HITECH Breach Notification: A Blizzard of Activity
While Washington, D.C., is digging out of its largest blizzard in decades, the health care industry, too, is trying to weather storm after storm of compliance obligations under the Health Information Technology for Economic and Clinical Health Act (HITECH). Feb. 22, 2010, marks the enforcement date for the health information security breach notification requirements under HITECH, followed a week later by the submission date for breach reports to the federal government.
Covered entities and business associates should be ready to comply with the breach notification requirements, including having written policies and procedures in place and workforce training on them. Covered entities also should be prepared to submit reports to the Department of Health and Human Services (HHS) of any breaches discovered on or after Sept. 23, 2009, the effective date of the regulations, through the end of 2009.
Enforcement of the federal breach notification requirements
By way of background, HITECH created the first federal health information breach notification mandate and called on HHS to promulgate regulations within six months after its enactment. HHS issued interim final breach notification regulations on Aug. 24, 2009, which became effective on Sept. 23, 2009.
Recognizing the Herculean efforts required for the health care industry to comply with these extensive requirements, HHS said that it would use its enforcement discretion to not impose sanctions for failure to provide notification for breaches that were discovered before Feb. 22, 2010. Beginning on this date, however, HHS can be expected to start enforcing the breach notification requirements.
In a nutshell, covered entities and business associates must provide notification of breaches of unsecured protected health information if the breach poses a significant risk of financial, reputational or other harm to the individual. "Unsecured" protected health information is information that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance, which currently means encryption or destruction; loss of properly encrypted data whose key was not also compromised does not trigger notification. Whether a breach poses a significant risk of harm is determined through a risk assessment, which should be documented, because the covered entity bears the burden of demonstrating either that all required notifications were made or that the incident did not constitute a reportable breach. Business associates must notify their affected covered entities. Covered entities must notify the affected individuals, HHS, and, if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that state or jurisdiction. Notification must be made without unreasonable delay, and in no event more than 60 calendar days from the date the breach is discovered (or, by exercising reasonable diligence, would have been discovered), and must comply with the specific content and method requirements of the HITECH regulations. For more detailed information on the requirements, please see our Aug. 25, 2009, advisory, "HHS Issues Rule on Breach Notification for Unsecured Protected Health Information."
Data breach reporting to HHS
Under the HITECH breach notification requirements, covered entities must notify HHS of all reportable breaches. The timing of the notification varies with the number of individuals affected. For breaches involving fewer than 500 individuals, covered entities must maintain a log of such breaches and submit that log to HHS annually, no later than 60 days following the end of the calendar year in which the breaches were discovered. Breaches involving 500 or more individuals require reporting to HHS contemporaneously with notification to the affected individuals, that is, without unreasonable delay and within the same 60-day window.
Within 60 days of the end of each calendar year (March 1, 2010, by our calculation for this year), covered entities must provide HHS with information about breaches involving fewer than 500 individuals that were discovered in the previous calendar year. Reporting in 2010 need cover only those breaches discovered from Sept. 23, 2009, the effective date of the regulations, through Dec. 31, 2009. Reporting must be made in the manner specified on the HHS Web site.
Notification must be made electronically through the HHS Web site and must include detailed information about each individual breach. Although HITECH requires covered entities to maintain and submit an annual log of breaches to HHS, the Web site does not accept a single consolidated log; it requires a separate incident report for each breach, containing the same information that is required for breaches involving 500 or more individuals. Covered entities with several small breaches to report should therefore budget time before the March 1 deadline to prepare each report separately, and should retain their own copy of each submission along with the underlying risk assessment.