April 3

Don’t Get Caught Unprepared: Explore the Breach Notification Rule in the HITECH Act

The HITECH Act is an essential piece of legislation that every healthcare organization needs to be aware of.  Specifically, the Breach Notification Rule requires healthcare organizations to be prepared for any potential breaches and to provide timely notification to those affected.  It is important to understand the background, key changes, and implementation date of the Rule, as well as the definition of a breach, criteria for handling one, and best practices to prepare your organization.

Key Changes in the Rule

The Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2009 and introduced significant changes to the existing HIPAA regulations.  The Act bridges healthcare organizations and technology and strengthens the security of protected health information (PHI).  The HITECH Act includes changes to the Privacy and Security Rules that have important implications for covered entities and business associates regarding cybersecurity. 

The HITECH Act also introduced the Breach Notification Rule.  This rule requires that covered entities and business associates report any breach of PHI.  We’ll go into more detail about what must be reported and to whom later in this article.

Other key changes in the rule include mandatory risk assessments, enhanced encryption requirements, and greater penalties for violations.  These changes have made it essential for healthcare organizations to have comprehensive cybersecurity strategies in place.

The Breach Notification Rule: An Overview

The most notable change included in HITECH was the Breach Notification Rule.  This Rule requires organizations to notify individuals if their protected health information is subject to a data breach.  Furthermore, the Rule outlines steps that organizations must take to mitigate risk and ensure that data breaches do not occur in the first place.  The Rule also requires organizations to notify the Department of Health and Human Services (HHS) of any breach of unsecured protected health information affecting 500 or more individuals.

The Rule became effective for covered entities and business associates on September 23, 2009.  Organizations need to be aware of the requirements outlined by this rule and stay up to date on the latest changes, as the HHS regularly updates its policies on notifications concerning a breach.

What Constitutes a Breach?

In the HITECH Act, a breach is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

The Privacy Rule includes requirements for covered entities and business associates to protect PHI from intentional and unintentional uses and disclosures not permitted by the Privacy Rule.

When a breach is suspected or confirmed, covered entities and business associates must comply with specific steps and criteria outlined in the Rule.  These steps and criteria are designed to ensure the timely discovery of, and response to, potential threats and to provide notifications in accordance with applicable law.

Steps and Criteria for Handling a Breach

Under the Rule, organizations must take specific steps to respond to a breach of confidential patient information.  Organizations must have procedures that detail what actions must be taken to detect, contain, and mitigate any breach, as well as policies to ensure compliance with the HIPAA Security Rule.

When a breach of PHI is discovered, the organization must first assess the risk of harm associated with the breach.  This involves considering factors such as the type of information involved, the number of individuals affected, and the likelihood that the information will be used for identity theft or other malicious activities.

If it is determined that a breach has occurred, the organization must then take steps to contain the breach and prevent further disclosure of confidential data.  This includes limiting access to the compromised data, changing passwords, and developing new security protocols.  If the organization has an Incident Response Plan (and every covered entity & business associate should), it should be consulted and followed.  Check out this article for a more detailed look into the required elements of an incident response plan.

A key aspect of properly handling a breach involves a detailed post-mortem to determine how the breach occurred and what corrective measures will be taken to prevent such an incident from happening in the future.  This may include implementing additional technical safeguards, training staff on properly handling PHI, and updating security protocols regularly.

Required Notifications

The Rule requires organizations to provide timely notifications to affected individuals, the Secretary of Health and Human Services (HHS), and in some cases, the media.  Organizations must provide notifications within 60 days of becoming aware of the breach.

There are five separate elements defined in HITECH that must be included in the notification to affected individuals:

  1. A brief description of what happened, including the date(s) of the breach and the date it was discovered.
  2. A description of the types of unsecured PHI that were compromised (e.g., name, address, Social Security Number, etc.).
  3. Steps that individuals should take to protect themselves from harm due to the breach.
  4. A description of what the covered entity or business associate is doing to investigate the breach, and what steps are being taken to mitigate the damage and protect against further breaches.
  5. Contact information for individuals to ask questions and learn additional information.  The contact information should be a toll-free number, an email address, a web site, or a postal address.

Organizations must also notify HHS about the breach via a web-based portal.  Lastly, organizations must notify prominent media outlets if the breach affects more than 500 individuals in a single state or jurisdiction.

Exceptions to Breach Notification

There are a couple of exceptions to note regarding notification.  First, if law enforcement determines that making notification would impede a criminal investigation or compromise national security, then notification may be delayed until such time as law enforcement deems it safe to disclose.

Second, if the data that was compromised was properly encrypted using standard encryption methodologies, then no notification is necessary since the information is considered unusable (i.e., secure).

Best Practices for Preparing Your Organization for Breaches

When it comes to preparing for a potential breach, the HITECH Act and Breach Notification Rule can provide your organization with an essential roadmap.  With the right measures in place, you can ensure that your business complies with the law and is ready to face any issue head-on.

Develop a plan to detect, respond to, and mitigate any potential breaches.  As soon as a breach is suspected, report it immediately to your organization’s leadership and take action to contain the breach.  Create policies and procedures on how to handle a breach, such as identifying and notifying affected individuals and government agencies, as well as notifying the media if necessary.

Finally, ensure that your organization has adequate cybersecurity insurance coverage to protect against financial losses due to a breach.  Check with your insurance provider to make sure you have the right coverage for any potential incident.


Handling a data breach is a nuanced and complex issue.  MediGuard by Axeleos is a comprehensive HIPAA security audit engagement that will ensure your organization is maximally protected against a breach of PHI.  Contact us today for a free consultation.

