into account the likely
risk of harm caused by a breach in determining whether breach
notification is required. Thus, to determine if an impermissible use or
disclosure of protected health information constitutes a breach,
covered entities and business associates will need to perform a risk
assessment to determine if there is a significant risk of harm to the
individual as a result of the impermissible use or disclosure. In
performing the risk assessment, covered entities and business
associates may need to consider a number or combination of factors,
some of which are described below.\7\
---------------------------------------------------------------------------
\7\ Covered entities may also wish to review OMB Memorandum M-
07-16 for examples of the types of factors that may need to be taken
into account in determining whether an impermissible use or
disclosure presents a significant risk of harm to the individual.
---------------------------------------------------------------------------
Covered entities and business associates should consider who
impermissibly used or to whom the information was impermissibly
disclosed when evaluating the risk of harm to individuals. If, for
example, protected health information is impermissibly disclosed to
another entity governed by the HIPAA Privacy and Security Rules or to a
Federal agency that is obligated to comply with the Privacy Act of 1974
(5 U.S.C. 552a) and the Federal Information Security Management Act of
2002 (44 U.S.C. 3541 et seq.), there may be less risk of harm to the
individual, since the recipient entity is obligated to protect the
privacy and security of the information it received in the same or
similar manner as the entity that disclosed the information. In
contrast, if protected health information is impermissibly disclosed to
any entity or person that does not have similar obligations to maintain
the privacy and security of the information, the risk of harm to the
individual is much greater.
We expect that there may be circumstances where a covered entity
takes immediate steps to mitigate an impermissible use or disclosure,
such as by obtaining the recipient's satisfactory assurances that the
information will not be further used or disclosed (through a
confidentiality agreement or similar means) or will be destroyed. If
such steps eliminate or reduce the risk of harm to the individual to a
less than ``significant risk,'' then we interpret that the security and
privacy of the
[[Page 42745]]
information has not been compromised and, therefore, no breach has
occurred.
In addition, there may be circumstances where impermissibly
disclosed protected health information is returned prior to it being
accessed for an improper purpose. For example, if a laptop is lost or
stolen and then recovered, and a forensic analysis of the computer
shows that its information was not opened, altered, transferred, or
otherwise compromised, such a breach may not pose a significant risk of
harm to the individuals whose information was on the laptop. Note,
however, that if a computer is lost or stolen, we do not consider it
reasonable to delay breach notification based on the hope that the
computer will be recovered.
In performing a risk assessment, covered entities and business
associates should also consider the type and amount of protected health
information involved in the impermissible use or disclosure. If the
nature of the protected health information does not pose a significant
risk of financial, reputational, or other harm, then the violation is
not a breach. For example, if a covered entity improperly discloses
protected health information that merely included the name of an
individual and the fact that he received services from a hospital, then
this would constitute a violation of the Privacy Rule, but it may not
constitute a significant risk of financial or reputational harm to the
individual. In contrast, if the information indicates the type of
services that the individual received (such as oncology services), that
the individual received services from a specialized facility (such as a
substance abuse treatment program \8\), or if the protected health
information includes information that increases the risk of identity
theft (such as a social security number, account number, or mother's
maiden name), then there is a higher likelihood that the impermissible
use or disclosure compromised the security and privacy of the
information. The risk assessment should be fact specific, and the
covered entity or business associate should keep in mind that many
forms of health information, not just information about sexually
transmitted diseases or mental health, should be considered sensitive
for purposes of the risk of reputational harm--especially in light of
fears about employment discrimination.
---------------------------------------------------------------------------
\8\ Note that an impermissible disclosure that indicates that an
individual has received services from a substance abuse treatment
program may also constitute a violation of 42 U.S.C. 290dd-2 and the
implementing regulations at 42 CFR part 2. These provisions require
the confidentiality of substance abuse patient records.
---------------------------------------------------------------------------
We also address impermissible uses and disclosures involving
limited data sets (as the term is used at 45 CFR 164.514(e) of the
Privacy Rule), in paragraph (1) of the definition of ``breach'' at
Sec. 164.402 of the interim final rule. In the RFI discussed above, we
asked for public comment on whether limited data sets should be
considered unusable, unreadable, or indecipherable and included as a
methodology in the guidance. A limited data set is created by removing
the 16 direct identifiers listed in Sec. 164.514(e)(2) from the
protected health information.\9\ These direct identifiers include the
name, address, social security number, and account number of an
individual or the individual's relative, employer, or household member.
When these 16 direct identifiers are removed from the protected health
information, the information is not completely de-identified pursuant
to 45 CFR 164.514(b). In particular, the elements of dates, such as
dates of birth, and zip codes, are allowed to remain within the limited
data set, which increase the potential for re-identification of the
information. Because there is a risk of re-identification of the
information within a limited data set, the Privacy Rule treats this
information as protected health information that may only be used or
disclosed as permitted by the Privacy Rule.
---------------------------------------------------------------------------
\9\ A limited data set is protected health information that
excludes the following direct identifiers of the individual or of
relatives, employers, or household members of the individual: (1)
Names; (2) postal address information, other than town or city,
State, and zip code; (3) telephone numbers; (4) fax numbers; (5) e-
mail addresses; (6) social security numbers; (7) medical record
numbers; (8) health plan beneficiary numbers; (9) account numbers;
(10) certificate/license plate numbers; (11) vehicle identifiers and
serial numbers; (12) device identifiers and serial numbers; (13) Web
URLs; (14) Internet Protocol (IP) address numbers; (15) biometric
identifiers, including finger and voice prints; and (16) full face
photographic images and any comparable images.
---------------------------------------------------------------------------
Several commenters suggested that the limited data set should not
be included in the guidance as a method to render protected health
information unusable, unreadable, or indecipherable to unauthorized
individuals such that breach notification is not required. These
commenters cited concerns about the risk of re-identification of
protected health information in a limited data set and noted that, as
more data exists in electronic form and as more data becomes public, it
will be easier to combine these various sources to re-establish the
identity of the individual. Furthermore, due to the risk of re-
identification, these commenters stated that creating a limited data
set was not comparable to encrypting information, and therefore, should
not be included as a method to render protected health information
unusable, unreadable, or indecipherable to unauthorized individuals.
The majority of commenters, however, did support the inclusion of
the limited data set in the guidance. These commenters stated that it
would be impractical to require covered entities and business
associates to notify individuals of a breach of information within a
limited data set because, by definition, such information excludes the
very identifiers that would enable covered entities and business
associates, without undue burden, to identify the affected individuals
and comply with the breach notification requirements. Additionally,
these commenters cited contractual concerns regarding the data use
agreement, which prohibits the recipient of a limited data set from re-
identifying the information and therefore, may pose problems with
complying with the notification requirements of section 13402(b) of the
Act.
These commenters also noted that the decision to exclude the
limited data set from the guidance, such that a breach of a limited
data set would require breach notification, would reduce the likelihood
that covered entities would continue to create and share limited data
sets. This, in turn, would have a chilling effect on the research and
public health communities, which rely on receiving information from
covered entities in limited data set form.
Finally, commenters noted that the removal of the 16 direct
identifiers in the limited data set presents a minimal risk of serious
harm to the individual by limiting the possibility that the information
could be used for an illicit purpose if breached. These commenters also
suggested that the inclusion of the limited data set in the guidance
would align with most state breach notification laws, which, as a
general matter, only require notification when certain identifiers are
exposed and when there is a likelihood that the breach will result in
harm to the individual.
We also asked commenters if they believed that the removal of an
individual's date of birth or zip code, in addition to the 16 direct
identifiers in 45 CFR 164.514(e)(2), would reduce the risk of re-
identification of the information such that it could be included in the
guidance. Several commenters responded to this question. While some
stated that the removal of these data elements would render the
[[Page 42746]]
information useless to the research and public health communities,
which may, for example, require zip codes for many population based
studies, many commenters did acknowledge that the removal of these
additional identifiers would reduce the risk of re-identification of
the information.
After considering these comments, we decided against including the
limited data set in the guidance as a method for rendering protected
health information unusable, unreadable, or indecipherable to
unauthorized individuals due to the potential risk of re-identification
of this information. However, we address breaches of limited data sets
in the definition of ``breach'' as follows.
Under the definition of ``breach'' at Sec. 164.402, in order to
determine whether a covered entity's or business associate's
impermissible use or disclosure of protected health information
constitutes a breach, the covered entity or business associate will
need to perform the risk assessment discussed above. This applies to
impermissible uses or disclosures of protected health information that
constitute a limited data set, unless, as discussed below, the
protected health information also does not include zip codes or dates
of birth. In performing the risk assessment to determine the likely
risk of harm caused by an impermissible use or disclosure of a limited
data set, the covered entity or business associate should take into
consideration the risk of re-identification of the protected health
information contained in the limited data set.
Through a risk assessment, a covered entity or business associate
may determine that the risk of identifying a particular individual is
so small that the use or disclosure poses no significant risk of harm
to any individuals. For example, it may be determined that an
impermissible use or disclosure of a limited data set that includes
zip codes, based on the population features of those zip codes, does
not create a significant risk that a particular individual can be
identified. Therefore, there would be no significant risk of harm to
the individual. If there is no significant risk of harm to the
individual, then no breach has occurred and no notification is
required. If, however, the covered entity or business associate
determines that the individual can be identified based on the
information disclosed, and there is otherwise a significant risk of
harm to the individual, then breach notification is required, unless
one of the other exceptions discussed below applies.
We have provided a narrow, explicit exception to what compromises
the privacy or security of protected health information for a use or
disclosure of protected health information that excludes the 16 direct
identifiers listed at 45 CFR 164.514(e)(2) as well as dates of birth
and zip codes. Thus, we deem an impermissible use or disclosure of this
information to not compromise the security or privacy of the protected
health information, because we believe that impermissible uses or
disclosures of this information--if subjected to the type of risk
assessment described above--would pose a low level of risk. We
emphasize that this is a narrow exception. If, for example, the
information does not contain birth dates but does contain zip code
information or contains both birth dates and zip code information, then
this narrow exception would not apply, and the covered entity or
business associate would be required to perform a risk assessment to
determine if the risk of re-identification poses a significant risk of
harm to the individual. We invite comments on this narrow exception. We
do not believe that this narrow exception will have the unintended
consequence of discouraging the use of encryption and other methods for
rendering protected health information unusable, unreadable, or
indecipherable; however, we invite comments on this issue as well.
Finally, we note that this narrow exception should not be construed as
encouraging or permitting the use or disclosure of more than the
minimum necessary information, in violation of Sec. Sec. 164.502(b)
and 164.514(d).
We do not intend to interfere with research or public health
activities that rely on dates of birth or zip codes. Uses and
disclosures of limited data sets that include this information continue
to be permissible under the Privacy Rule if the applicable
requirements, such as a data use agreement, are satisfied. Further, we
note that a covered entity or business associate is not responsible for
a breach by a third party to whom it permissibly disclosed protected
health information, including limited data sets, unless the third party
received the information in its role as an agent of the covered entity
or business associate. To the extent that a third party recipient of
the information is itself a covered entity, and the information is
breached while at the third party (i.e., used or disclosed in an
impermissible manner and in a manner determined to compromise the
privacy or security of the information), then the third party will be
responsible for complying with the provisions of this interim final
rule. In cases where a covered entity is the recipient of a limited
data set pursuant to Sec. 164.514(e) of the Privacy Rule and it is
unable to re-identify the individuals after a breach occurs, it may
satisfy the requirements of Sec. 164.404 without re-identifying the
information, by providing substitute notice to the individuals as
required by paragraph (d)(2) of that section.
We note that the discussion above regarding ``limited data sets''
applies to any protected health information that excludes the 16 direct
identifiers listed at Sec. 164.514(e)(2), regardless of whether the
information is used for health care operations, public health, or
research purposes (see Sec. 164.514(e)(3)(i)), and is subject to a
data use agreement under Sec. 164.514(e) of the Privacy Rule. Thus,
for example, a covered entity that impermissibly uses or discloses data
that is stripped of the 16 direct identifiers described above, zip
codes, and dates of birth, may take advantage of the exception to what
is a breach, regardless of the intended purpose of the use or
disclosure or whether a data use agreement was in place.
With respect to any type of protected health information, we note
that Sec. 164.414, discussed below, gives covered entities and
business associates the burden of demonstrating that no breach has
occurred because the impermissible use or disclosure did not pose a
significant risk of harm to the individual. Covered entities and
business associates must document their risk assessments, so that they
can demonstrate, if necessary, that no breach notification was required
following an impermissible use or disclosure of protected health
information. For impermissible uses or disclosures of protected health
information that fall under the narrow exception at paragraph (1)(ii)
of this definition, which do not qualify as breaches because the
protected health information is a limited data set that does not
include zip codes or dates of birth, documentation that demonstrates
that the lost information did not include these identifiers will
suffice.
Exceptions to Breach
Section 13400(1) of the Act also includes three exceptions to the
definition of ``breach'' that encompass situations Congress clearly
intended to not constitute breaches: (1) Unintentional acquisition,
access, or use of protected health information by an employee or
individual acting under the authority of a covered entity or business
associate (section 13400(1)(B)(i)); (2) inadvertent disclosure of
protected health information from one person
[[Page 42747]]
authorized to access protected health information at a covered entity
or business associate to another person authorized to access protected
health information at the covered entity or business associate (section
13400(1)(B)(ii) and (iii)); and (3) unauthorized disclosures in which
an unauthorized person to whom protected health information is
disclosed would not reasonably have been able to retain the information
(section 13400(1)(A)). We have included these three exceptions as
paragraphs (2)(i), (ii), and (iii), respectively.
The first regulatory exception at paragraph (2)(i) of this
definition, for unintentional acquisition, access, or use of protected
health information, generally mirrors the exception in section
13400(1)(B)(i) of the Act. This statutory section excepts from the
definition of ``breach'' the unintentional acquisition, access, or use
of protected health information by an employee or individual acting
under the authority of a covered entity or a business associate, if the
acquisition, access, or use was made in good faith, within the course
and scope of employment or other professional relationship, and does
not result in further use or disclosure.
We modified the statutory language to use ``workforce members''
instead of employees. Workforce member is a defined term in 45 CFR
160.103 and means ``employees, volunteers, trainees, and other persons
whose conduct, in the performance of work for a covered entity, is
under the direct control of such entity, whether or not they are paid
by the covered entity.''
A person is acting under the authority of a covered entity or
business associate if he or she is acting on its behalf. This may
include a workforce member of a covered entity, an employee of a
business associate, or even a business associate of a covered entity.
Similarly, to determine whether the access, acquisition, or use was
made ``within the scope of authority,'' the covered entity or business
associate should consider whether the person was acting on its behalf
at the time of the inadvertent acquisition, access, or use.
Additionally, while the statutory language provides that this
exception applies where the recipient does not further use or disclose
the information, we have interpreted this exception as encompassing
circumstances where the recipient does not further use or disclose the
information in a manner not permitted under the Privacy Rule. In
circumstances where any further use or disclosure of the information is
permissible under the Privacy Rule, we interpret that there is no
breach because the security and privacy of the information has not been
compromised by any such permissible use or disclosure.
To illustrate this exception, we offer the following example. A
billing employee receives and opens an e-mail containing protected
health information about a patient which a nurse mistakenly sent to the
billing employee. The billing employee notices that he is not the
intended recipient, alerts the nurse of the misdirected e-mail, and
then deletes it. The billing employee unintentionally accessed
protected health information to which he was not authorized to have
access. However, the billing employee's use of the information was done
in good faith and within the scope of authority, and therefore, would
not constitute a breach and notification would not be required,
provided the employee did not further use or disclose the information
accessed in a manner not permitted by the Privacy Rule.
In contrast, a receptionist at a covered entity who is not
authorized to access protected health information decides to look
through patient files in order to learn of a friend's treatment. In
this case, the impermissible access to protected health information
would not fall within this exception to breach because such access was
neither unintentional, done in good faith, nor within the scope of
authority.
The second regulatory exception, at paragraph (2)(ii) of this
definition, covers inadvertent disclosures and generally mirrors the
exception provided in section 13400(1)(B)(ii) and (iii) of the Act,
with slight modifications. The statute excepts from the definition of
``breach'' inadvertent disclosures from an individual who is otherwise
authorized to access protected health information at a facility
operated by a covered entity or business associate to another similarly
situated individual at the same facility if the information is not
further used or disclosed without authorization. We have modified the
statutory language slightly to except from breach inadvertent
disclosures of protected health information from a person who is
authorized to access protected health information at a covered entity
or business associate to another person authorized to access protected
health information at the same covered entity, business associate, or
organized health care arrangement in which the covered entity
participates. Organized health care arrangement is defined by the HIPAA
Rules to mean, among other things, a clinically integrated care setting
in which individuals typically receive health care from more than one
health care provider.\10\ See 45 CFR 160.103. This includes, for
example, a covered entity, such as a hospital, and the health care
providers who have staff privileges at the hospital.
---------------------------------------------------------------------------
\10\ 45 CFR 160.103 also defines ``organized health care
arrangement'' to include ``an organized system of health care in
which more than one covered entity participates'' and in which the
participating covered entities engage in certain joint utilization
review, quality assessment and improvement, or payment activities.
In addition, the definition encompasses certain relationships
between group health plans and health insurance issuers or health
maintenance organizations (HMO), as well as relationships among
group health plans which are maintained by the same plan sponsor.
---------------------------------------------------------------------------
We received several comments with respect to this exception, and
many commenters asked that we clarify and explain the statutory
language regarding what it means to be a ``similarly situated
individual'' and what constitutes the ``same facility'' for purposes of
this exception. We believe that a ``similarly situated individual,''
for purposes of the statute, means an individual who is authorized to
access protected health information, and thus, for clarity, we have
substituted this language for the statutory language in the regulation.
Thus, a person who is authorized to access protected health information
is similarly situated, for purposes of this regulation, to another
person at the covered entity, business associate of the covered entity,
or organized health care arrangement in which the covered entity
participates, who is also authorized to access protected health
information (even if the two persons may not be authorized to access
the same types of protected health information). For example, a
physician who has authority to use or disclose protected health
information at a hospital by virtue of participating in an organized
health care arrangement with the hospital is similarly situated to a
nurse or billing employee at the hospital. In contrast, the physician
is not similarly situated to an employee at the hospital who is not
authorized to access protected health information.
Additionally, we have interpreted ``same facility'' to mean the
same covered entity, business associate, or organized health care
arrangement in which the covered entity participates and have
substituted this language in the regulation. By focusing on the legal
entity or status of the entities as an organized health care
arrangement when interpreting ``same facility,'' we believe we have
more clearly captured the intent of the statute and have also
alleviated commenter concerns that the term ``facility'' was too
narrow. Therefore, the size of the covered entity,
[[Page 42748]]
business associate, or organized health care arrangement will dictate
the scope of this exception. If a covered entity has a single location,
then the exception will apply to disclosures between a workforce member
and, e.g., a physician with staff privileges at that single location.
However, if a covered entity has multiple locations across the country,
the same exception will apply even if the workforce member makes the
disclosure to a physician with staff privileges at a facility located
in another state.
We interpret the statutory limitation that the information not be
``further acquired, accessed, used, or disclosed without
authorization'' as meaning that the information is not further used or
disclosed in a manner not permitted by the Privacy Rule. Thus, this
exception encompasses circumstances in which a person who is authorized
to use or disclose protected health information within a covered
entity, business associate, or organized health care arrangement
inadvertently discloses that information to another person who is
authorized to use or disclose protected health information within the
same covered entity, business associate, or organized health care
arrangement, as long as the recipient does not further use or disclose
the information in violation of the Privacy Rule.
The final regulatory exception to breach at paragraph (2)(iii) of
this definition mirrors the exception found in section 13400(1)(A) of
the Act. The statute excepts from the definition of ``breach''
situations in which the unauthorized person to whom protected health
information has been disclosed would not reasonably have been able to
retain the information. We have slightly modified this language to
except from ``breach'' situations where a covered entity or business
associate has a good faith belief that the unauthorized person to whom
the disclosure of protected health information was made would not
reasonably have been able to retain the information.
For example, a covered entity, due to a lack of reasonable
safeguards, sends a number of explanations of benefits (EOBs) to the
wrong individuals. A few of the EOBs are returned by the post office,
unopened, as undeliverable. In these circumstances, the covered entity
can conclude that the improper addressees could not reasonably have
retained the information. The EOBs that were not returned as
undeliverable, however, and that the covered entity knows were sent to
the wrong individuals, should be treated as potential breaches.
As another example, a nurse mistakenly hands a patient the
discharge papers belonging to another patient, but she quickly realizes
her mistake and recovers the protected health information from the
patient. If the nurse can reasonably conclude that the patient could
not have read or otherwise retained the information, then this would
not constitute a breach.
With respect to any of the three exceptions discussed above, a
covered entity or business associate has the burden of proof, pursuant
to Sec. 164.414(b) (discussed below), for showing why breach
notification was not required. Accordingly, the covered entity or
business associate must document why the impermissible use or
disclosure falls under one of the above exceptions.
Based on the above, we envision that covered entities and business
associates will need to do the following to determine whether a breach
occurred. First, the covered entity or business associate must
determine whether there has been an impermissible use or disclosure of
protected health information under the Privacy Rule. Second, the
covered entity or business associate must determine, and document,
whether the impermissible use or disclosure compromises the security or
privacy of the protected health information. This occurs when there is
a significant risk of financial, reputational, or other harm to the
individual. Lastly, the covered entity or business associate may need
to determine whether the incident falls under one of the exceptions in
paragraph (2) of the breach definition.
We treat the breach as having occurred at the time of the
impermissible use or disclosure (or in the case of the exceptions
listed at paragraphs (2)(i) and (ii) of the definition of ``breach,''
at the time of the ``further'' impermissible use or disclosure), but
recognize that a covered entity or business associate may require a
reasonable amount of time to confirm whether the incident qualifies as
a breach. As discussed below, a breach is considered discovered when
the incident becomes known, not when the covered entity or business
associate concludes the above analysis of whether the facts constitute
a breach.
2. Unsecured Protected Health Information
The interim final rule adopts a definition of ``unsecured protected
health information'' to identify to what information the breach
notification provisions apply. Section 13402(h)(1)(A) of the Act
defines ``unsecured protected health information'' as ``protected
health information that is not secured through the use of a technology
or methodology specified by the Secretary in guidance issued under
[section 13402(h)(2)].'' Further, the Act at section 13402(h)(2)
requires that the Secretary specify in the guidance the technologies
and methodologies that render protected health information unusable,
unreadable, or indecipherable to unauthorized individuals. Accordingly,
the interim final rule defines ``unsecured protected health
information'' to mean protected health information that is not rendered
unusable, unreadable, or indecipherable to unauthorized individuals
through the use of a technology or methodology specified by the
Secretary in guidance. We also provide in the regulation that the
guidance will be published on the HHS Web site.
Section 13402(h)(2) of the Act required that the Secretary
initially issue such guidance, after consultation with stakeholders, no
later than 60 days after enactment, or April 17, 2009. As discussed
above, the Secretary issued the guidance along with a request for
information on April 17, 2009, on the HHS Web site at http://www.hhs.gov/ocr/privacy/ and the guidance was later published in the
Federal Register on April 27, 2009 (74 FR 19006). The Department has
reviewed the public comment received in response to the request for
information and provides an update to the guidance in Section II of
this document. As provided in this interim final rule, this updated
guidance is also (and any future updates will be) available on the HHS
Web site at http://www.hhs.gov/ocr/privacy/.
We note that the definition of ``unsecured protected health
information'' in the Act and this interim final rule incorporates
generally the term ``protected health information,'' as defined at 45
CFR 160.103 of the HIPAA Rules, which includes information in any form
or medium. Accordingly, the term ``unsecured protected health
information'' can include information in any form or medium, including
electronic, paper, or oral form.
C. Notification to Individuals--Section 164.404
Section 164.404 of the interim final rule provides the requirements
for the notifications covered entities are to provide to individuals
affected by a breach of unsecured protected health information. This
section includes implementation specifications regarding timeliness,
content, and methods of the notice.
[[Page 42749]]
General Rule
Section 164.404(a)(1) provides the general rule that a covered
entity shall, following the discovery of a breach of unsecured
protected health information, notify each individual whose unsecured
protected health information has been, or is reasonably believed by the
covered entity to have been, accessed, acquired, used, or disclosed as
a result of such breach. This regulatory provision implements section
13402(a) of the Act, but does not include the phrase ``that accesses,
maintains, retains, modifies, records, stores, destroys, or otherwise
holds, uses, or discloses'' used in the statute to describe a covered
entity's actions with respect to unsecured protected health information
because inclusion of such terms was deemed unnecessary. In addition,
the statute refers to protected health information that has been
``accessed, acquired, or disclosed''; it does not include ``used.'' In
contrast, the statutory definition of ``breach'' refers to the
``acquisition, access, use, or disclosure'' of protected health
information. For consistency with the definition, therefore, we have
added ``used'' to the list of actions for which notification is
required in Sec. 164.404(a)(1).
Breaches Treated as Discovered
Section 164.404(a)(2) states that a breach shall be treated as
discovered by a covered entity as of the first day the breach is known
to the covered entity, or by exercising reasonable diligence would have
been known to the covered entity. Thus, a covered entity is not liable
for failing to provide notification in cases in which it is not aware
of a breach unless the covered entity would have been aware of the
breach had it exercised reasonable diligence. Section 164.404(a)(2)
further provides that a covered entity is deemed to have knowledge of a
breach if such breach is known, or by exercising reasonable diligence
would have been known, to any person, other than the person committing
the breach, who is a workforce member or agent of the covered entity
(determined in accordance with the federal common law of agency). These
provisions implement section 13402(c) of the Act but clarify that the
federal common law of agency is to control in determining who is an
agent of the covered entity. This approach is consistent with the HIPAA
Enforcement Rule (45 CFR part 160, subparts C through E), which
provides that the federal common law of agency applies in determining
agency liability under the HIPAA Rules.
We have also modified the statutory language slightly to better
conform to existing language in the HIPAA Enforcement Rule by
incorporating the term ``by exercising reasonable diligence.'' The term
``reasonable diligence'' means the ``business care and prudence
expected from a person seeking to satisfy a legal requirement under
similar circumstances.'' We have made these clarifications for
consistency and uniformity across the regulations.
Because a covered entity or business associate is liable for
failing to provide notice of a breach when the covered entity or
business associate did not know--but by exercising reasonable diligence
would have known--of a breach, it is important for such entities to
implement reasonable systems for discovery of breaches. We also note
that these provisions attribute knowledge of a breach by a workforce
member or other agent (other than the person committing the breach),
such as certain business associates, to the covered entity itself. This
is important, as knowledge of a breach, i.e., when a breach is treated
as ``discovered,'' starts the clock in terms of the period of time a
covered entity has to make the notifications required by the interim
final rule. Thus, covered entities should ensure their workforce
members and other agents are adequately trained and aware of the
importance of timely reporting of privacy and security incidents and of
the consequences of failing to do so.
Timeliness
Regarding timeliness of individual notifications, Sec. 164.404(b)
mirrors the statutory requirement in section 13402(d) of the Act and
requires that, except when law enforcement requests a delay in
accordance with Sec. 164.412 (provision discussed below), a covered
entity shall send the required notification without unreasonable delay
and in no case later than 60 calendar days after the date the breach
was discovered by the covered entity. Thus, provisions for timeliness
should be read together with the above provisions for when a breach is
treated as discovered. We expect a covered entity to make the
individual notifications as soon as reasonably possible. The covered
entity may take a reasonable time to investigate the circumstances
surrounding the breach, in order to collect and develop the information
that Sec. 164.404(c) requires to be included in the notice to the
individual. As discussed below, covered entities are also permitted to
provide the required information to individuals within the required
time period in multiple mailings as the information becomes available.
In response to the RFI, some commenters suggested that suspected
but unconfirmed breaches should not be treated as discovered until all
the facts of the breach could be confirmed. Others suggested that 60
days was an insufficient amount of time to conduct a complete
investigation and send the required notifications. We disagree. Waiting
longer than 60 days to notify individuals of breaches of their
unsecured protected health information could substantially increase the
risk of harm to individuals as a result of the breach and decrease the
ability of the individuals to effectively protect themselves from such
harm. The statute and interim final rule provide that the notification
must be provided without unreasonable delay and in no case later than
60 calendar days. The purpose of this period is to give covered
entities and business associates time to conduct a prompt investigation
into the incident to identify and collect the information needed to
provide meaningful notice to the individual about what happened. Thus,
the time period for breach notification begins when the incident is
first known, not when the investigation of the incident is complete,
even if it is initially unclear whether the incident constitutes a
breach as defined in this rule.
Further, the duration of an investigation is limited by the statute
and interim final rule's requirement that any delay be reasonable--the
investigation cannot take an unreasonable amount of time. Thus, if a
covered entity learns of an impermissible use or disclosure but
unreasonably allows the investigation to lag for 30 days, this would
constitute an unreasonable delay. Further, the 60 days is an outer
limit and therefore, in some cases, it may be an ``unreasonable delay''
to wait until the 60th day to provide notification. For example, if a
covered entity has compiled the information necessary to provide
notification to individuals on day 10 but waits until day 60 to send
the notifications, it would constitute an unreasonable delay despite
the fact that the covered entity has provided notification within 60
days.
We also note that if a covered entity promptly investigates a
reported breach and can swiftly conclude that there was no breach, then
the covered entity need not send out breach notifications. For example,
where a laptop with unsecured protected health information is initially
reported by an employee to be stolen but is discovered the next day in
another secure office within the
[[Page 42750]]
covered entity, then the covered entity need not send out breach
notifications.
Content
Section 13402(f) of the Act sets forth the content requirements for
the breach notice to the individual. Section 164.404(c) of the interim
final rule implements section 13402(f) of the Act and requires the
notification to include, to the extent possible, the following
elements: (1) A brief description of what happened, including the date
of the breach and the date of the discovery of the breach, if known;
(2) A description of the types of unsecured protected health
information that were involved in the breach (such as whether full
name, social security number, date of birth, home address, account
number, diagnosis, disability code, or other types of information were
involved); (3) any steps individuals should take to protect themselves
from potential harm resulting from the breach; (4) a brief description
of what the covered entity involved is doing to investigate the breach,
to mitigate harm to individuals, and to protect against any further
breaches; and (5) contact procedures for individuals to ask questions
or learn additional information, which must include a toll-free
telephone number, an e-mail address, Web site, or postal address. With
respect to indicating in the notification the types of protected health
information involved in a breach, we emphasize that this provision
requires covered entities to describe only the types of information
involved. Thus, covered entities should not include a listing of the
actual protected health information that was breached (e.g., list in
the notice the individual's social security number or credit card
number that was breached) and generally should avoid including any
sensitive information in the notification itself. Further, in the
interim final rule at Sec. 164.404(c)(1)(B), we add the term
``diagnosis'' in the parenthetical listing of examples of types of
protected health information to make clear that, where appropriate, a
covered entity may need to indicate in the notification to the
individual whether and what types of treatment information were
involved in a breach. In addition, at Sec. 164.404(c)(1)(D), we
replace the statutory term ``mitigate losses'' with ``mitigate harm to
the individual'' to make clear that the notification should describe
the steps the covered entity is taking to mitigate potential harm to
the individual resulting from the breach and that such harm is not
limited to economic loss.
Under these content requirements, for example, and depending on the
circumstances, the notice to the individual may include recommendations
that the individual contact his or her credit card company and
information about how to contact the credit bureaus and obtain credit
monitoring services (if credit card information was breached);
information about steps the covered entity is taking to retrieve the
breached information, such as filing a police report (if a suspected
theft of unsecured protected health information occurred); information
about steps the covered entity is taking to improve security to prevent
future similar breaches; and information about sanctions the covered
entity imposed on workforce members involved in the breach.
Some commenters recommended that we impose a page limitation on the
length of the notice (e.g., one page in length) and ensure the content
of the notice is non-technical and non-complex so individuals can
easily understand the information being provided. We agree that it is
important for individuals to be able to understand the information
being provided to them in the breach notifications and thus, at Sec.
164.404(c)(2) of the interim final rule, include a requirement that
such notifications be written in plain language. To satisfy this
requirement, the covered entity should write the notice at an
appropriate reading level, using clear language and syntax, and not
include any extraneous material that might diminish the message it is
trying to convey. We do not impose a page limitation, however, so as
not to constrain covered entities in including in the notifications the
information they believe could be helpful to individuals.
Further, we note that some covered entities may have obligations
under other laws with respect to their communication with affected
individuals. For example, to the extent a covered entity is obligated
to comply with Title VI of the Civil Rights Act of 1964, the covered
entity must take reasonable steps to ensure meaningful access for
Limited English Proficient persons to the services of the covered
entity, which could include translating the notice into frequently
encountered languages. Similarly, to the extent that a covered entity
is obligated to comply with Section 504 of the Rehabilitation Act of
1973 or the Americans with Disabilities Act of 1990, the covered entity
has an obligation to take steps that may be necessary to ensure
effective communication with individuals with disabilities, which could
include making the notice available in alternate formats, such as
Braille, large print, or audio.
Methods of Notification
Section 13402(e)(1) of the Act provides for both actual written
notice to the individual, as well as substitute notice to the
individual if contact information is insufficient or out-of-date.
Accordingly, the interim final rule at Sec. 164.404(d) adopts the
statutory provisions for actual and substitute breach notification to
the individual.
Section 164.404(d)(1)(i) requires a covered entity to provide
breach notice to the individual in written form by first-class mail at
the last known address of the individual. Consistent with the statute,
the interim final rule also provides that written notice may be in the
form of electronic mail, provided the individual agrees to receive
electronic notice and such agreement has not been withdrawn. We note
that, consistent with Sec. 164.502(g) of the Privacy Rule, where the
individual affected by a breach is a minor or otherwise lacks legal
capacity due to a physical or mental condition, notice to the parent or
other person who is the personal representative of the individual will
satisfy the requirements of Sec. 164.404(d)(1). The statute also
requires that, if the individual is deceased, notice must be sent to
the last known address of the next of kin. The interim final rule
adopts this provision at Sec. 164.404(d)(1)(ii), but provides that
such notice be sent to either the individual's next of kin or personal
representative, as such term is used for purposes of the Privacy Rule,
recognizing that in some cases, a covered entity may have contact
information for a personal representative of a deceased individual
rather than the next of kin. We believe this conforms to the intent of
the statute and improves consistency between this subpart and the
Privacy Rule. Under 45 CFR 164.502(g), a ``personal representative'' of
a deceased individual is a person who has authority to act on behalf of
the decedent or the decedent's estate. The interim final rule also
clarifies that a covered entity is only required to provide notice to
next of kin or the personal representative if the covered entity both
knows the individual is deceased and has the address of the next of kin
or personal representative of the decedent. This clarification should
address some of the comments which raised both administrative and
privacy concerns with a covered entity being required to obtain contact
information for next of kin of a deceased patient, if the individual
did not otherwise provide the information while alive.
[[Page 42751]]
If a covered entity does not have sufficient contact information
for some or all of the affected individuals, or if some notices are
returned as undeliverable, the covered entity must provide substitute
notice for the unreachable individuals in accordance with Sec.
164.404(d)(2) of the interim final rule. Substitute notice should be
provided as soon as reasonably possible after the covered entity is
aware that it has insufficient or out-of-date contact information for
one or more affected individuals. Whatever form of substitute notice is
provided, the notice must contain all the elements that Sec.
164.404(c) requires be included in the direct written notice to
individuals. With respect to decedents, however, the rule provides that
a covered entity is not required to provide substitute notice for the
next of kin or personal representative in cases where the covered
entity either does not have contact information or has out-of-date
contact information for the next of kin or personal representative.
Section 164.404(d)(2) requires that the substitute form of notice
be reasonably calculated to reach the individuals for whom it is being
provided. If there are fewer than 10 individuals for whom the covered
entity has insufficient or out-of-date contact information to provide
the written notice, Sec. 164.404(d)(2)(i) permits the covered entity
to provide substitute notice to such individuals through an alternative
form of written notice, by telephone, or other means. For example, if
the covered entity learns that the home address it has for one of its
patients is out-of-date but it has the patient's e-mail address, it may
provide substitute notice by e-mail even if the patient has not agreed
to electronic notice. Similarly, in the above example, if the covered
entity has a current telephone number rather than e-mail address for
the patient, then the covered entity may telephone the patient and
provide the information required by the notice over the phone. We note,
however, that the covered entity should be sensitive to not
unnecessarily disclose protected health information in the process of
providing substitute notice, such as where the covered entity leaves an
answering machine message that could be picked up by other household
members. In such cases, the covered entity should take care to limit
the amount of information disclosed on an answering machine message,
such as, for example, by leaving only its name and number and
indicating it has a very important message for the individual.
Alternatively, posting a notice on the Web site of the covered entity
or at another location may be appropriate if the covered entity lacks
any current contact information for the patients, so long as the
posting is done in a manner that is reasonably calculated to reach the
individuals.
If a covered entity has insufficient or out-of-date contact
information for 10 or more individuals, then Sec. 164.404(d)(2)(ii)
requires the covered entity to provide substitute notice through either
a conspicuous posting for a period of 90 days on the home page of its
Web site or conspicuous notice in major print or broadcast media in
geographic areas where the individuals affected by the breach likely
reside. As described above, these substitute notifications must be
provided in a manner that is reasonably calculated to reach the
affected individuals. In addition, substitute notice through the Web
site or media for 10 or more individuals requires the covered entity to
have a toll-free phone number, active for 90 days, where an individual
can learn whether the individual's unsecured protected health
information may be included in the breach and to include the number in
the notice.
If the covered entity chooses to provide substitute notice on the
home page of its Web site, the notice must be conspicuous and posted
for at least 90 days. A covered entity may provide all the information
described at Sec. 164.404(c) directly on its home page or may provide
a hyperlink to the notice containing such information. We interpret
``home page'' to include the home page for visitors to the covered
entity's Web site and the landing page or login page for existing
account holders. If a covered entity uses a hyperlink on the home page
to convey the substitute notice, the hyperlink should be prominent so
that it is noticeable given its size, color, and graphic treatment in
relation to other parts of the page, and it should be worded to convey
the nature and importance of the information to which it leads.
Alternatively, or if the covered entity does not have or does not
wish to use a Web site for the substitute notice, the covered entity
may provide substitute notice of the breach in major print or broadcast
media in geographic areas where the individuals affected by the breach
likely reside. What constitutes major print or broadcast media for a
particular area will depend on the geographic area where the affected
individuals are likely to reside and what is reasonably calculated to
reach the affected individuals. We emphasize that what is considered
major print or broadcast media for a metropolitan area may be very
different from what is considered major print or broadcast media in a
rural area. For example, if the affected individuals are reasonably
likely to reside in a rural area, then a local newspaper could be the
major newspaper serving that area and most likely to reach the
individuals affected. For affected individuals in a metropolitan area,
then a newspaper serving the entire metropolitan area or the entire
State would be more likely to reach the individuals affected. If the
affected individuals likely reside in different regions or States, then
the covered entity may need to utilize multiple media outlets to
reasonably reach these individuals.
Also, we clarify in this interim final rule that any notice in
print or broadcast media under this section must be conspicuous,
similar to the posting on the Web site. Thus, for example, for notice
in print media, thought should be given to what location and duration
of the notice is reasonably calculated to reach the affected
individuals.
Some commenters were concerned that providing substitute notice in
major media would be costly and onerous. Covered entities that are
concerned with the cost of providing substitute notice in this manner
have the option of instead posting the substitute notice on their Web
sites. For smaller covered entities that do not have Web sites, we
would expect those covered entities generally serve a patient
population located in a relatively compact and discrete area. In such
cases, the geographic area in which the affected individuals reside
would be comparably small, and, therefore, we do not believe that
providing substitute notice in the appropriate local newspaper or
television station would be excessively costly or onerous. Finally, we
note that covered entities with out-of-date or insufficient contact
information for some individuals can attempt to update the contact
information so that they can provide direct written notification, in
order to limit the number of individuals for whom substitute notice is
required and, thus, potentially avoid the obligation to provide
substitute notice through a Web site or major print or broadcast media
under Sec. 164.404(d)(2)(ii).
Other commenters were concerned that the requirement to include a
toll-free phone number in the substitute media notice would overly
burden a covered entity with calls from individuals unaffected by the
breach. We note that the statute requires that covered entities include
a toll-free phone number in cases where substitute notice is required
for 10 or more individuals. Covered entities concerned
[[Page 42752]]
with the number of calls they may receive from unaffected individuals
may wish to include sufficient information in the notice itself or a
Web address in the notice for more information (or other means) as a
way for individuals to determine whether their information may have
been included in the breach.
Additional Notice in Urgent Situations
Finally, Sec. 164.404(d)(3) of the interim final rule implements
the provision in the statute at section 13402(e)(1)(C), which makes
clear that notice by telephone or other means may be made, in addition
to written notice, in cases deemed by the covered entity to require
urgency because of possible imminent misuse of unsecured protected
health information. We emphasize, however, that such notice, if
utilized, is in addition to, and not in lieu of, the direct written
notice required by Sec. 164.404(d)(1).
D. Notification to the Media--164.406
Section 164.406 implements section 13402(e)(2) of the Act, which
requires that notice be provided to prominent media outlets serving a
State or jurisdiction, following the discovery of a breach if the
unsecured protected health information of more than 500 residents of
such State or jurisdiction is, or is reasonably believed to have been,
accessed, acquired, or disclosed during such breach. This media notice
differs from the substitute media notice described in Sec.
164.404(d)(2) in that it is directed ``to'' the media and is
intended to supplement, but not substitute for, individual notice. The
Act requires that notification to the media under this provision be
provided within the same timeframe as notice is to be provided to the
individual. See section 13402(d)(1) of the Act. Accordingly, Sec.
164.406(b) of the interim final rule requires a covered entity to
notify prominent media outlets without unreasonable delay and in no
case later than 60 calendar days after discovery of the breach. In
paragraph (c) of this section, we require that notification to the
media under this provision include the same information required to be
included in the notification to the individual under Sec. 164.404(c).
We expect that most covered entities will provide notification to the
media under this section in the form of a press release.
Commenters asked that we define what constitutes a ``prominent
media outlet.'' We do not define ``prominent media outlet'' in this
regulation because what constitutes a prominent media outlet will
differ depending upon the State or jurisdiction affected. For example,
for a breach affecting more than 500 individuals across a particular
state, a prominent media outlet may be a major, general-interest
newspaper with a daily circulation throughout the entire state. In
contrast, a newspaper serving only one town and distributed on a
monthly basis, or a daily newspaper of specialized interest (such as
sport, politics) would not be viewed as a prominent media outlet. If a
breach affects more than 500 individuals in a limited jurisdiction, such
as a city, then a prominent media outlet may be a major, general-
interest newspaper with daily circulation throughout the city, even
though the newspaper does not serve the whole State.
Commenters also asked HHS to clarify what is meant by ``State or
jurisdiction'' for purposes of notice to the media under this
provision. We note that ``State'' is already defined at Sec. 160.103
of the HIPAA Rules to mean ``any of the several States, the District of
Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and
Guam.'' That definition applies to this new provision. We also note
that the Act includes a definition of ``State'' which applies for
purposes of this provision and defines ``State'' to include, in
addition to what is included at Sec. 160.103, American Samoa and the
Northern Mariana Islands. Thus, we provide at Sec. 164.406(a) that,
for purposes of this provision, ``State'' also includes American Samoa
and the Northern Mariana Islands. With respect to jurisdiction, we
clarify that, for purposes of this provision, jurisdiction is a
geographic area smaller than a state, such as a county, city, or town.
To illustrate how these provisions apply, we provide the following
example. If laptops containing the unsecured protected health
information of more than 500 residents of a particular city were stolen
from a covered entity, notification under this section should be
provided to prominent media outlets serving that city. In this case,
the prominent media outlet may be a major television station or
newspaper (or other media outlet) serving primarily the residents of
that city or a prominent media outlet serving the entire state.
Alternatively, for a breach involving 500 or more residents across a
State and not within any one particular county or city of the State,
the prominent media outlet chosen must serve the entire State.
In response to comments received, we also offer clarification on
how to address a breach involving residents in multiple States or
jurisdictions. For example, if a covered entity discovers a breach of
600 individuals, 200 of whom reside in Virginia, 200 of whom reside
in Maryland, and 200 of whom reside in the District of Columbia, such
a breach did not affect more than 500 residents of any one State or
jurisdiction, and as such, notification is not required to be provided
to the media pursuant to Sec. 164.406. However, individual
notification under Sec. 164.404 would be required, as would
notification to the Secretary under Sec. 164.408 because the breach
involved 500 or more individuals. Conversely, if a covered entity
discovered a breach of unsecured protected health information involving
600 residents within the state of Maryland and 600 residents of the
District of Columbia, notification must be provided to a prominent
media outlet serving the state of Maryland and to a prominent media
outlet serving the District of Columbia.
We also recognize that in some cases a breach may occur at a
business associate and involve the protected health information of
multiple covered entities. In that case, a covered entity involved
would only be required to provide notification to the media if the
information breached included the protected health information of 500
or more individuals located in any one State or jurisdiction. For
example, if a business associate discovers a breach affecting 800
individuals, the business associate must notify the appropriate covered
entity (or covered entities) subject to Sec. 164.410 (discussed
below). If 450 of the affected individuals are patients of one covered
entity and the remaining 350 are patients of another covered entity,
because the breach has not affected more than 500 individuals in any
one State or jurisdiction at either covered entity, there is no
obligation to provide notification to the media under this section.
Additionally, neither covered entity has the
obligation of notifying the Secretary under Sec. 164.408(b)
concurrently with notice to the affected individuals; however, both
covered entities must include this breach in their annual submission to
the Secretary pursuant to Sec. 164.408(c). In cases where the entities
involved are unable to determine which entity's protected health
information was involved, the covered entities may consider having the
business associate provide the notification to the media on behalf of
all of the covered entities.
Section 164.406(c) sets forth the content requirement for covered
entities notifying the media. In this section, we require that the
notice to the media include the same content as that required for
notification to the individual under Sec. 164.404(c). We emphasize
that this provision does not replace either direct written or
[[Page 42753]]
substitute notice to the individual under Sec. 164.404. If a covered
entity is required to provide substitute notice under Sec.
164.404(d)(2)(ii)(A) and chooses to do so through major print or
broadcast media, notification to the media under this section would
only satisfy such substitute notice if the prominent media outlet ran a
notification reasonably calculated to reach the individuals for which
substitute notice was required and included all the information
required to be provided in the individual notice, including the toll-free
number required by Sec. 164.404(d)(2)(ii)(B).
E. Notification to the Secretary--164.408
Section 164.408 of the interim final rule implements section
13402(e)(3) of the Act, which requires covered entities to notify the
Secretary of breaches of unsecured protected health information. For
breaches involving 500 or more individuals, the Act requires covered
entities to notify the Secretary immediately. For breaches involving
less than 500 individuals, the Act provides that a covered entity may
maintain a log of such breaches and annually submit such log to the
Secretary documenting the breaches occurring during the year involved.
Section 164.408(a) of the interim final rule contains the general
rule that requires a covered entity to notify the Secretary following
the discovery of a breach of unsecured protected health information.
Section 164.408(b) provides the implementation specification for
breaches involving 500 or more individuals. Section 164.408(c) provides
the implementation specification for breaches involving fewer than 500
individuals.
With respect to breaches involving 500 or more individuals, we
interpret the term ``immediately'' in the statute to require
notification be sent to the Secretary in the case of these larger
breaches concurrently with the notification sent to the individual
under Sec. 164.404, which must be sent without unreasonable delay but
in no case later than 60 calendar days following discovery of a breach.
Many commenters were concerned that covered entities would be required
to provide notification to the Secretary in a much shorter time frame
than the other notifications required by the Act, making it difficult
for covered entities to comply. This interpretation thus allows the
notice to the Secretary to include all of the information provided in
the notice to the individual and better avoids the situation where a
covered entity reports information to the Secretary that later turns
out to be incorrect because the entity did not have sufficient time to
conduct an investigation into the facts surrounding the breach. In
addition, this interpretation satisfies the statutory requirement that
notifications of larger breaches be provided to the Secretary
immediately as compared to the reports of smaller breaches the statute
allows to be reported annually to the Secretary. The interim final rule
also provides that the notification be provided in a manner to be
specified on the HHS Web site. The Department will post instructions on
its Web site for submitting both this notification as well as the
annual notification described below. In addition, as required by
section 13402(e)(4) of the Act, the Secretary will post on the HHS Web
site a list of covered entities that submit reports of breaches of
unsecured protected health information involving more than 500
individuals.
Covered entities must notify the Secretary of discovered breaches
involving 500 or more individuals in total, without regard to
whether the breach involved more than 500 residents of a particular
State or jurisdiction (the threshold for triggering notification to the
media under Sec. 164.406 of the interim final rule). Thus, where a
covered entity has discovered a breach of 600 individuals, 300 of whom
reside in Maryland and 300 of whom reside in the District of Columbia,
notification of the breach must be provided to the Secretary
concurrently with notification to the affected individuals. However,
the breach in this example would not trigger the requirement to notify
the media under Sec. 164.406 because the breach did not involve more
than 500 residents of any one State or jurisdiction.
For breaches involving less than 500 individuals, Sec. 164.408(c)
requires a covered entity to maintain a log or other documentation of
such breaches and to submit information annually to the Secretary for
breaches occurring during the preceding calendar year. As recommended
by several commenters, we have designated a date for submission of the
information to the Secretary. The interim final rule requires the
submission of this information to the Secretary no later than 60 days
after the end of each calendar year. As with notification of the larger
breaches above, the interim final rule provides that information about
breaches involving less than 500 individuals is to be provided to the
Secretary in the manner specified on the HHS Web site. HHS will specify
on its Web site the information to be submitted and how to submit such
information.
For calendar year 2009, the covered entity is only required to
submit information to the Secretary for breaches occurring after the
effective date of this regulation, i.e., on or after September 23,
2009. Information about breaches occurring prior to that date need not
be submitted. This is because, pursuant to Sec. 164.400, this subpart
only applies to breaches occurring on or after that date.
We emphasize that although covered entities need only provide
notification to the Secretary of breaches involving less than 500
individuals annually, they must still provide notification of such
breaches to affected individuals without unreasonable delay and not
later than 60 days after discovery of the breach pursuant to Sec.
164.404. In addition, we note that pursuant to Sec. 164.414(a), a
covered entity must follow the documentation requirements that
otherwise apply to the HIPAA Privacy Rule under Sec. 164.530 with
respect to the requirements of this rule. Thus, pursuant to Sec.
164.530(j)(2), covered entities must maintain the internal log or other
documentation for six years. Further, as with other required
documentation, a covered entity must make such information available to
the Secretary upon request in accordance with Sec. 160.310.
F. Notification by a Business Associate--164.410
Section 13402(b) of the Act requires a business associate of a
covered entity that accesses, maintains, retains, modifies, records,
destroys, or otherwise holds, uses, or discloses unsecured protected
health information to notify the covered entity when it discovers a
breach of such information. Section 164.410(a) implements section
13402(b) of the Act, but does not include the terms ``that accesses,
maintains, retains, modifies, records, stores, destroys, or otherwise
holds, uses, or discloses'' used in the statute to describe a business
associate's actions with respect to unsecured protected health
information because inclusion of such terms was deemed unnecessary.
Thus, following the discovery of a breach of unsecured protected
health information, a business associate is required to notify the
covered entity of the breach so that the covered entity can notify
affected individuals. We clarify that a business associate that
maintains the protected health information of multiple covered entities
need notify only the covered entity(s) to which the breached
information relates. However, in cases in which a breach involves the
[[Page 42754]]
unsecured protected health information of multiple covered entities and
it is unclear to whom the breached information relates, it may be
necessary to notify all potential affected covered entities.
We received several comments in support of adding a provision to
require business associates to provide notice to a senior official or
privacy official at the covered entity. We do not believe such a
provision is necessary, however. Covered entities and business
associates already have established business relationships and
communication channels, including with respect to privacy and security
matters. For example, the HIPAA Rules already require a business
associate contract to provide that the business associate report to the
covered entity uses or disclosures not provided by the contract as well
as security incidents of which the business associate becomes aware.
See 45 CFR 164.504(e)(2)(ii)(C) and 164.314(a)(2)(i)(C). Thus, we
believe it is appropriate to leave it up to covered entities and
business associates to determine how the required reporting should be
implemented.
Section 164.410(a)(2) implements section 13402(c) of the Act, which
provides when a breach is to be treated as discovered by the business
associate. Accordingly, Sec. 164.410(a)(2) states that a breach shall
be treated as discovered by a business associate as of the first day on
which such breach is known to the business associate or, by exercising
reasonable diligence, would have been known to the business associate.
Section 164.410(a)(2) further provides that a business associate shall
be deemed to have knowledge of a breach if the breach is known, or by
exercising reasonable diligence would have been known, to any person,
other than the person committing the breach, who is an employee,
officer, or other agent of the business associate (determined in
accordance with the federal common law of agency). As with Sec.
164.404(a)(2) with respect to a covered entity's knowledge of a breach,
we clarify in this provision that the federal common law of agency is
to control in determining who is an agent of the business associate. This
approach is consistent with the HIPAA Enforcement Rule (45 CFR part
160, subparts C through E), which provides that the federal common law
of agency applies in determining agency liability under the HIPAA
Rules. Also, as with Sec. 164.404(a)(2), we have modified the
statutory language slightly to better conform to existing language in
the HIPAA Enforcement Rule at 45 CFR 160.410, by incorporating the term
``reasonable diligence.'' We have made these clarifications for
consistency and uniformity across the regulations.
Section 164.410(b) implements section 13402(d)(1) of the Act and
provides that, with the exception provided in Sec. 164.412, a business
associate must provide notice of a breach of unsecured protected health
information to a covered entity without unreasonable delay and in no
case later than 60 days following the discovery of a breach. With
respect to breaches at the business associate, the covered entity must
provide the required notifications to affected individuals under Sec.
164.404(a) without unreasonable delay, but no later than 60 days.
If a business associate is acting as an agent of a covered entity,
then, pursuant to Sec. 164.404(a)(2), the business associate's
discovery of the breach will be imputed to the covered entity.
Accordingly, in such circumstances, the covered entity must provide
notifications under Sec. 164.404(a) based on the time the business
associate discovers the breach, not from the time the business
associate notifies the covered entity. In contrast, if the business
associate is an independent contractor of the covered entity (i.e., not
an agent), then the covered entity must provide notification based on
the time the business associate notifies the covered entity of the
breach. As reflected in the comments we received in response to the
timing of business associate notification to a covered entity following
a breach, covered entities may wish to address the timing of the
notification in their business associate contracts.
Section 164.410(c) implements the second sentence of section
13402(b) of the Act, which specifies the information that a business
associate must provide to a covered entity following a breach of
unsecured protected health information. Section 164.410(c)(1) requires
business associates, to the extent possible, to provide covered
entities with the identity of each individual whose unsecured protected
health information has been, or is reasonably believed to have been,
breached. Depending on the circumstances, business associates may
provide the covered entity with immediate notification of the breach,
as discussed above, and then follow up with the required information in
Sec. 164.410(c) when available but without unreasonable delay and
within 60 days.
Section 164.410(c)(1) departs slightly from the statutory language
by only requiring business associates to provide this information ``to
the extent possible.'' Based on some comments received, we recognize
that there may be situations in which a business associate may be
unaware of the identification of the individuals whose unsecured
protected health information was breached. For example, a business
associate that is a record storage company holds hundreds of boxes of
paper medical records on behalf of a covered entity. The business
associate discovers that several boxes are missing and is unable to
provide the covered entity with a list of the individuals whose
information has been breached. It is not our intent that the business
associate delay notification of the breach to the covered entity, when
the covered entity may be better able to identify the individuals
affected.
Further, we recognize that, depending on the circumstances
surrounding a breach of unsecured protected health information, a
business associate may be in the best position to gather the
information the covered entity is required by Sec. 164.404(c) to
include in the notification to the individual about the breach. Thus,
in addition to the identification of affected individuals, Sec.
164.410(c)(2) requires a business associate to provide the covered
entity with any other available information that the covered entity is
required to include in the notification to the individual under Sec.
164.404(c), either at the time it provides notice to the covered entity
of the breach or promptly thereafter as information becomes available.
Because we allow this information to be provided to a covered entity
after the initial notification of the breach as it becomes available, a
business associate should not delay the initial notification to the
covered entity of the breach in order to collect information needed for
the notification to the individual. To ensure the covered entity is
aware of all the available facts surrounding a breach, we also note
that a business associate should provide this information even if it
becomes available after notifications have been sent to affected
individuals or after the 60-day period specified in Sec. 164.410(b)
has elapsed.
In response to a significant number of commenters who expressed
concern that this requirement would prevent covered entities and their
business associates from addressing these issues in their business
associate contracts, we emphasize that we do not intend for this
section to interfere with the current relationship between covered
entities and their business associates. Business associates and covered
entities will continue to have the flexibility to set forth specific
obligations for each party, such as who will provide notice to
individuals and when the notification from the business associate to
the
[[Page 42755]]
covered entity will be required, following a breach of unsecured
protected health information, so long as all required notifications are
provided and the other requirements of the interim final rule are met.
We encourage the parties to consider which entity is in the best
position to provide notice to the individual, which may depend on
circumstances, such as the functions the business associate performs on
behalf of the covered entity and which entity has the relationship with
the individual. We also encourage the parties to ensure the individual
does not receive notifications from both the covered entity and the
business associate about the same breach, which may be confusing to the
individual.
Finally, we note that where an entity provides PHRs to customers of
a HIPAA covered entity through a business associate arrangement but
also provides PHRs directly to the public and a breach of its records
occurs, in certain cases, as described in its rule, the FTC will deem
compliance with certain provisions of HHS' rule as compliance with
FTC's rule. In particular, in such situations, it may be appropriate
for the vendor to provide the same breach notice to all its PHR
customers since it has a direct relationship with all the affected
individuals. Thus, in those limited circumstances where a vendor of
PHRs (1) provides notice to individuals on behalf of a HIPAA covered
entity, (2) has dealt directly with these individuals in managing their
personal health record accounts, and (3) provides notice to its
customers at the same time, the FTC will deem compliance with HHS
requirements governing the timing, method, and content of notice to be
compliance with the corresponding FTC rule provisions.\11\
---------------------------------------------------------------------------
\11\ We note, however, that with respect to the customers to
whom it provides PHRs directly, the vendor must comply with all
other FTC rule requirements, including the requirement to notify the
FTC within ten business days after discovering the breach.
---------------------------------------------------------------------------
G. Law Enforcement Delay--164.412
Section 13402(g) of the Act provides that if a law enforcement
official determines that a notification, notice, or posting required
under this section would impede a criminal investigation or cause
damage to national security, such notification, notice, or posting
shall be delayed in the same manner as provided under 45 CFR
164.528(a)(2) of the Privacy Rule in the case of a disclosure covered
under such section. Section 164.412 implements section 13402(g) of the
Act and thus, requires a covered entity or business associate to
temporarily delay notification under Sec. Sec. 164.404, 164.406,
164.408, and 164.410 if instructed to do so by a law enforcement
official.
We retain the definition of ``law enforcement official'' currently
used in the Privacy Rule at Sec. 164.501, which defines such person as
``an officer or employee of any state agency or authority of the United
States, a State, a territory, a political subdivision of a State or
territory, or an Indian tribe, who is empowered by law to: (1)
Investigate or conduct an official inquiry into a potential violation
of law; or (2) prosecute or otherwise conduct a criminal, civil, or
administrative proceeding arising from an alleged violation of law.''
However, in this interim final rule, we move the definition up to Sec.
164.103 so that it will apply to this subpart D as well as continue to
apply to subpart E (Privacy Rule).
Section 164.412(a), which is based on the requirements of 45 CFR
164.528(a)(2)(i) of the Privacy Rule, provides for a temporary delay of
notification in situations in which a law enforcement official provides
a statement in writing that the delay is necessary because notification
would impede a criminal investigation or cause damage to national
security, and specifies the time for which a delay is required. In
these instances, the covered entity is required to delay the
notification, notice, or posting for the time period specified by the
official.
Similarly, Sec. 164.412(b), which is based on 45 CFR
164.528(a)(2)(ii) of the Privacy Rule, requires a covered entity or
business associate to temporarily delay a notification, notice, or
posting if a law enforcement official states orally that a notification
would impede a criminal investigation or cause damage to national
security. However, in this case, the covered entity or business
associate is required to document the statement and the identity of the
official and delay notification for no longer than 30 days, unless a
written statement meeting the above requirements is provided during
that time. We interpret these provisions as tolling the time within
which notification is required under Sec. Sec. 164.404, 164.406,
164.408, and 164.410, as applicable.
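The threshold and timing rules in Secs. 164.404 through 164.412 above combine into a small decision procedure that an incident response team can encode. The following Python is a worked example added for this page; it is not HHS or OCR code, and the Breach record, its field names, the convenience constructor and all sample counts are constructed for the illustration. It applies the thresholds the way the preamble's own examples apply them: notice to prominent media when more than 500 residents of any one State or jurisdiction are affected (Sec. 164.406), concurrent notice to the Secretary when 500 or more individuals are affected in total (Sec. 164.408(b)) and the annual log otherwise (Sec. 164.408(c)), the agent versus independent-contractor discovery rule (Secs. 164.404(a)(2) and 164.410), the effective date at Sec. 164.400, and tolling for a written or oral law enforcement request (Sec. 164.412). Counting the Secretary threshold per covered entity (as in the 450/350 example) and applying tolling only to the 60-day windows are this example's assumptions, not readings of the rule. The record models the business associate case; for a breach the covered entity discovers itself, both discovery fields would hold its own discovery date.

```python
"""Decision helper for the notification obligations described in the preamble to
45 CFR 164.404 through 164.412.  Added illustration written for this page, not HHS
or OCR code; the Breach record, its field names and all sample counts are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

EFFECTIVE_DATE = date(2009, 9, 23)  # Sec. 164.400: subpart D applies to breaches on or after this date
NOTICE_WINDOW_DAYS = 60             # Secs. 164.404, 164.406, 164.408(b), 164.410(b): no later than 60 calendar days
ANNUAL_LOG_GRACE_DAYS = 60          # Sec. 164.408(c): log due no later than 60 days after the calendar year ends
MEDIA_RESIDENTS = 500               # Sec. 164.406: media notice when MORE THAN 500 residents of one State/jurisdiction
SECRETARY_CONCURRENT = 500          # Sec. 164.408(b): concurrent notice when 500 OR MORE individuals in total
ORAL_DELAY_CAP_DAYS = 30            # Sec. 164.412(b): an oral law enforcement request tolls at most 30 days


@dataclass
class LawEnforcementDelay:
    written: bool  # written statement specifying the period (164.412(a)) or oral statement (164.412(b))
    days: int      # period the official asked for


def tolled_days(delay: Optional[LawEnforcementDelay]) -> int:
    """Days by which the 60-day clocks are tolled under Sec. 164.412."""
    if delay is None:
        return 0
    if delay.written:
        return delay.days
    return min(delay.days, ORAL_DELAY_CAP_DAYS)  # oral: no longer than 30 days unless a written statement follows


@dataclass
class Breach:
    occurred: date
    ba_discovered: date   # first day the business associate knew, or with reasonable diligence would have known
    ba_notified_ce: date  # day the business associate notified the covered entity (Sec. 164.410(b))
    ba_is_agent: bool     # agent under the federal common law of agency?
    affected: Dict[str, Dict[str, int]]  # covered entity -> State or jurisdiction -> affected residents
    le_delay: Optional[LawEnforcementDelay] = None


def breach_from_iso(occurred: str, ba_discovered: str, ba_notified_ce: str, ba_is_agent: bool,
                    affected: Dict[str, Dict[str, int]], le_written: Optional[bool] = None,
                    le_days: int = 0) -> Breach:
    """Convenience constructor taking ISO dates; le_written=None means no law enforcement request."""
    delay = None if le_written is None else LawEnforcementDelay(le_written, le_days)
    return Breach(date.fromisoformat(occurred), date.fromisoformat(ba_discovered),
                  date.fromisoformat(ba_notified_ce), ba_is_agent, affected, delay)


def ce_discovery_date(b: Breach) -> date:
    """Sec. 164.404(a)(2): an agent's discovery is imputed to the covered entity; for an
    independent contractor the covered entity's clock starts when the contractor notifies it."""
    return b.ba_discovered if b.ba_is_agent else b.ba_notified_ce


def media_notice_areas(counts: Dict[str, int]) -> List[str]:
    """Sec. 164.406: a prominent outlet in each State or jurisdiction with more than 500 affected residents."""
    return sorted(area for area, n in counts.items() if n > MEDIA_RESIDENTS)


def secretary_route(total: int) -> str:
    """Sec. 164.408(b) versus (c): concurrent notice to the Secretary or the annual log."""
    return "concurrent" if total >= SECRETARY_CONCURRENT else "annual_log"


def obligations(b: Breach) -> Dict[str, dict]:
    """Per covered entity: individual-notice deadline, media areas, and the Secretary route and deadline."""
    if b.occurred < EFFECTIVE_DATE:
        return {}  # subpart D does not apply to breaches before the effective date (Sec. 164.400)
    discovery = ce_discovery_date(b)
    deadline = discovery + timedelta(days=NOTICE_WINDOW_DAYS + tolled_days(b.le_delay))
    # The annual log covers breaches occurring in the preceding calendar year.  Tolling is applied
    # only to the 60-day windows here; that is an assumption of this example, not a reading of the rule.
    log_due = date(b.occurred.year, 12, 31) + timedelta(days=ANNUAL_LOG_GRACE_DAYS)
    result = {}
    for ce, counts in b.affected.items():
        route = secretary_route(sum(counts.values()))  # counted per covered entity, as in the 450/350 example
        result[ce] = {
            "individual_notice_by": deadline,
            "media": media_notice_areas(counts),
            "secretary": route,
            "secretary_by": deadline if route == "concurrent" else log_due,
        }
    return result


if __name__ == "__main__":
    # The preamble's Virginia/Maryland/District of Columbia split: Secretary concurrently, no media notice.
    split = breach_from_iso("2009-10-01", "2009-10-05", "2009-10-12", True,
                            {"Hospital A": {"VA": 200, "MD": 200, "DC": 200}})
    print(obligations(split))
```

Run as a script, the module prints the preamble's Virginia/Maryland/District of Columbia example: no media notice, but concurrent notice to the Secretary within the same 60-day window as the individual notices. Which outlet counts as prominent within each listed State or jurisdiction remains a judgment the code does not make, and the date arithmetic assumes a single law enforcement request rather than an oral request later confirmed in writing.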
H. Administrative Requirements and Burden of Proof--164.414
Section 164.414(a) requires covered entities to comply with the
administrative requirements of Sec. 164.530(b), (d), (e), (g), (h),
(i), and (j) of the Privacy Rule with respect to the breach
notification provisions of this subpart. These provisions, for example,
require covered entities and business associates to develop and
document policies and procedures, train workforce members on and have
sanctions for failure to comply with these policies and procedures,
permit individuals to file complaints regarding these policies and
procedures or a failure to comply with them, and require covered
entities to refrain from intimidating or retaliatory acts. Thus, a
covered entity is required to consider and incorporate the requirements
of this subpart with respect to its administrative compliance and other
obligations. In addition to Sec. 164.414(a), to make clear that these
provisions apply to this subpart as well as subpart E, we have made
conforming modifications in each of the above sections of the Privacy
Rule to include a reference to this subpart D.
Consistent with section 13402(d)(2) of the Act, Sec. 164.414(b)
provides that, following an impermissible use or disclosure under the
Privacy Rule, covered entities and business associates have the burden
of demonstrating that all notifications were made as required by this
subpart. Additionally, as part of demonstrating that all required
notifications were made, we clarify in the regulatory text that a
covered entity or business associate, as applicable, also must be able
to demonstrate that an impermissible use or disclosure did not
constitute a breach, as such term is defined at Sec. 164.402, in cases
where the covered entity or business associate determined that
notifications were not required. We also make conforming changes to
Sec. 160.534 of the HIPAA Enforcement Rule to make clear that, during
any administrative hearing, the covered entity has the burden of going
forward and the burden of persuasion with respect to these issues.
Thus, when a covered entity or business associate knows of an
impermissible use or disclosure of protected health information, it
should maintain documentation that all required notifications were
made, or, alternatively, of its risk assessment (discussed above in
Sec. 164.402) or the application of any exceptions to the definition
of ``breach'' to demonstrate that notification was not required.
I. Other Conforming Changes to the HIPAA Rules
In addition to the conforming modifications discussed above, we
make the following changes to align the HIPAA Rules in light of the new
breach notification requirements of this rule. First, we revise the
statutory basis and purpose sections at Sec. Sec. 160.101 and 164.102
to include references to section 13402 of the Act. Second, in Part 160,
for purposes of the preemption of State
[[Page 42756]]
law, we amend Sec. 160.202 to revise the definition of ``contrary'' to
include a reference to section 13402 of the Act. (See below for a
discussion of preemption and these new requirements.) Finally, in Part
164, subpart C, which contains the HIPAA Security Rule requirements, we
revise the definition of ``access'' in Sec. 164.304 to make clear that
the definition does not apply to any use of the term in subpart D.
J. Preemption
We received several public comments regarding the issue of
preemption and the interaction between this regulation and state breach
notification laws. HIPAA (Pub. L. 104-191) added section 1178 of the
Social Security Act, 42 U.S.C. 1320d-7, which sets forth the general
effect of the HIPAA provisions on State law. Section 1178 provides that
HIPAA administrative simplification provisions generally preempt
conflicting State law. This section of the statute is implemented by 45
CFR 160.203, which states that a standard, requirement, or
implementation specification that is adopted as regulation at 45 CFR
parts 160, 162, or 164 and that is ``contrary to a provision of State
law preempts the provision of State law.'' Section 160.203 provides
several exceptions in which State law will not be preempted; however,
we do not believe these exceptions apply to the breach notification
regulations in 45 CFR part 164 subpart D.\12\ Therefore, contrary State
law will be preempted by these breach notification regulations. We
solicit comment in this area.
---------------------------------------------------------------------------
\12\ We do not interpret the preemption exception at Sec.
160.203(b), which addresses more stringent State law related to
privacy, as applying to these breach notification provisions because
that paragraph only applies to the provisions of the Privacy Rule
promulgated under section 264(c) of the HIPAA statute. See section
264(c)(2) of HIPAA.
---------------------------------------------------------------------------
Whether a State law is contrary to these breach notification
regulations is to be determined based on the definition of ``contrary''
at Sec. 160.202. A State law is contrary if ``a covered entity could
find it impossible to comply with both the State and federal
requirements'' or if the State law ``stands as an obstacle to the
accomplishment and execution of the full purposes and objectives'' of
the breach notification provisions in the Act. As discussed above, we
make a conforming change to paragraph (2) of the definition of
``contrary'' in this section to incorporate reference to the breach
notification provisions at section 13402 of the Act. Therefore, covered
entities will need to analyze relevant State laws with respect to this
regulation to understand the interaction and apply this preemption
standard appropriately.
Although we received many comments concerning perceived conflicts
between the interaction of State laws and these breach notification
provisions, based on the ``contrary'' standard for preemption, in
general we believe that covered entities can comply with both the
applicable State laws and this regulation. In addition, based on the
comments received, we believe that, in most cases, a single
notification can satisfy the notification requirements under State laws
and this regulation. For example, if a state breach notification law
requires notification to be sent to the individual within five days
following the detection of a breach, a covered entity that sends that
notice within five days to comply with State law will also be in
compliance with this regulation, as the covered entity must send the
notification ``without unreasonable delay and in no case later than 60
calendar days after the discovery of a breach.'' If covered entities do
not have all the information required by this regulation available to
them within five days, they may send the individual an additional
notification when they have accumulated the appropriate information.
Likewise, if a State law requires a breach notification but
requires additional elements be included in the notice, or requires
that certain elements be described in a certain way, there is no
conflict between the State law and this regulation. As the Act and
interim final rule are flexible in terms of how the elements are to be
described, and do not prohibit additional elements from being included
in the notice, covered entities can develop a notice that satisfies
both laws.
K. Effective/Compliance Date
Section 13402(j) of the Act states that section 13402 applies to
breaches that are discovered by a covered entity or business associate
on or after 30 calendar days from the date of publication of this
interim final rule. Commenters expressed concern that this effective
date did not allow enough time for covered entities to implement the
guidance for rendering protected health information unusable,
unreadable, or indecipherable to unauthorized individuals or have
systems in place to comply with the requirements of the rule and
suggested that compliance with these breach notification provisions not
be required in 30 days.
In response, we note that the guidance on securing protected health
information is not mandatory; it is discretionary. Accordingly, a
covered entity or business associate will not be out of compliance with
this subpart if, after the date set forth at Sec. 164.400, the entity
maintains unsecured protected health information. We recognize, though,
that many covered entities and business associates are voluntarily
choosing to secure their protected health information in accordance
with the guidance in order to avoid the possibility of having to
provide breach notifications pursuant to this subpart. We encourage
covered entities and business associates to take such an approach--
securing their protected health information--and understand that the
process may take more than 30 days from the publication of this interim
final rule.
We also recognize that it will take covered entities and business
associates time to implement the processes and procedures necessary to
comply with this subpart. For example, once compliance with this
subpart is required, a covered entity or business associate will be
held accountable for breaches that, through the exercise of reasonable
diligence, would have been known to the entity. This means that a
covered entity or business associate must have reasonable systems in
place to detect breaches. Putting such systems in place may take some
time.
On the other hand, the majority of states already have breach
notification laws in place. While this interim final rule differs from
any such State laws, we believe that most covered entities or business
associates should already have some form of breach notification
procedures in place. Those covered entities and business associates
should be able to build upon such existing procedures in order to come
into compliance with this interim final rule.
We have decided that, consistent with section 13402(j) of the Act,
the provisions of this subpart are effective, and compliance is
required, for breaches occurring on or after 30 calendar days from the
publication of this rule. However, based on the concerns described
above, and based on some ambiguity within the statute,\13\ we will
[[Page 42757]]
use our enforcement discretion to not impose sanctions for failure to
provide the required notifications for breaches that are discovered
before 180 calendar days from the publication of this rule, or February
22, 2010. During this initial time period--after this rule has taken
effect but before we are imposing sanctions--we expect covered entities
to comply with this subpart and will work with covered entities,
through technical assistance and voluntary corrective action, to
achieve compliance.
---------------------------------------------------------------------------
\13\ While section 13402(j) of the HITECH Act provides that
section 13402 becomes effective 30 calendar days after publication
of this interim final rule, it is section 13410(a)(2) that provides
the Department with authority to impose civil money penalties,
pursuant to Sec. 1176 of the Social Security Act (42 U.S.C. 1320d-
5), on violations by covered entities of the requirements imposed by
the HITECH Act, including those of section 13402. Moreover,
authority to impose civil money penalties on business associates for
violations of the HITECH Act is provided by sections 13401(b) and
13404(c). Sections 13410(a)(2), 13401(b), and 13404(c) do not become
effective until February 18, 2010 (see section 13423 of the Act).
Thus, there is a statutory ambiguity due to the HITECH Act providing
an effective date of 30 days from publication of this rule, but a
later date for when the Department may impose civil money penalties
for violations of section 13402.
---------------------------------------------------------------------------
V. Impact Statement and Other Required Analyses
A. Introduction
Section 13402 of the Act prescribes in specific terms the
obligations and responsibilities on HIPAA covered entities to notify an
affected individual when a breach of his or her unsecured protected
health information occurs, to notify the Secretary, to notify the media
in certain circumstances, and for business associates to notify covered
entities of such breaches. In most instances, the interim final
regulation adheres and conforms to the language of the statute in
defining terms and in prescribing remedies. The rule tracks the
language of the statute with regard to the actions covered entities
must take to notify an affected individual when a reportable breach
occurs, the time frame in which the covered entity must act, the mode
of communicating with an affected individual and the content of the
notice.
The prescriptive language of the statute leaves little discretion
for the Secretary in how to implement the statute. Measures we have
taken to modify the statutory language are minimal and were undertaken
to make certain terms used in the statute conform to other parts of the
HIPAA Rules. We also clarify when a breach of protected health
information compromises the security or privacy of such information.
Yet, because the statutory language is so detailed and specific as to
the requirements and definitions placed on covered entities, and
because we have endeavored to follow the statutory language as closely
as possible, we believe that, in large measure, the economic burden
imposed on covered entities results from the statute and not from the
interim final regulation.
We have examined the impacts of this rule as required by Executive
Order 12866 on Regulatory Planning and Review (September 30, 1993, as
further amended), the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et
seq.), section 202 of the Unfunded Mandates Reform Act of 1995 (2
U.S.C. 1532), Executive Order 13132 on Federalism (August 4, 1999), and
the Congressional Review Act (5 U.S.C. 804(2)).
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). A regulatory impact
analysis (RIA) must be prepared for major rules with economically
significant effects ($100 million or more in any one year). This
interim final rule is not an economically significant rule because we
estimate that the breach notification requirements are not expected to
cost more than $100 million per year. Nevertheless, because of the
public interest in this rule, we have prepared an RIA that to the best
of our ability presents the costs and benefits of the proposed rule. We
request comments on the economic analysis provided in this proposed
rule.
The RFA requires agencies to analyze options for regulatory relief
of small businesses if a rule has a significant impact on a substantial
number of small entities. The scope of the interim final rule will
apply to all HIPAA covered entities and their business associates.
Based on U.S. business census data provided to the Small Business
Administration Office of Advocacy there were 605,845 entities
classified under the North American Industrial Classification System
(NAICS) 62. Code 62 encompasses physicians, dentists, ambulatory care
centers, kidney dialysis centers, family planning clinics, home care
services, mental health and drug rehabilitation centers, medical
laboratories, hospitals and nursing facilities. In addition, based on
data from the Centers for Medicare & Medicaid Services, we estimate
that there are 107,567 suppliers of durable medical equipment and
prosthetics. Almost all of these health providers fall under the RFA's
definition of a small entity by either meeting the Small Business
Administration's (SBA's) size standard of a small business or by being
a non-dominant nonprofit organization. The SBA's size standard for
NAICS 62 ranges between $7 million and $34.5 million in annual
receipts. Also covered under HIPAA are health insurance firms and third
party administrators (NAICS codes 524114 and 524292). The 2006 business
census data show that there are 1,045 insurance firms and 3,522 third
party administrators. Of the combined total of health insurance firms
and third party administrators, we estimate that approximately 71
percent, or 3,266, meet the SBA's definition of a small entity of
annual receipts of $7 million or less. Pharmacies are also considered
covered entities under HIPAA (NAICS code 44611) and based on the 2007
National Association of Chain Drug Stores Industry Profile
approximately 17,500 independent pharmacy drugstores meet the SBA
definition of a small business of $7 million or less in annual
receipts. For more information on SBA's size standards, see the Small
Business Administration's Web site at http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf.
Although the RFA only requires an initial regulatory flexibility
analysis (IRFA) when an agency issues a proposed rule, the Department
has a policy of voluntarily conducting an IRFA for interim final
regulations. We examine the burden of the interim final regulation in
section D below.
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any one year of
$100 million in 1995 dollars, updated annually for inflation. In 2009,
that threshold is approximately $133 million. This rule will not impose
an unfunded mandate on States, tribal government or the private sector
of more than $133 million annually.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct costs of compliance on
State and local governments, preempts State law, or otherwise has
Federalism implications. Section 13421(a) of the Act expressly provides
that provisions or requirements of subtitle D of the Act, which
includes the provisions requiring breach notification, shall preempt
State law in the same respect that the HIPAA Rules preempt State law
pursuant to section 1178 of the Social Security Act. Accordingly, this
rule expressly adopts the preemption provisions that are applicable to
the HIPAA Rules and as discussed in Section IV.J. Preemption above.
B. Why Is This Rule Needed?
This regulation is required to implement section 13402 of the Act.
The purpose of the statute is to establish a uniform requirement on all
HIPAA
[[Page 42758]]
covered entities to inform individuals of when the individual's
unsecured protected health information has been improperly used or
disclosed and the result of the improper use or disclosure may lead to
financial damage, harm to the individual's reputation, or other harm.
Without the statutory requirement for notifying an individual of data
breaches, it would be left to the entity to decide whether to notify an
affected individual or the decision would be subject to significantly
varying State laws (which are generally focused on breaches of
financial information rather than health information).
Because notification requires expenditures and exposes the covered
entity to loss of business and possible legal action, there is little
incentive for the entity to take such action. While individuals whose
protected health information was improperly accessed would be
forewarned and as a result of being notified, could take action to
mitigate financial or personal harm, they may not continue to patronize
the entity which notifies them. If alternative providers in the
individual's community offer similar services, the individual may take
their business to one of the alternative entities. Moreover, if other
individuals, not directly affected by the breach, learn of the event,
they too may seek services from other providers out of fear that their
protected health information may be improperly accessed. The Ponemon
Institute, LLC report of February 2009, ``2008 Annual Study: Cost of a
Data Breach'' estimates that 69 percent of the cost of a data breach is
the result of lost business (see page 4). The study identifies the
health care industry as experiencing the highest customer turnover rate
directly attributable to data breaches of protected health information.
Moreover, since a health care provider is unlikely to suffer
financially from the direct loss of protected health information, there
is little incentive for the covered entity to notify affected
individuals.
In such situations, the covered entity may perceive that it is more
beneficial to not disclose breaches. The possibility of lawsuits
arising out of a lack of response to the breach represents a risk but
one which is uncertain and lies in the future. This compares to the
more imminent and certain risk of loss of business if the entity
discloses the breach.
By imposing a duty on all covered entities to notify affected
individuals of breaches of protected health information, the statute
and the interim final regulation place a similar burden on all covered
entities to notify affected individuals and run the same risk of losing
business as a result of notification. Moreover, requiring breach
notification creates an incentive on all covered entities to invest in
data security improvements in efforts to minimize the possibility of
reportable data breaches.
At the same time that the statute and interim final regulation
create the incentive to minimize breaches of protected health
information, in the event that a breach occurs, the affected individual
will be notified and thereby be given an opportunity to mitigate any
harm that may result from the breach.
C. Costs and Benefits
1. Summary of Costs and Benefits
Throughout the following analysis we invite comments on specific
portions of our analysis. The public, however, is invited to offer
comments on any and all elements of the analysis and the assumptions
underlying the analysis.
Costs: In the analysis that follows, we applied the provisions of
the interim final regulation to the dataset of data breaches found at
DataLossdb.org. The database shows, among other things, the name of the
organization and the type of business, such as finance, medical,
government, education, or business. The field called ``Total Affected''
shows a count of either records or individuals affected by the breach.
Without examining the source reports of the breach, we do not know
which is being reported. For these purposes, we will take the more
conservative approach and assume that the count is of individuals. We
acknowledge the possibility that an individual may have more than one
record housed at a provider, especially if the provider is a multi-unit
facility. An individual may have separate inpatient, outpatient, and
clinic records. Thus, a major breach could involve more than one record
per breach, and to the extent that this is the case, we may overstate
the costs, which we believe is preferable to understating them.
The data we selected covers calendar year 2008 and includes the
subset of breaches from medical firms or containing medical
information. Our analysis, thus, not only includes HIPAA covered
entities found in the dataset but may include business associates of
HIPAA covered entities. In addition, the data may include breaches of
health information that State agencies may hold such as Medicaid State
agencies that also serve as health plans and are also HIPAA covered
entities. Table 1 presents the estimated costs of the interim final
rule based on 2008 breaches presented in the DataLossdb.org tables.
Upon examining the distribution of affected individuals and records
for 2008, we identified one breach involving 2.2 million individuals.
The incident occurred at a major university hospital system and
involved the theft of backup tapes that were being transported to
storage. The next highest breach affected 344,482 individuals.
Including the outlier breach in our analysis, we believe, would
significantly skew the analysis. Removing this case produces a more
homogeneous distribution of affected individuals and improves the
reliability of the analysis. Removing the outlier reduced the number of
affected individuals from 5,087,032 to 2,887,032.
Although the type of data breach that occurred in 2008 was not
unusual, the number of persons affected was six times greater than the
next highest breach and the number of individuals affected is far from
the average number for the year. In 2007, a State mental health agency
reported the loss of records affecting 2.9 million individuals
resulting from the agency's data processor's negligence. The next
largest breach in 2007 involved 375,000 individuals and represents one
eighth the number of individuals in the mental health agency breach.
Without doubt, breaches of the magnitude we see in the university
hospital and State mental health breaches are a serious concern to the
Department. Excluding such disproportionately large breaches from the
cost analysis should not be construed as a lack of interest or concern
in the security of protected health information at these institutions.
We could have included the university hospital breach in our 2008
analysis, but it is clear that the incident does not represent the
average or typical case. Since our purpose is to present and illustrate
the costs of an average breach, we believe that the inclusion of the
one unusually large breach in 2008 would skew the results and present a
distorted picture of the level of costs that a typical covered entity
could expect.
In reviewing the following analysis, one must keep in mind that we
are able to capture only breaches that are either reported to the
DataLoss database or are reported in the media. We suspect that some
percent of breaches in the healthcare sector as well as in other
sectors of the economy go unreported either because they are not
detected or because, in the opinion of the entity, no harm was done. We
cannot determine if the ``no harm'' type of unreported breach would
meet the harm threshold
[[Page 42759]]
in Sec. 164.402 of the interim final rule for a reportable breach. If
some or all of such breaches reach the harm threshold for a breach, as
defined in the interim final rule, then the analysis understates the
cost of the rule to the degree that these breaches are not included in
our analysis.
Table 1 shows the costs of the provisions of the interim final
rule. We also present the costs required for investigating breaches and
the amount of time we anticipate individuals will spend calling the
toll-free number. The total cost estimated for the rule is $17 million
based on the number of breaches and the number of affected individuals.
Table 1--Summary of Compliance Cost for Notifying Affected Individuals *
----------------------------------------------------------------------------------------------------------------
Cost elements                     Number of   Number of affected   Cost/breach   Cost/affected   Cost
                                  breaches    individuals                        individuals
----------------------------------------------------------------------------------------------------------------
E-mail and 1st Class Mail.......     106       2,888,804            $12,986       $0.477          1,376,528
Alternative Notices Media Notice      70       2,888,804                487        0.012             34,080
Toll-Free Number................      70       2,888,804            117,676        2.851          8,237,309
Imputed cost to affected
  individuals...................      70       2,888,804            103,172        2.500          7,222,010
Notice to Media Breach 500+.....      56       2,887,032                 75        0.001              4,200
Report to the Secretary.........      56       2,887,032                 75        0.001              4,200
Investigation Costs:
  Under 500.....................      50           1,772                400       11                 20,000
  Over 500......................      56       2,887,032              2,211        0.043            123,800
Annual Report to the Secretary..     106       2,888,804                 30        0.001              3,180
----------------------------------------------------------------------------------------------------------------
TOTAL COST......................  ..........  ..............        160,616        5.89          17,025,306
----------------------------------------------------------------------------------------------------------------
* Source: http://www.datalossdb.org.
Our cost impact for HIPAA covered entities of approximately $17
million is approximately 350 percent of the FTC cost estimate for non-
HIPAA covered entities. The FTC estimate was based on requiring toll-
free lines for six months. Their final rule requires toll-free lines
for only three months, as does this rule. This should reduce the FTC
estimated costs by approximately half to about $5 million; about 30
percent of our cost estimate for HIPAA covered entities of $17 million.
Benefits: Notifying individuals of a breach of their personal
health information as close in time to the breach can benefit the
individuals directly affected, as well as other entities such as credit
card companies and credit agencies. We found little information showing
the monetary benefits of medical data notification, but one study \14\
presents evidence to show that the sooner affected individuals learn of
their personal financial information being compromised, the lower the
risk of financial loss to the individual.
---------------------------------------------------------------------------
\14\ ``Toward a Rational Personal Data Breach Notification
Regime,'' by Michael Turner: Information Policy Institute, June,
2006.
---------------------------------------------------------------------------
We did not find any information regarding the benefits of
notification of breached medical information. However, early
notification of the breach of sensitive medical information may help an
affected individual mitigate the embarrassment that exposure of
sensitive medical information may cause. Notification may permit an
individual to intervene sooner rather than later to forestall the
harmful effects of damaging information. As suggested above, perhaps
the greatest benefit of improved data security accrues to the HIPAA
entity. We believe the cost of notifying affected individuals and loss
of business that may result from a breach of protected health
information provide strong incentives for the entity to improve its
data security so as to prevent future breaches.
2. Costs
In this analysis we rely entirely on historical data from 2008 for
estimating the costs of the interim final rule. We could have attempted
to project future costs but two factors argued against such an effort.
First, the DataLossdb dataset provides only four years of reasonably
good data going back to 2005. Although, in theory, we could use the
four data points to establish a trend, it is not clear whether the
trend presented for the four years represents a trend in the number of
breaches reported, or a trend in the reporting of breaches. In the
first instance, the growth in data breaches would be the result of a
real growth in the number of breaches. If this were the case, we would
have confidence that the data represented a real trend. In the latter
case, however, the growth in the number of breaches may simply reflect
a growth in the reporting of breaches rather than an actual growth in
the number of breaches. Under these circumstances, projecting a future
trend would lead us to erroneous conclusions. More likely, the changes
we see from year to year are a combination of both phenomena, which
still leaves us with the problem of discerning the real change in
breaches from the growth in reporting breaches. Therefore, we decided
to base our estimates on the latest and most complete year of data
available.
The second factor is the Department's implementation of the ARRA
provisions regarding health information and privacy. Implementation of
incentive payments to health care providers and the issuance of health
IT standards provided in the ARRA are likely to stimulate adoption of
health IT systems; and with growth in IT adoption, one may expect the
number of data breaches of protected health information to increase.
At the same time, the Department is taking steps to ensure greater
protection of protected health information, for example, by
promulgating this interim final rule along with the encryption guidance
that the Department issued on April 17, 2009. In the event that
protected health information is compromised, affected individuals will
be notified of breaches.
As a result of the efforts to both stimulate growth in the adoption
of health IT (and the implications that has for increased risk of data
breaches) and the countervailing efforts to reduce the incidences of
breaches by encrypting records, we believe that at the present time
there is no reasonable way to forecast the net effects of both the
change in costs or number of breaches that are likely to occur.
Nevertheless, to the extent that the rate of adoption of encryption
technology outpaces health IT adoption, we can predict fewer
[[Page 42760]]
reportable breaches under this rule. Given the state of flux, however,
we believe the most prudent analysis is to simply rely on the
historical data at hand.
a. Affected Entities
Section 13402 of the Act applies to HIPAA covered entities that are
health care providers, health plans, or clearinghouses and their
business associates that access, maintain, retain, modify, record,
store, destroy, or otherwise hold, use, or disclose unsecured protected
health information. Based on 2006 data from the Office of Advocacy,
Small Business Administration there are 605,845 health care entities,
4,567 health insurance plans and third party administrators. The
Centers for Medicare & Medicaid Services report 107,567 durable medical
equipment and prosthetic suppliers, and the National Association of
Chain Drug Stores reports 88,396 pharmacies. In addition, we estimate
that each covered entity has contractual arrangements with three
business associates as defined under our regulations at 45 CFR 160.103.
It should be noted, however, that many of the same business associates
contract or have arrangements with many different HIPAA covered
entities. To the extent that this occurs, the total number of business
associates will be overstated. Since we do not know the extent of
duplication among business associates, we cannot estimate the number of
business associates affected by this rule. However, we can estimate
that approximately 0.9 million HIPAA covered entities will be subject
to the interim final rule. Table 2 presents the number of HIPAA covered
entities. However, as noted, only the number of HIPAA covered entities
is well established. It is possible the number of affected business
associates could be small if a few firms contracted with many HIPAA
entities. In any event, we need not speculate about this relationship
as our cost estimate is not based on the number of affected entities.
Instead, it is based on a unique database of breaches and affected
individuals as described below.
Table 2--Number of HIPAA Covered Entities by NAICS Code \1\
------------------------------------------------------------------------
NAICS code      Providers/suppliers                        Number of entities
------------------------------------------------------------------------
622.........    Hospitals (General Medical and Surgical,          4,060
                Psychiatric and Drug and Alcohol Treatment,
                Other Specialty).
623.........    Nursing Facilities (Nursing care facilities,     34,400
                Residential mental retardation, mental health
                and substance abuse facilities, Residential
                mental retardation facilities, Residential
                mental health and substance abuse facilities,
                Community care facilities for the elderly,
                Continuing care retirement communities).
6211-6213...    Offices of MDs (DOs, Mental health, Dentists,   419,286
                Practitioners, PT, OT, ST, Audiologists).
6214........    Outpatient Care Centers (Family Planning         13,962
                Centers, Outpatient Mental Health and Drug
                Abuse Centers, Other Outpatient Health
                Centers, HMO Medical Centers, Kidney Dialysis
                Centers, Freestanding Ambulatory Surgical and
                Emergency Centers, All Other Outpatient Care
                Centers).
6215........    Medical Diagnostic and Imaging Services.          7,879
6216........    Home Health Services.                            15,329
6219........    Other Ambulatory Care Services (Ambulance and     5,879
                Other).
n/a.........    Durable Medical Equipment Suppliers \2\.        107,567
4611........    Pharmacies \3\.                                  88,396
524114......    Health Insurance Carriers.                        1,045
524292......    Third Party Administrators.                       3,522
------------------------------------------------------------------------
\1\ Office of Advocacy, Small Business Administration http://www.sba.gov/advo/research/data.html.
\2\ Centers for Medicare and Medicaid Services.
\3\ The Chain Pharmacy Industry http://www.nacds.org/wmspage.cfm?parm1=507.
Healthcare clearinghouses are also considered covered entities. In
the final rule implementing the 5010 standard published in the Federal
Register on January 16, 2009 (74 FR 3318), we estimated that 162
clearinghouses will be affected by the interim final rule.
b. How Many Breaches Will Require Notification?
(1) What Is a Breach of Protected Health Information?
The interim final rule at Sec. 164.402 defines a breach as an
event that ``compromises the security or privacy of the protected
health information,'' which means that it poses a significant risk of
financial, reputational, or other harm to the individual. Events such
as hacking into a database to steal protected health information would
clearly constitute a breach of protected health information. Other
events, however, such as a hospital inadvertently posting protected
health information on a Web site, or the office staff mailing a medical
report to the wrong patient, may constitute a breach. In the case of
posting information on a facility's Web site or mailing the wrong
report, the entity responsible for the inappropriate release of
protected health information may not have to notify the affected person
if the entity has determined (e.g., by performing a risk assessment)
that the release of the protected health information will not result in
financial, reputational, or other harm to the individual. For example,
if a general hospital impermissibly posted protected health information
on its Web site that included only an individual's name and address,
under paragraph (1) of the definition of ``breach'' at Sec.
164.402(1), the facility may not have to notify affected individuals if
it determines that only minimal or no harm could result from such an
inadvertent posting. However, if the same information were posted on
the Web site of a drug rehabilitation facility, a reasonable person may
conclude that the association of a person's name with the facility
could cause damage to their reputation. In that case, the provider
would be required to notify the affected individuals. Therefore, a
covered entity may not assume that these types of breaches do not
require notices to the affected individuals. The entity must undertake
an analysis of the information that was improperly divulged and only
after an investigation may it conclude that the information released
poses no significant harm.
Contrasted with an event that clearly falls into the category of a
data breach and, after investigation requires notice to affected
individuals, paragraph (2) of the definition of ``breach'' at Sec.
164.402 specifies three types of improper uses and disclosures of
protected health information that are excluded from the definition of a
breach. The first is unintentional access to protected health
[[Page 42761]]
information in good faith in the course of performing one's job, and
such access does not result in further impermissible use or disclosure.
For example, a staff person receives and opens an e-mail from a nurse
containing protected health information about a patient that the nurse
mistakenly sent to the staff person, realizes the e-mail is misdirected
and then deletes it.
The second exclusion is an inadvertent disclosure of protected
health information by a person authorized to access protected health
information at a covered entity or business associate to another person
authorized to access protected health information at the same covered
entity or business associate, or organized health care arrangement in
which the covered entity participates. For example, a nurse calls a
doctor who provides medical information on a patient in response to the
inquiry. It turns out the information was for the wrong patient. Such
an event would not be considered a breach under paragraph (2)(ii) of
the definition of ``breach'' at Sec. 164.402, provided the information
received was not further used or disclosed in a manner not permitted by
the Privacy Rule.
The third type of improper disclosure that is excluded from the
definition of a ``breach'' is when protected health information is
improperly disclosed, but the covered entity or business associate
believes, in good faith, that the recipient of the unauthorized
information would not be able to retain the information. For example, a
nurse hands a patient a medical report, but quickly realizes that it
was someone else's report and requests the return of the incorrect
report. In this case, if the nurse can reasonably conclude that the
patient could not have read or otherwise retained the information, then
providing the patient report to the wrong patient does not constitute a
breach.
(2) How Many Breaches Occur and How Many Individuals Are Affected?
The sources for identifying the number of HIPAA covered entity
breaches and the number of individuals are limited to State health
agencies and one database maintained by a nonprofit organization. There
is no national registry of data breaches that captures all data
breaches. Thus, we have to rely on the few sources available to us and
accept that each source has specific limitations. Essentially, we
examined three sources and methods for estimating the number of
breaches and then attempted to apply them to the universe of HIPAA
covered entities and their business associates.
On April 20, 2009, the FTC published a proposed rule that would
implement section 13407 of ARRA (74 FR 17914) and that applies to
entities that are not HIPAA covered entities but which may retain,
accept, and process personal health information in the form of personal
health records. Examples of the kind of entities to which the FTC rule
applies are web-based organizations that will receive, store, and
maintain an individual's health information for that individual. The
FTC estimated there are 900 such entities.
To arrive at an estimate of the number of breaches per year that
would occur to personal health records that these entities retain, the
FTC examined a general database of breaches from 2002 to 2007. They
identified 246 breaches occurring within the 5-year period for
businesses. Averaging the number of breaches over the 5-year period
equals 50 breaches per year. FTC next identified 418,713 retail
businesses with revenues of $1 million or more per year. However,
concerned that applying the annual number of breaches to so large a
number would yield an unrealistically small number of breaches per
entity, the FTC took one percent of the number of retail businesses
(which equals 4,187 entities) on the assumption that only one percent
of the industry had such weak security that they would be attractive
targets for data breaches. The FTC then calculated the breach rate
based on the smaller number. The resulting rate is 1.2 percent which
when applied to the 900 entities the FTC identified as maintainers of
personal health records, equals 11 breaches per year.
To estimate the number of affected individuals, the FTC used a
survey by the Ponemon Institute, ``National Survey on Data Security
Breach Notification,'' 2005 to derive a percent of the number of
individuals notified as a result of a breach. Using 11.6 percent and
applying the value to an estimated 2 million individuals using the
services of the 900 personal health record holders, the FTC estimated
that 232,000 individuals will be notified each year of data breaches.
We do not believe this methodology or these estimates are appropriate
for the HIPAA universe of covered entities, for several reasons. First,
the HIPAA covered universe
contains many more, but also much smaller, entities than the FTC web-
based universe. Second, this rule exempts many small breaches from
reporting requirements because they either fall under the exceptions to
the definition of ``breach'' in the regulation or the entity determines
that no harm will occur. Third, although we use historical data for our
impact estimates, it is possible that the provisions of this rule that
exempt from the notification requirements data encrypted pursuant to
the Secretary's guidance may greatly reduce the future number of
reportable breaches; and fourth, as the FTC itself states, their costs
are over-estimated because they apply all cost factors to all estimated
web-based breaches.
Because the interim final regulation specifies different levels of
responses on the part of HIPAA covered entities when unsecured
protected health information is breached, we had to determine the
number of breaches occurring using the size categories contained in our
interim final regulation. The regulation requires increasing levels of
notification for breaches that affect fewer than ten individuals, 10 to
499 individuals, and 500 or more individuals.
Rather than follow the approach the FTC adopted, we turned to the
DataLoss database maintained by the Open Security Foundation at
http://datalossdb.org/. The database identifies data breaches by type of
business and the number of records or individuals affected. Because
business associates also must comply with provisions of the interim
final rule in addition to HIPAA covered entities, we looked at all
entries that either were identified as a medical entity or identified
medical information as being involved in the data breach. Table 3 is a
summary of the findings from the database for the year 2008,
categorized by the number of individuals affected by each breach. We
chose 2008 because it is the latest year for which we have a full year
of data.
Table 3--Number of Breaches by Number of Affected for 2008
------------------------------------------------------------------------
Affected size                    Data                         Year 2008
------------------------------------------------------------------------
Unknown......................... Breaches................            36
                                 Affected Individuals....  ............
10 to 499....................... Breaches................            14
                                 Affected Individuals....         1,772
500 or More*.................... Breaches................            56
                                 Affected Individuals....     2,887,032
Total Number of Breaches........ ........................           107
Total Sum of Total Affected..... ........................     2,888,804
------------------------------------------------------------------------
* Data for 2008 is adjusted to remove one outlier breach of 2.2 million
  records.
[[Page 42762]]
As Table 3 demonstrates, the number of breaches (106) and the number of
affected individuals (2.9 million) are substantially smaller than the
numbers we would generate using the FTC approach. There are,
nevertheless, shortcomings associated with
the data displayed in the table. As discussed previously, the meaning
of ``Total Affected'' is not clear. Without examining each table data
entry, it is impossible to know precisely if the numbers in the cells
represent individuals, records, or both. In looking at a small sample
of the descriptive detail for actual database entries, we found
evidence for both individuals and records. We assume that in the cases
where the number of records breached was reported, that the number
corresponds roughly to the number of individuals--that each record
represents an individual. Yet, because an individual may have more than
one record in data that was improperly accessed, our estimate of the
affected number of individuals may be overstated. We invite public
comment on this point.
Another concern we have is that the table does not show any affected
individuals or records for the ``under ten'' grouping (the ``Unknown''
row). Because that field is blank in the database, the default value is
zero.
However, it would be improper to assume that the actual value of the
reported ``Total Affected'' was zero. There is evidence, on the other
hand, that the ``Total Affected'' in this group is less than 500 based
on information we were able to obtain from the California Department of
Public Health. For the first six months of this year (the first year
that California's law requiring notification of data breaches involving
protected health information went into effect), of the 196 cases that
have been examined to date, none of the cases has involved more than
499 affected individuals. We interpret this fact as pointing to the
likelihood that the number of individuals or records affected where the
number is unknown is likely to be less than 500 and a majority of cases
may fall into the under ten category. Because of the gap in the data
for breaches involving fewer than ten individuals, our estimate for
this group may be understated. We invite public comment on this point.
The third limitation is the way information finds its way into the
database. Since the database is privately maintained and operated and
is not responsible to either a state or federal agency for regulating
its content, the completeness and accuracy of information posted on the
Web site is unknown. Generally, the information posted on the Web site
is gleaned from published sources or individuals with knowledge of the
breaches submitting information. Nevertheless, we cannot be completely
confident in the reliability of the information obtained from this
source. Therefore, as is evident from the lack of affected records or
individuals in the ``under ten'' grouping, it is highly likely that a
certain number of breaches never reach the database, thus resulting in
an undercount of the total number of breaches and the total number of
individuals or records affected. We invite public comment on this
point.
(3) Estimating the Costs
(a) Baseline
Approximately 45 States have laws that, to varying degrees, contain
breach notification provisions similar to those of the Act. These 45
States require notification of individuals whose information was in some
manner compromised as a result of inappropriate access. Several States
also link their requirements to federal notification requirements. Thus,
while all States with breach laws require some form of notification to
affected individuals, entities in States whose laws conform to the
Federal requirements need only develop procedures that satisfy both
their State law and the interim final rule, and will therefore bear a
smaller compliance burden than entities in other States.
Because not all states have a notification requirement, in our
estimation of the costs of the interim final rule, we will assume that
no State has a notification requirement. Yet, clearly this would
significantly overstate the burden imposed on HIPAA covered entities
because HIPAA covered entities have trained their staffs and have
prepared procedures to follow when a breach occurs to comply with
existing requirements of most of the states. To ameliorate the
overstatement of our cost estimate somewhat, we will assume the costs
for training personnel and for developing procedures have already been
expended and are therefore in the baseline and we did not estimate
these costs in our analysis. We invite public comment on these
assumptions.
(b) Estimation of Costs
In its notice of proposed rulemaking, the FTC identified the cost
elements that an entity will encounter when complying with the interim
final rule. We examine the cost of notifying affected individuals by
first class mail, issuing a substitute notice in major media or on a
Web site along with a toll-free phone number, notifying prominent media
in the event of a breach involving 500 or more individuals, and
notifying the Secretary of a breach, as well as the costs of
investigating breaches.
Cost of Notifying Affected Individuals by First Class Mail or E-Mail
Section 164.404 requires all covered entities to notify an
individual whose unsecured protected health information is believed to
have been breached as defined in the interim final rule, either by
first class mail, or if the individual has agreed, by e-mail. In its
analysis, the FTC assumed that 90 percent of the notices to affected
individuals will be e-mailed and only 10 percent will be sent by
regular first class mail. Since the firms that the FTC is addressing
are primarily web-based, assuming that the vast majority of
communications would be conducted through e-mail is a reasonable
assumption. For HIPAA covered entities, 90 percent of which are small
businesses or nonprofit organizations, that engage the entire U.S.
population in providing health care
[[Page 42763]]
services, we believe that notification through e-mail will be much more
limited than in the case of the entities the FTC regulates. Most
physicians appear concerned with the lack of confidentiality associated
with e-mail use, and many older patients may be uncomfortable with and/
or do not have access to e-mail. We, therefore, assume that only 50
percent of individuals affected as a result of a breach of unsecured
protected health information will receive e-mail notices.
There will be certain costs that both e-mail and first-class mail
communication will share. The cost of composing the notice and preparing
a draft will apply to both forms. The median hourly wage for a
healthcare practitioner and technical worker in 2008 was $27.\15\
Doubling the amount to account for fringe benefits equals $54. If we
assume 30 minutes per breach for composing the letter, the cost equals
$27. We assume that it will take 30 minutes per breach for an
administrative assistant to draft the letter in either e-mail or
printed format and to document the letter to comply with Sec. Sec.
164.414(a) and 164.530(j). The median hourly wage for office and
administrative support staff is $14.32 per hour. Accounting for
benefits, the hourly cost is $29. For the 30 minutes, we estimate $15
per breach. The combined cost for composing and preparing the document
is approximately $42 per breach. Half of the cost will be allocated to
the mailing of the first-class letter and the other half to the sending
of e-mails.
---------------------------------------------------------------------------
\15\ Department of Labor, Occupational Employment Statistics;
Healthcare Practitioner and Technical Occupations. http://www.bls.gov/oes/.
---------------------------------------------------------------------------
Although computer costs for sending e-mail will be insignificant, it
will take staff time to select the e-mail addresses from the entity's
mailing list. We assume that a staff person could process and send 200
e-mails per hour at a cost of $30 per hour. For each mailed notice we
assume $0.06 for paper and envelope and $0.44 for a first class stamp,
totaling $0.50 per letter. We estimate another $30 per hour to prepare
the mailing by hand at a rate of 100 letters per hour.
Using the data from Table 3 above for 2008 (the latest year for
which we have a complete year of data), there were a total of 106
breach events reported including those of an unknown number of affected
records or individuals. Multiplying the number of breaches by the cost
of composing and drafting a notice (106 x $42) equals $4,346.
Allocating half the costs to e-mailing and the same amount to regular
mail yields $2,173 to each category.
For 2008, there were 2,888,804 reported affected individuals.
Splitting this number evenly between e-mail and regular mail gives us
1,444,402 affected individuals for each notice category. For e-mails we
divide the affected individuals by the number of e-mails processed in an
hour (200) and multiply by the hourly cost of $30. To this number we add
the $2,173, giving an estimated cost for e-mail notices of $218,833.
We follow the same method for estimating the cost of notices sent by
postal mail, adding the cost of postage and supplies. Dividing 1,444,402
letters by 100 letters per hour yields 14,444 hours, which multiplied by
$30 gives $433,321; adding postage and supplies of $722,201 and the
$2,173 for composing and drafting yields $1,157,695. Summing the cost of
e-mail and postal mail notices equals $1,376,528. Table 4 presents the
results of our analysis. We invite public comment on this analysis and
our assumptions.
Table 4--Cost of E-Mail and First Class Mail to Affected Individuals
--------------------------------------------------------------------------------------------------------------------------------
                 Composing and                Composing and   Affected       Hours to      Cost to      Postage and
                 drafting cost   Breaches     drafting costs  individuals    prepare       prepare      supplies        Total
                 per breach                                   or records     mailing       mailing
--------------------------------------------------------------------------------------------------------------------------------
Mail...........        $21           106          $2,173      1,444,402       14,444      $433,321      $722,201    $1,157,695
E-mail.........         21           106           2,173      1,444,402        7,222       216,660    ...........       218,833
                                            ------------------------------------------------------------------------------------
  Total........  ...........   ...........         4,346      2,888,804   ...........   ...........   ...........     1,376,528
--------------------------------------------------------------------------------------------------------------------------------
Cost of Substitute Notice
In the event that a HIPAA covered entity is not able to contact an
affected individual through e-mail or postal mail, it must attempt to
contact the person through some other means. If the number of
individuals who cannot be reached through the mailings is less than
ten, the entity may attempt to reach them by some other written means,
or by telephone. We do not know how many breaches occurred with fewer
than ten affected individuals and therefore cannot estimate a cost for
contacting them. We believe, however, that the costs would be very
small and as a result we have not attempted to estimate the costs of
contacting them.
In the event that the covered entity is unable to contact 10 or
more affected individuals through e-mail or postal mail, the interim
final rule requires the entity to (1) publish a notice in the media
(newspaper, television, or radio) containing the information contained
in the mailed notice or post a notice on its Web site, and (2) set up a
toll-free number. The toll-free number is to be included in the public
notice and Web site.
Based on the cost of publishing a public notice in the two leading
newspapers in the Washington, DC area, where rates range between $2.91
and $15.23 per line, we estimate that a public notice will cost between
$80 and $400. Taking the mean of the
range, we estimate an average price of $240 per notice. If we assume
that a provider will publish two notices, the cost will be $480.
Multiplying this amount by the number of breaches reported in 2008 for
the 10 to 499 and 500 or more groupings (70), yields $33,600.
It is conceivable that some breaches involving more than 10 but
fewer than 500 individuals may require notices in several states or
jurisdictions. The probability of this event occurring, however, we
believe, is low and we did not attempt to estimate the costs of such an
event.
If a HIPAA covered entity has a Web site, we assume there will be
no cost to post the notice to the Web site.
Setting up a toll-free phone number is a straightforward process of
contacting any one of a number of service providers
who offer toll-free service. In checking the internet, we found prices
for toll-free service ranging from $0.027 per minute for a basic mail
box arrangement to $0.07 per minute. Some require a
[[Page 42764]]
monthly fee ranging from $10 to $15 per month. A major, national phone
service company offers toll-free service for $15 per month per toll-
free number and per minute charge of $0.07. There is a one-time charge
of $15. For purposes of our analysis, we will use the costs of $15 per
month plus $15 activation fee and $0.07 per minute.
Since the regulation requires providers to maintain a toll-free number
for three months, the monthly charges plus the initial fee will be $60
per breach. To estimate the number of calls to the toll-free number, we
assumed that individuals who are not affected by the breach, as well as
some who did not receive a notice, would call out of concern that their
protected health information might have been compromised. The calls
from individuals who are not affected will make up for the affected
individuals who will not call the number, either because they did not
learn of the breach or because they are not concerned.
In its proposed rule, the FTC estimated that 5,000 people would
call within the first month and then decline to an average of 1,000
calls per month. Since most HIPAA covered entities do not serve that
many patients, we decided to use the mean number of affected
individuals for each of the two groups, 10-499 and 500 or more affected
individuals. For breaches with 10-499 affected individuals, the mean is
127 and for 500 or more, the mean equals 51,554 individuals. Since
multiplying the mean by the number of breaches equals the total number
of affected individuals, we assume that breaches affecting between 10
and 499 individuals will generate 1,772 calls. Similarly, for breaches
affecting 500 or more individuals, we assume 2,887,032 calls. Assuming
that a call averages five minutes at $0.07 per minute, we estimate the
total cost for all calls to equal $1,011,084. Added to this is $4,200,
which represents the monthly fee for three months plus the one-time fee
(totaling $60 per breach) for the 70 breaches. This brings the total
cost of toll-free lines to $1,015,284.
To this cost, we must also include the office staff time to answer
the incoming calls at $30 per hour. Based on an average of five minutes
per call, a staff person could handle 12 calls per hour. Dividing 12
into 2,888,804 equals 240,734 hours and then multiplied by $30 equals
$7,222,025. Summing all cost elements yields a total cost of
$8,237,309.
To the degree that firms already maintain toll-free phone lines,
our estimate overstates the costs of setting up a toll-free line as
required under the rule. Table 5 presents our cost analysis.
Table 5--Cost for Setting Up a Toll-Free Line for Three Months
----------------------------------------------------------------------------------------------------------------
                                    Number of       Number of       Number of        Number of
              Costs                 breaches        breaches        calls            calls                Total
                                    10-499 (14)     500+ (56)       10-499 (1,772)   500+ (2,887,032)
----------------------------------------------------------------------------------------------------------------
Monthly charges for 3 months + 1-        $840          $3,360    ..............   ..............         $4,200
 time charge ($60/breach)
Direct calling charges @ $0.07/   ..............  ..............            622        1,010,461      1,011,084
 min x 5 minutes
Labor cost @ $30/hr x 5 min per   ..............  ..............          4,445        7,217,580      7,222,025
 call
                                  ------------------------------------------------------------------------------
  Total.........................          840           3,360          5,067        8,228,041      8,237,309
----------------------------------------------------------------------------------------------------------------
In addition to the cost of the toll-free number and staff time
answering calls, we also imputed a cost to the time individuals will
spend calling the toll-free number. In estimating the time involved, we
assumed that a person will spend five minutes per call. However, the
person may not get through the first time and thus may have to call
back a second time which could add another 5 minutes. Taking the
average between 5 and 10 minutes, we used an average call time of 7.5
minutes.
For purposes of imputing cost to an individual's time, we took the
mean compensation amount from the Bureau of Labor Statistics of $20.32
for all occupations at http://www.bls.gov/oes/current/oes_nat.htm.
Dividing 60 by 7.5 minutes yields 8 calls per hour. Dividing the number
of calls per hour into 2,888,804 calls and then multiplying by $20,
gives us a cost of $7,222,010. We invite the public to comment on our
analysis and assumptions.
Cost of Breaches Involving 500 or More Individuals
If a HIPAA covered entity experiences a data breach of protected
health information affecting 500 or more individuals, Sec. 164.406 of
the interim final rule requires the entity to notify the media in the
jurisdiction or State in which 500 or more individuals reside. Also,
Sec. 164.408 requires the entity to submit a report to the Secretary
at the same time it notifies the media. The covered entity must take
these steps in addition to undertaking efforts to directly notify
affected individuals by first-class mail or e-mail and through
alternative means of notification if it cannot contact 10 or more
individuals.
We anticipate that, when a covered entity must notify the media
under the interim final rule, it will issue a press release. The tasks
involved in issuing the press release will be the drafting of the
statement and clearing it through the organization. We assume that the
one-page statement will contain essentially the same information as the
notice to affected individuals, and that drafting it will take 1 hour of
the time of the equivalent of a GS-12 Federal employee, earning $29 per
hour. Multiplying the amount by two to account for benefits equals
$58. Approval of the release involves reading the document. We expect
this activity to take 15 minutes. The average hourly rate for a public
relations manager is approximately $49 in 2008. Doubling the amount for
benefits equals $98. Rounding up to $100, one quarter of an hour equals
$25 for approving the release. The total cost of the release equals
$75, and multiplying this amount by the number of breaches affecting
500 or more individuals (56) equals $4,200. It should be noted that
this amount may overstate the actual costs of issuing a notice to the
media. The regulation requires a release only in the jurisdiction or
State where 500 or more individuals are affected. As the example in the
discussion of Sec. 164.406 discussed above in Section IV illustrates,
a breach may affect a total of 500 or more individuals but may affect
fewer than 500 persons in each State or jurisdiction where the affected
individuals reside. In that case, the covered entity does not have to
issue a notice to the media, but must take all the other steps required
of a breach of that size.
There is the possibility that a breach may affect 500 or more
individuals in several States or jurisdictions. In such situations, the
covered entity has the choice of notifying the media in each of
[[Page 42765]]
the several States or jurisdictions; or it may choose to notify the
national media with the expectation that the local media in each
jurisdiction will pick up the information. We expect the covered entity
to select the most efficient means for informing the media.
The report to the Secretary of HHS, which must be sent
contemporaneously with the notices to the affected individuals, will
contain essentially the same information as the notice
sent to the affected individuals: (a) Information regarding the nature
and cause of the data breach, (b) the number and contents of the
records breached, (c) the number of individuals affected, (d) steps the
entity took to notify affected individuals and the degree of success it
had in reaching affected individuals, and (e) steps taken to improve
data security.
We anticipate the time and cost to prepare the report will be the
same as that required for issuing a notice to the media. The cost for
reporting the 56 breaches affecting 500 or more individuals based on
the 2008 data is $4,200.
Cost of Investigating a Breach
As a prerequisite to issuing a notice to individuals or to the
media and the report to the Secretary when a breach occurs, the covered
entity will need to conduct some form of investigation to determine the
nature and cause of the breach. We anticipate that most breaches
involving fewer than 500 records or individuals will be relatively easy
to investigate and may involve a day of investigation to determine the
cause and the extent of the breach. An office manager's time at $50 per
hour multiplied by 8 hours equals $400, which multiplied by the number
of breaches affecting fewer than 500 individuals (50) is $20,000. We note that
this estimate includes the time required to produce the documentation
required by Sec. 164.414(a).
For breaches involving 500 or more individuals, the breach
investigation may take considerably longer and involve significantly
greater costs. The FTC, in its proposed rule (74 FR 17921 and footnote
27) estimated 100 hours at a cost of $4,652. We accept this cost for
investigating a breach as an upper bound, but we expect that the
average investigation will take half the time and cost approximately
$2,300. Based on the Ponemon report cited above, the most frequent
cause for data breaches was a lost laptop computer accounting for 35
percent of all data breaches. While system failure was the second most
frequently cited cause of data breaches accounting for 33 percent, the
combined loss of laptops and other data bearing equipment accounted for
almost 50 percent of data losses. For these reasons, we believe that
estimating the average time and cost for breach investigation as being
half the amount FTC estimated is a reasonable assumption. Multiplying
our cost estimate by the number of breaches of 500 or more individuals
protected health information yields us $128,800.
Cost of Submitting the Annual Breach Summary to HHS
Under Sec. 164.408, covered entities must maintain a log of all
breach events. Once per year, a covered entity that has experienced a
breach must submit a summary of its log to the Department. Since the
material for the submission has already been gathered and organized for
the issuance of the notices to the affected individuals, we expect
submitting the log summary to the Department will require at most an
hour of office staff time once per year. At $30 per hour multiplied by
the total number of breaches reported for 2008 (106) equals $3,180.
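The cost elements above can be tied together in one small model. The following is an added example, not part of the rule or of the Department's regulatory impact analysis: the default parameter values are the document's own 2008 assumptions (the Table 3 counts, the per-hour rates, the 50/50 e-mail and postal split, 200 e-mails and 100 letters per hour, $0.50 per letter for postage and supplies, $60 per breach for the toll-free line, five-minute calls at $0.07 per minute, 7.5 minutes of caller time at $20 per hour, two $240 substitute notices, $75 for a press release and again for the report to the Secretary, $400 and $2,300 per investigation, and one staff hour per breach for the annual log), while the `BreachYear` structure and the function names are this example's. One point to note when reading it against the text: the text states $42 per breach for composing and drafting, but its own $4,346 total for 106 breaches is 106 x $41 (106 x $42 would be $4,452), so the example defaults to $41 in order to reproduce Table 4.

```python
"""Reconstruction of the interim final rule's notification cost model.

Added example, not part of the rule or its regulatory impact analysis:
default parameter values are the document's own 2008 assumptions
(Tables 3 to 5 and the surrounding text); the BreachYear structure and
the function names are this example's. Substitute your own breach
counts to estimate an entity's exposure on the same assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachYear:
    """One year of breaches by affected-size tier, as in Table 3."""
    unknown: int          # breaches with no recorded count (the text's "under ten")
    small: int            # breaches affecting 10 to 499 individuals
    small_affected: int
    large: int            # breaches affecting 500 or more individuals
    large_affected: int

    @property
    def breaches(self) -> int:
        return self.unknown + self.small + self.large

    @property
    def affected(self) -> int:
        return self.small_affected + self.large_affected


# Table 3 values for 2008 (constructed here from the document's table).
TABLE_3_2008 = BreachYear(unknown=36, small=14, small_affected=1_772,
                          large=56, large_affected=2_887_032)


def individual_notice_cost(y: BreachYear, compose_per_breach: float = 41.0,
                           email_share: float = 0.5, emails_per_hour: int = 200,
                           letters_per_hour: int = 100, staff_rate: float = 30.0,
                           postage_supplies: float = 0.50) -> dict:
    """Table 4: first-class mail and e-mail notices to affected individuals.

    The text states $42 per breach for composing and drafting, but its own
    $4,346 total for 106 breaches is 106 x $41 (106 x $42 = $4,452), so
    $41 is the default so that the totals reproduce Table 4.
    """
    compose = y.breaches * compose_per_breach
    emailed = y.affected * email_share
    mailed = y.affected - emailed
    email = compose / 2 + emailed / emails_per_hour * staff_rate
    mail = (compose / 2 + mailed / letters_per_hour * staff_rate
            + mailed * postage_supplies)
    return {"compose": compose, "email": email, "mail": mail,
            "total": email + mail}


def toll_free_cost(y: BreachYear, months: int = 3, monthly_fee: float = 15.0,
                   activation_fee: float = 15.0, per_minute: float = 0.07,
                   call_minutes: float = 5, staff_rate: float = 30.0) -> dict:
    """Table 5: toll-free line kept three months per breach of 10 or more.

    Call volume is one call per affected individual, the text's assumption
    that unaffected callers offset affected people who never call.
    """
    eligible = y.small + y.large
    line_fees = eligible * (months * monthly_fee + activation_fee)
    calls = y.affected
    carrier = calls * call_minutes * per_minute
    staff = calls / (60 / call_minutes) * staff_rate
    return {"line_fees": line_fees, "carrier": carrier, "staff": staff,
            "total": line_fees + carrier + staff}


def individual_time_cost(y: BreachYear, call_minutes: float = 7.5,
                         hourly_value: float = 20.0) -> float:
    """Imputed value of callers' own time (7.5 minutes at $20 per hour)."""
    return y.affected / (60 / call_minutes) * hourly_value


def annual_summary(y: BreachYear) -> dict:
    """Every cost element the analysis quantifies, keyed by element."""
    s = {
        "individual_notices": individual_notice_cost(y)["total"],
        "substitute_notice": (y.small + y.large) * 2 * 240,  # two $240 ads
        "toll_free": toll_free_cost(y)["total"],
        "individual_time": individual_time_cost(y),
        "media_notice": y.large * 75,            # press release, 500+ only
        "hhs_report": y.large * 75,              # same effort as the release
        "investigation": (y.unknown + y.small) * 400 + y.large * 2_300,
        "annual_log": y.breaches * 30,           # one staff hour per breach
    }
    s["total"] = sum(s.values())
    return s


if __name__ == "__main__":
    for element, cost in annual_summary(TABLE_3_2008).items():
        print(f"{element:20s} ${cost:>14,.0f}")
```

Run as a script it prints the 2008 breakdown. The toll-free total comes out about $18 under Table 5's $8,237,309: the 10-499 column of that table is consistent with 1,778 calls rather than the 1,772 affected individuals in Table 3 (1,778 x 5 x $0.07 = $622 and 1,778 / 12 x $30 = $4,445), and the example uses the Table 3 figure throughout.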
3. Benefits
We were not able to identify any studies that pointed to
quantitative benefits arising from the notification of health data
breaches. On an intuitive level, however, it seems that notifying
affected individuals of compromises to their protected health
information would help in two ways. It would alert them to the
possibility of identity theft resulting from the exposure of
identifiers such as credit card numbers, date of birth, and social
security numbers associated with the individual's name. The other
benefit of notification is enabling an affected individual to mitigate
harm to his or her personal reputation that may result from the
exposure of sensitive medical information.
With respect to the mitigation of financial loss, in the study
cited previously \16\ Turner presents evidence suggesting that 69
percent of individuals who were able to take action within 6 months of
the breach to their financial information to mitigate damages suffered
no out-of-pocket expenses. This compares to 40 percent who took action
after 6 months. In cases where affected individuals were able to take
action within 5 months of the breach, such as monitoring their credit
card statements and notifying credit bureaus, the value of the fraud
exceeded $5,000 in only 11 percent of the cases. For those who did not
take steps to mitigate the damage for 6 months or longer, the amount of
fraud exceeded $5,000 in 44 percent of the cases. From this evidence,
it appears that there are some tangible benefits to notifying
individuals as soon as possible after a breach of protected health
information occurs. We did not, however, find a clear connection
between the breach of protected health information and the amount of
financial loss or its frequency.
---------------------------------------------------------------------------
\16\ ``Towards A Rational Breach Notification Regime'' by
Michael Turner; Information Policy Institute.
---------------------------------------------------------------------------
The harm to a person's reputation or standing in the community
resulting from the release of protected health information could be
substantial and could have financial and economic consequences. We lack
data on the frequency and extent of damages from the inappropriate
release of sensitive medical information. Notifying a person of
unauthorized access can, however, enable a person to take measures to
reduce the damage. Notification can enable them to prepare
psychologically and take actions to prepare for the consequences. The
individual also may take steps to prepare others for the possible
consequences.
Benefits to the HIPAA covered entity will rest with the actions it
takes to prevent data breaches. As our analysis demonstrates, the costs
of notification for an entity may be significant, although in the
aggregate in terms of overall health care costs, they are extremely
small. Nevertheless, we believe that the costs of the interim final
rule are avoidable if either before a covered entity experiences a
breach or following one, the entity adopts measures to strengthen its
data security. As pointed out, the most frequent form of data loss is
the result of lost or stolen laptops and data bearing media such as
hard drives. If the data on these devices is encrypted, then under the
interim final rule definition of a breach, the event would not require
the covered entity or the business associate to notify affected
individuals.
Because much of the harm resulting from breaches of protected
health information may come from the pain and suffering individuals
may sustain to their reputations and standing in their communities, the
benefits of reductions in the number of breaches and the number of
individuals affected are hard to quantify, while the costs of the rule
are identifiable and specific. For these reasons, we are unable to
estimate the net benefits of the rule. Yet we believe by providing an
incentive to reduce the number of breaches of unsecured protected
health information, the rule will help increase confidence among
members of the public in the
[[Page 42766]]
security of their protected health information. To whatever extent
greater trust can be fostered between patients and health care
providers, the better the communication and the higher the quality of
health care delivered.
D. Regulatory Flexibility Analysis
The RFA requires agencies to analyze options for regulatory relief
of small businesses if a rule has a significant impact on a substantial
number of small entities. We are implementing this interim final rule
as required by section 13402 of Public Law 111-5. The objective of the
rule is to establish uniform requirements for HIPAA covered entities
and their business associates to notify individuals whose unsecured
protected health information may have been improperly accessed or used.
In Table 2 above, we identified the type and number of HIPAA
covered entities to which the interim regulation applies. For purposes
of our regulatory flexibility analysis, it is our practice to assume
that all health care providers and suppliers meet the definition of a
small entity. Ninety percent of small entities either meet the Small
Business Administration size standard for a small business or are
nonprofit organizations. Approximately 71 percent of health insurance
carriers and third party administrators meet the SBA's small business
size standard. Although we do not have separate revenue data for health
insurance carriers and third party administrators, we believe that the
majority of the third party administrators meet the SBA standard.
Approximately 22 percent of pharmacies meet the SBA standard for a
small business.
Based on the analysis of data breaches for 2008, we do not expect
the interim final rule to have a significant impact on a substantial
number of small entities. First, we estimate that the average cost per
breach will be $160.616. Second, the rule will apply to entities that, in
many instances, already have obligations to provide notification of
data breaches under most State laws covering medical breaches.
Therefore, the Secretary certifies that the rule will not have a
significant impact on a substantial number of small entities.
VI. Paperwork Reduction Act Information Collection
In compliance with the requirement of section 3506(c)(2)(A) of the
Paperwork Reduction Act of 1995, the Office of the Secretary (OS),
Department of Health and Human Services, is publishing the following
summary of a proposed information collection request for public
comment.
Because this rule will go into effect 30 days following
publication, we have submitted a request to OMB for review of these
information collection requirements on an emergency basis, pursuant to
5 CFR 1320.13. We are providing an abbreviated comment period of 14
days. Interested persons are invited to send comments by September 8,
2009 regarding this burden estimate or any other aspect of this
collection of information, including any of the following subjects: (1)
The necessity and utility of the proposed information collection for
the proper performance of the agency's functions; (2) the accuracy of
the estimated burden; (3) ways to enhance the quality, utility, and
clarity of the information to be collected; and (4) the use of
automated collection techniques or other forms of information
technology to minimize the information collection burden.
To comment on this collection of information or to obtain copies of
the supporting statement and any related forms for the proposed
paperwork collections referenced above, e-mail your comment or request,
including your address and phone number to
[email protected], or call the Reports Clearance Office on
(202) 690-6162. Written comments and recommendations for the proposed
information collections must be directed to the OS Paperwork Clearance
Officer at the above e-mail address within 14 days.
Abstract: The Health Information Technology for Economic and
Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of
Division B of the American Recovery and Reinvestment Act of 2009 (ARRA)
(Pub. L. 111-5) requires the Office for Civil Rights to collect
information regarding breaches discovered by covered entities and their
business associates. ARRA was enacted on February 17, 2009. The HITECH
Act (the Act) at section 13402 requires the Department of Health and
Human Services (HHS) to issue interim final regulations within 180 days
of enactment to require HIPAA covered entities and their business
associates to notify affected individuals and the Secretary of breaches
of unsecured protected health information. Section 164.404 of this
interim final regulation requires HIPAA covered entities to notify
affected individuals of a breach of their unsecured protected health
information without reasonable delay and in any case within 60 days of
discovery of the breach, and, in some cases, to notify the media of
such breaches pursuant to Sec. 164.406. Section 164.408 requires
covered entities to provide the Secretary with immediate notice of all
breaches of unsecured protected health information involving more than
500 individuals. Additionally, the Act requires covered entities to
provide the Secretary with an annual log of all breaches of unsecured
protected health information that involve less than 500 individuals.
Finally, covered entities must maintain appropriate documentation under
Sec. 164.530(j) to comply with their burden of proof under Sec.
164.414.
The estimated annualized burden table below was developed using the
same estimates and workload assumptions in the impact statement in
section V, above.
Estimated Annualized Burden Table
----------------------------------------------------------------------------------------------------------------
                                                   Number of   Average number   Average burden   Total burden
Type of respondent                                respondents   of responses    hours per           hours
                                                              per respondent    response
----------------------------------------------------------------------------------------------------------------
Individual Notice--Written and E-mail Notice          106         27,253           1/60            48,147
  (investigation; drafting, preparing, and
  documenting notification; and sending
  notification)
Individual Notice--Substitute Notice (posting or       70              1            668            46,760
  publishing notice and toll-free number)
Media Notice                                           56              1              1                56
Notice to Secretary (Notice for breaches              106              1          22/60                39
  affecting 500 or more individuals and annual
  notice)
                                                  ---------------------------------------------------------------
Total                                                 ...            ...            ...            95,002
----------------------------------------------------------------------------------------------------------------
[[Page 42767]]
List of Subjects
45 CFR Part 160
Administrative practice and procedure, Computer technology,
Electronic information system, Electronic transactions, Employer
benefit plan, Health, Health care, Health facilities, Health insurance,
Health records, Hospitals, Investigations, Medicaid, Medical research,
Medicare, Penalties, Privacy, Reporting and recordkeeping requirements,
Security.
45 CFR Part 164
Administrative practice and procedure, Computer technology,
Electronic information system, Electronic transactions, Employer
benefit plan, Health, Health care, Health facilities, Health insurance,
Health records, Hospitals, Medicaid, Medical research, Medicare,
Privacy, Reporting and recordkeeping requirements, Security.
For the reasons set forth in the preamble, the Department proposes to
revise 45 CFR subtitle A, subchapter C, parts 160 and 164, as follows:
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 160 is revised to read as follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-8; sec.
264, Public Law 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2
(note)); 5 U.S.C. 552; and secs. 13400 and 13402, Public Law 111-5,
123 Stat. 258-263.
2. Revise Sec. 160.101 to read as follows:
Sec. 160.101 Statutory basis and purpose.
The requirements of this subchapter implement sections 1171 through
1179 of the Social Security Act (the Act), as added by section 262 of
Public Law 104-191, section 264 of Public Law 104-191, and section
13402 of Public Law 111-5.
3. In Sec. 160.202, revise the second paragraph of the definition
``Contrary'' to read as follows:
Sec. 160.202 Definitions.
* * * * *
Contrary * * *
(2) The provision of State law stands as an obstacle to the
accomplishment and execution of the full purposes and objectives of
part C of title XI of the Act, section 264 of Public Law 104-191, or
section 13402 of Public Law 111-5, as applicable.
* * * * *
4. In Sec. 160.534 add paragraph (b)(1)(iv), and revise (b)(2) to read
as follows:
Sec. 160.534 The hearing.
* * * * *
(b)(1) * * *
(iv) Compliance with subpart D of part 164, as provided under Sec.
164.414(b).
(2) The Secretary has the burden of going forward and the burden of
persuasion with respect to all other issues, including issues of
liability other than with respect to subpart D of part 164, and the
existence of any factors considered aggravating factors in determining
the amount of the proposed penalty.
* * * * *
PART 164--SECURITY AND PRIVACY
5. The authority citation for part 164 is revised to read as follows:
Authority: 42 U.S.C. 1320d-1320d-8; sec. 264, Public Law 104-
191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); secs. 13400 and
13402, Public Law 111-5, 123 Stat. 258-263.
6. Revise Sec. 164.102 to read as follows:
Sec. 164.102 Statutory basis.
The provisions of this part are adopted pursuant to the Secretary's
authority to prescribe standards, requirements, and implementation
specifications under part C of title XI of the Act, section 264 of
Public Law 104-191, and section 13402 of Public Law 111-5.
7. In Sec. 164.103, add in alphabetical order the definition of ``Law
enforcement official'' to read as follows:
Sec. 164.103 Definitions.
* * * * *
Law enforcement official means an officer or employee of any agency
or authority of the United States, a State, a territory, a political
subdivision of a State or territory, or an Indian tribe, who is
empowered by law to:
(1) Investigate or conduct an official inquiry into a potential
violation of law; or
(2) Prosecute or otherwise conduct a criminal, civil, or
administrative proceeding arising from an alleged violation of law.
* * * * *
8. In Sec. 164.304, revise the definition of ``Access'' to read as
follows:
Sec. 164.304 Definitions.
* * * * *
Access means the ability or the means necessary to read, write,
modify, or communicate data/information or otherwise use any system
resource. (This definition applies to ``access'' as used in this
subpart, not as used in subparts D or E of this part.)
* * * * *
9. Add a new subpart D to part 164 to read as follows:
Subpart D--Notification in the Case of Breach of Unsecured Protected
Health Information
Sec.
164.400 Applicability.
164.402 Definitions.
164.404 Notification to individuals.
164.406 Notification to the media.
164.408 Notification to the Secretary.
164.410 Notification by a business associate.
164.412 Law enforcement delay.
164.414 Administrative requirements and burden of proof.
Authority: Secs. 13400 and 13402, Pub. L. 111-5, 123 Stat. 258-
263.
Subpart D--Notification in the Case of Breach of Unsecured
Protected Health Information
Sec. 164.400 Applicability.
The requirements of this subpart shall apply with respect to
breaches of protected health information occurring on or after
September 23, 2009.
Sec. 164.402 Definitions.
As used in this subpart, the following terms have the following
meanings:
Breach means the acquisition, access, use, or disclosure of
protected health information in a manner not permitted under subpart E
of this part which compromises the security or privacy of the protected
health information.
(1)(i) For purposes of this definition, compromises the security or
privacy of the protected health information means poses a significant
risk of financial, reputational, or other harm to the individual.
(ii) A use or disclosure of protected health information that does
not include the identifiers listed at Sec. 164.514(e)(2), date of
birth, and zip code does not compromise the security or privacy of the
protected health information.
(2) Breach excludes:
(i) Any unintentional acquisition, access, or use of protected
health information by a workforce member or person acting under the
authority of a covered entity or a business associate, if such
acquisition, access, or use was made in good faith and within the scope
of authority and does not result in further use or disclosure in a
manner not permitted under subpart E of this part.
(ii) Any inadvertent disclosure by a person who is authorized to
access protected health information at a covered entity or business
associate to
[[Page 42768]]
another person authorized to access protected health information at the
same covered entity or business associate, or organized health care
arrangement in which the covered entity participates, and the
information received as a result of such disclosure is not further used
or disclosed in a manner not permitted under subpart E of this part.
(iii) A disclosure of protected health information where a covered
entity or business associate has a good faith belief that an
unauthorized person to whom the disclosure was made would not
reasonably have been able to retain such information.
Unsecured protected health information means protected health
information that is not rendered unusable, unreadable, or
indecipherable to unauthorized individuals through the use of a
technology or methodology specified by the Secretary in the guidance
issued under section 13402(h)(2) of Public Law 111-5 on the HHS Web
site.
Sec. 164.404 Notification to individuals.
(a) Standard--(1) General rule. A covered entity shall, following
the discovery of a breach of unsecured protected health information,
notify each individual whose unsecured protected health information has
been, or is reasonably believed by the covered entity to have been,
accessed, acquired, used, or disclosed as a result of such breach.
(2) Breaches treated as discovered. For purposes of paragraph
(a)(1) of this section, Sec. Sec. 164.406(a), and 164.408(a), a breach
shall be treated as discovered by a covered entity as of the first day
on which such breach is known to the covered entity, or, by exercising
reasonable diligence would have been known to the covered entity. A
covered entity shall be deemed to have knowledge of a breach if such
breach is known, or by exercising reasonable diligence would have been
known, to any person, other than the person committing the breach, who
is a workforce member or agent of the covered entity (determined in
accordance with the federal common law of agency).
(b) Implementation specification: Timeliness of notification.
Except as provided in Sec. 164.412, a covered entity shall provide the
notification required by paragraph (a) of this section without
unreasonable delay and in no case later than 60 calendar days after
discovery of a breach.
(c) Implementation specifications: Content of notification--(1)
Elements. The notification required by paragraph (a) of this section
shall include, to the extent possible:
(A) A brief description of what happened, including the date of the
breach and the date of the discovery of the breach, if known;
(B) A description of the types of unsecured protected health
information that were involved in the breach (such as whether full
name, social security number, date of birth, home address, account
number, diagnosis, disability code, or other types of information were
involved);
(C) Any steps individuals should take to protect themselves from
potential harm resulting from the breach;
(D) A brief description of what the covered entity involved is
doing to investigate the breach, to mitigate harm to individuals, and
to protect against any further breaches; and
(E) Contact procedures for individuals to ask questions or learn
additional information, which shall include a toll-free telephone
number, an e-mail address, Web site, or postal address.
(2) Plain language requirement. The notification required by
paragraph (a) of this section shall be written in plain language.
(d) Implementation specifications: Methods of individual
notification. The notification required by paragraph (a) of this
section shall be provided in the following form:
(1) Written notice. (i) Written notification by first-class mail to
the individual at the last known address of the individual or, if the
individual agrees to electronic notice and such agreement has not been
withdrawn, by electronic mail. The notification may be provided in one
or more mailings as information is available.
(ii) If the covered entity knows the individual is deceased and has
the address of the next of kin or personal representative of the
individual (as specified under Sec. 164.502(g)(4) of subpart E),
written notification by first-class mail to either the next of kin or
personal representative of the individual. The notification may be
provided in one or more mailings as information is available.
(2) Substitute notice. In the case in which there is insufficient
or out-of-date contact information that precludes written notification
to the individual under paragraph (d)(1)(i) of this section, a
substitute form of notice reasonably calculated to reach the individual
shall be provided. Substitute notice need not be provided in the case
in which there is insufficient or out-of-date contact information that
precludes written notification to the next of kin or personal
representative of the individual under paragraph (d)(1)(ii).
(i) In the case in which there is insufficient or out-of-date
contact information for fewer than 10 individuals, then such substitute
notice may be provided by an alternative form of written notice,
telephone, or other means.
(ii) In the case in which there is insufficient or out-of-date
contact information for 10 or more individuals, then such substitute
notice shall:
(A) Be in the form of either a conspicuous posting for a period of
90 days on the home page of the Web site of the covered entity
involved, or conspicuous notice in major print or broadcast media in
geographic areas where the individuals affected by the breach likely
reside; and
(B) Include a toll-free phone number that remains active for at
least 90 days where an individual can learn whether the individual's
unsecured protected health information may be included in the breach.
(3) Additional notice in urgent situations. In any case deemed by
the covered entity to require urgency because of possible imminent
misuse of unsecured protected health information, the covered entity
may provide information to individuals by telephone or other means, as
appropriate, in addition to notice provided under paragraph (d)(1) of
this section.
Sec. 164.406 Notification to the media.
(a) Standard. For a breach of unsecured protected health
information involving more than 500 residents of a State or
jurisdiction, a covered entity shall, following the discovery of the
breach as provided in Sec. 164.404(a)(2), notify prominent media
outlets serving the State or jurisdiction. For purposes of this
section, State includes American Samoa and the Northern Mariana
Islands.
(b) Implementation specification: Timeliness of notification.
Except as provided in Sec. 164.412, a covered entity shall provide the
notification required by paragraph (a) of this section without
unreasonable delay and in no case later than 60 calendar days after
discovery of a breach.
(c) Implementation specifications: Content of notification. The
notification required by paragraph (a) of this section shall meet the
requirements of Sec. 164.404(c).
Sec. 164.408 Notification to the Secretary.
(a) Standard. A covered entity shall, following the discovery of a
breach of unsecured protected health information
[[Page 42769]]
as provided in Sec. 164.404(a)(2), notify the Secretary.
(b) Implementation specifications: Breaches involving 500 or more
individuals. For breaches of unsecured protected health information
involving 500 or more individuals, a covered entity shall, except as
provided in Sec. 164.412, provide the notification required by
paragraph (a) of this section contemporaneously with the notice
required by Sec. 164.404(a) and in the manner specified on the HHS Web
site.
(c) Implementation specifications: Breaches involving less than 500
individuals. For breaches of unsecured protected health information
involving less than 500 individuals, a covered entity shall maintain a
log or other documentation of such breaches and, not later than 60 days
after the end of each calendar year, provide the notification required
by paragraph (a) of this section for breaches occurring during the
preceding calendar year, in the manner specified on the HHS Web site.
Sec. 164.410 Notification by a business associate.
(a) Standard. (1) A business associate shall, following the
discovery of a breach of unsecured protected health information, notify
the covered entity of such breach.
(2) Breaches treated as discovered. For purposes of paragraph (1)
of this section, a breach shall be treated as discovered by a business
associate as of the first day on which such breach is known to the
business associate or, by exercising reasonable diligence, would have
been known to the business associate. A business associate shall be
deemed to have knowledge of a breach if the breach is known, or by
exercising reasonable diligence would have been known, to any person,
other than the person committing the breach, who is an employee,
officer, or other agent of the business associate (determined in
accordance with the federal common law of agency).
(b) Implementation specifications: Timeliness of notification.
Except as provided in Sec. 164.412, a business associate shall provide
the notification required by paragraph (a) of this section without
unreasonable delay and in no case later than 60 calendar days after
discovery of a breach.
(c) Implementation specifications: Content of notification. (1) The
notification required by paragraph (a) of this section shall include,
to the extent possible, the identification of each individual whose
unsecured protected health information has been, or is reasonably
believed by the business associate to have been, accessed, acquired,
used, or disclosed during the breach.
(2) A business associate shall provide the covered entity with any
other available information that the covered entity is required to
include in notification to the individual under Sec. 164.404(c) at the
time of the notification required by paragraph (a) of this section or
promptly thereafter as information becomes available.
Sec. 164.412 Law enforcement delay.
If a law enforcement official states to a covered entity or
business associate that a notification, notice, or posting required
under this subpart would impede a criminal investigation or cause
damage to national security, a covered entity or business associate
shall:
(a) If the statement is in writing and specifies the time for which
a delay is required, delay such notification, notice, or posting for
the time period specified by the official; or
(b) If the statement is made orally, document the statement,
including the identity of the official making the statement, and delay
the notification, notice, or posting temporarily and no longer than 30
days from the date of the oral statement, unless a written statement as
described in paragraph (a) of this section is submitted during that
time.
Sec. 164.414 Administrative requirements and burden of proof.
(a) Administrative requirements. A covered entity is required to
comply with the administrative requirements of Sec. 164.530(b), (d),
(e), (g), (h), (i), and (j) with respect to the requirements of this
subpart.
(b) Burden of proof. In the event of a use or disclosure in
violation of subpart E, the covered entity or business associate, as
applicable, shall have the burden of demonstrating that all
notifications were made as required by this subpart or that the use or
disclosure did not constitute a breach, as defined at Sec. 164.402.
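The notification decision procedure in Secs. 164.400 through 164.412 above, reduced to code as an added example (not part of the rule and not an HHS tool). It assumes the breach facts (discovery date, counts, missing contact information, any law enforcement statement) are already established, and where a law enforcement delay runs past the 60-day window it treats the delay as tolling that window.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Thresholds and windows as printed in 45 CFR 164.400-164.412.
SUBPART_D_EFFECTIVE = date(2009, 9, 23)   # Sec. 164.400
NOTICE_WINDOW = timedelta(days=60)        # Secs. 164.404(b), 164.406(b), 164.410(b)
ANNUAL_LOG_WINDOW = timedelta(days=60)    # Sec. 164.408(c): 60 days after end of calendar year
LARGE_BREACH = 500                        # Secs. 164.406(a), 164.408(b)-(c)
SUBSTITUTE_THRESHOLD = 10                 # Sec. 164.404(d)(2)(i)-(ii)
SUBSTITUTE_POSTING_DAYS = 90              # Sec. 164.404(d)(2)(ii)
ORAL_LE_DELAY_MAX = timedelta(days=30)    # Sec. 164.412(b)


@dataclass
class Breach:
    """Constructed input record; field names are this example's own, not the rule's."""
    occurred: date                 # date of the breach
    discovered: date               # Sec. 164.404(a)(2): first day known, or should have been known
    affected: int                  # individuals whose unsecured PHI was involved
    max_residents_one_state: int   # largest count of affected residents in any one State/jurisdiction
    unreachable: int               # individuals with insufficient or out-of-date contact information
    secured: bool = False          # PHI rendered unusable per HHS guidance (Sec. 164.402)
    le_written_until: Optional[date] = None  # written law enforcement statement: delay ends on this date
    le_oral_on: Optional[date] = None        # date of an oral law enforcement statement


@dataclass
class Plan:
    obligations: List[str] = field(default_factory=list)
    individual_deadline: Optional[date] = None
    hold_until: Optional[date] = None     # earliest date notices may go out (law enforcement delay)
    media_notice: bool = False
    secretary_deadline: Optional[date] = None
    substitute_notice: Optional[str] = None


def law_enforcement_hold(b: Breach) -> Optional[date]:
    """Sec. 164.412: a written statement governs; an oral one holds at most 30 days."""
    if b.le_written_until is not None:
        return b.le_written_until
    if b.le_oral_on is not None:
        return b.le_oral_on + ORAL_LE_DELAY_MAX
    return None


def notification_plan(b: Breach) -> Plan:
    plan = Plan()
    if b.occurred < SUBPART_D_EFFECTIVE:
        plan.obligations.append("subpart D does not apply: breach predates 2009-09-23 (Sec. 164.400)")
        return plan
    if b.secured:
        plan.obligations.append("no notification: PHI was not 'unsecured' (Sec. 164.402)")
        return plan

    # Individual notice: without unreasonable delay, no later than 60 calendar days after discovery.
    deadline = b.discovered + NOTICE_WINDOW
    plan.hold_until = law_enforcement_hold(b)
    if plan.hold_until is not None and plan.hold_until > deadline:
        # Assumption of this example: the law enforcement delay tolls the 60-day clock.
        deadline = plan.hold_until
    plan.individual_deadline = deadline
    plan.obligations.append("individual notice by first-class mail or agreed e-mail (Sec. 164.404)")

    # Substitute notice when contact information is missing or stale (Sec. 164.404(d)(2)).
    if 0 < b.unreachable < SUBSTITUTE_THRESHOLD:
        plan.substitute_notice = "alternative written notice, telephone, or other means"
    elif b.unreachable >= SUBSTITUTE_THRESHOLD:
        plan.substitute_notice = (f"web posting or major media for {SUBSTITUTE_POSTING_DAYS} days "
                                  f"plus toll-free number active {SUBSTITUTE_POSTING_DAYS} days")

    # Media notice: more than 500 residents of a single State or jurisdiction (Sec. 164.406).
    plan.media_notice = b.max_residents_one_state > LARGE_BREACH
    if plan.media_notice:
        plan.obligations.append("notify prominent media outlets in that State (Sec. 164.406)")

    # Notice to the Secretary (Sec. 164.408).
    if b.affected >= LARGE_BREACH:
        plan.secretary_deadline = deadline          # contemporaneous with the individual notice
        plan.obligations.append("immediate notice to the Secretary (Sec. 164.408(b))")
    else:
        year_end = date(b.occurred.year, 12, 31)
        plan.secretary_deadline = year_end + ANNUAL_LOG_WINDOW
        plan.obligations.append("log the breach; annual notice to the Secretary (Sec. 164.408(c))")
    return plan


if __name__ == "__main__":
    # Constructed scenario: a lost unencrypted laptop discovered four days after the loss.
    example = Breach(date(2009, 10, 1), date(2009, 10, 5), 1200, 800, 25)
    for line in notification_plan(example).obligations:
        print(line)
```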
Sec. 164.501 [Amended]
10. In Sec. 164.501, remove the definition ``Law enforcement
official.''
11. In Sec. 164.530, revise paragraphs (b)(1), (b)(2)(i)(C), (d)(1),
the first sentence of paragraph (e)(1), (g)(1), (h), the first sentence
of paragraph (i)(1), (i)(2)(i) and add paragraph (j)(1)(iv) to read as
follows:
Sec. 164.530 Administrative requirements.
* * * * *
(b)(1) Standard: Training. A covered entity must train all members
of its workforce on the policies and procedures with respect to
protected health information required by this subpart and subpart D of
this part, as necessary and appropriate for the members of the
workforce to carry out their functions within the covered entity.
(2) * * * (i) * * *
(C) To each member of the covered entity's workforce whose
functions are affected by a material change in the policies or
procedures required by this subpart or subpart D of this part, within a
reasonable period of time after the material change becomes effective
in accordance with paragraph (i) of this section.
* * * * *
(d)(1) Standard: Complaints to the covered entity. A covered entity
must provide a process for individuals to make complaints concerning
the covered entity's policies and procedures required by this subpart
and subpart D of this part or its compliance with such policies and
procedures or the requirements of this subpart or subpart D of this
part.
* * * * *
(e)(1) Standard: Sanctions. A covered entity must have and apply
appropriate sanctions against members of its workforce who fail to
comply with the privacy policies and procedures of the covered entity
or the requirements of this subpart or subpart D of this part.* * *
* * * * *
(g) Standard: Refraining from intimidating or retaliatory acts. A
covered entity--
(1) May not intimidate, threaten, coerce, discriminate against, or
take other retaliatory action against any individual for the exercise
by the individual of any right established, or for participation in any
process provided for, by this subpart or subpart D of this part,
including the filing of a complaint under this section; and
* * * * *
(h) Standard: Waiver of rights. A covered entity may not require
individuals to waive their rights under Sec. 160.306 of this
subchapter, this subpart, or subpart D of this part, as a condition of
the provision of treatment, payment, enrollment in a health plan, or
eligibility for benefits.
(i)(1) Standard: Policies and procedures. A covered entity must
implement policies and procedures with respect to protected health
information that are designed to comply with the standards,
implementation specifications, or other requirements of this subpart
and subpart D of this part. * * *
[[Page 42770]]
(2) Standard: Changes to policies and procedures.
(i) A covered entity must change its policies and procedures as
necessary and appropriate to comply with changes in the law, including
the standards, requirements, and implementation specifications of this
subpart or subpart D of this part.
* * * * *
(j)(1) * * *
(iv) Maintain documentation sufficient to meet its burden of proof
under Sec. 164.414(b).
* * * * *
Dated: August 6, 2009.
Kathleen Sebelius,
Secretary.
[FR Doc. E9-20169 Filed 8-19-09; 4:15 pm]
BILLING CODE 4153-01-P