When President Obama signed into law the economic stimulus bill (formally known as the American Recovery and Reinvestment Act of 2009, or ARRA), most employers focused on the COBRA subsidy provisions, as these had an immediate impact on employer-sponsored health plans.
Overlooked by many were amendments to HIPAA. Among other things, these amendments create a new duty to notify individuals if there is a breach of unsecured data.
Similar to security breach notification laws that have been enacted in more than 40 states, the HIPAA breach notification law requires that if an employer’s self-insured health plan experiences a data breach involving individually identifiable health information about plan participants (known as Protected Health Information or PHI), the employer must notify those individuals whose data is involved in the breach. Unlike state laws, which generally apply only to electronic data, the HIPAA breach notification law applies to data in any form, which includes paper documents and even verbal communications. Thus, a duty to notify could arise in the following circumstances:
- A hacker penetrates your firewall and accesses and possibly acquires a database of health plan participants
- An employee goes snooping through health plan records to find information about a co-worker
- A manager accesses health plan records to make personnel decisions about employees
- An employee e-mails records containing PHI to the wrong e-mail address
- An employee discusses a participant's health condition with other employees in the employer's cafeteria
One way to minimize the impact of this new law is to appropriately secure data. Under the new law, there is no duty to notify if the data involved in the breach is secured in such a way that it is unusable, unreadable or indecipherable to the individual who gains improper access. To help employers understand what it means to secure the data, the Department of Health & Human Services (HHS) has recently issued guidance that explains when data will be considered "secured" for these purposes.
The first step is to consider the state of the data. The guidance from HHS identifies four commonly recognized states that should be considered:
- Data in motion. This is data as it moves within your network, for example, from a server to a computer. It also includes data as it moves between networks, such as from your company to a third party administrator, and data that is transferred through wireless transmissions.
- Data at rest. This is data while it is stored, such as on a server, a laptop computer, or a handheld device. For paper documents, this would include records stored in a file cabinet or in someone's office.
- Data in use. This is data in the process of being created, retrieved, updated or deleted. It includes data while it is being processed by your computer systems, or perhaps called up for view on a computer monitor.
- Data disposed. This would include retired computer media or old paper documents that are no longer needed.
Depending on the state of the data, HHS has identified two potential solutions for securing data. The first solution is encryption, which can work for electronic data at rest and data in motion. Whether data is appropriately encrypted depends on two factors: the strength of the encryption algorithm and the security of the decryption key or process. Thus, encrypted data may not be considered secure if the encryption algorithm is too weak or if the individual inappropriately accessing the data also has access to the decryption key. For data in motion, HHS points to encryption processes that are validated under Federal Information Processing Standard (FIPS) 140-2 (available at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf), the federal standard for cryptographic modules; in practice this means relying on validated implementations of standard protocols such as TLS or IPsec rather than a home-grown scheme. For data at rest, HHS recommends that you follow the guidelines in National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices (available at http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf).
The second acceptable method of securing data, which applies to data disposed, is destruction of the media on which the protected health information is stored. For paper, film or other hard copy media, destruction requires shredding or otherwise destroying the media so that PHI cannot be read or reconstructed. For electronic media, destruction requires that the data be cleared, purged or destroyed consistent with NIST Special Publication 800-88 (available at http://www.fylrr.com/archives.php?doc=NISTSP800-88_rev1.pdf).
At this time, the HHS does not have any recommended solution for ensuring the security of data in use. A breach that involves data in use will likely trigger a notification requirement because the data will not be considered secure. Breaches involving paper forms of PHI (other than paper media that is properly destroyed upon disposal) and verbal communications of PHI are also likely to trigger notification requirements.
The guidance from HHS does not require employers to implement any of these recommendations. However, securing data consistent with this guidance will provide your company a safe harbor for certain types of data breaches and thus reduce the likelihood that you will have to notify individuals. For example, encryption will act as a safe harbor in many cases involving a hacker who penetrates your system's firewalls and in situations involving encrypted files attached to a misdirected e-mail. It will not help, however, if a trusted employee with legitimate access to encrypted files accesses those files for an improper purpose, as that employee will likely also have the decryption key. For the same reason, the safe harbor depends on how the key is managed: a stolen laptop with an encrypted disk is protected only if the key cannot be recovered along with the device, and an attacker who compromises a running system where the data is decrypted for use may obtain the key as well.
Even if the guidance from HHS does not mandate that you encrypt data, you may still be in violation of HIPAA if you do not encrypt. The HIPAA Security Rule requires you to conduct a risk analysis and to manage the risk of improper access to and disclosure of electronic records. Encryption is an "addressable" implementation specification under that rule: you are not required to encrypt in every case, but where your risk analysis indicates that data is vulnerable to improper access, you must either encrypt or document why an alternative safeguard is reasonable and appropriate. If there were a data breach, HHS could conclude that failure to implement an appropriate safeguard such as encryption is a HIPAA violation.
If your company sponsors a self-insured health plan you should evaluate how and where PHI about plan participants is stored. You should take into account not only the information that you store in your own facilities and computer systems, but also data stored off-site and with contractors, such as your third party administrators. You should consider whether your business associate agreements with third party administrators and other contractors should be modified to address responsibility for notifying individuals in the event of a breach. If the business associate agreement does not address this issue, then the new HIPAA breach notification law only requires the contractor to notify your company of the breach, and it will be your company's responsibility to notify affected individuals.
The new breach notification requirements are not in effect yet, but will be soon. HHS is required to issue regulations by August 17, 2009, and the new requirements will go into effect 30 days later. This is a very short window of time, so you may want to start addressing the issue now.
If you have questions about the new breach notification requirements under HIPAA or need help implementing appropriate breach notification policies and procedures or revising business associate agreements, contact Norbert F. Kugele at firstname.lastname@example.org or by phone at 616.752.2186.