Special Report August 2009
acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
In such a situation, the entity is required to provide notification within a given amount of time (“without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach”) and via particular methods (written, telephonic, Web site or media notification depending on the number of affected individuals, the possibility of imminent misuse of the disclosed PHI and whether the entity has current contact information for those individuals). In certain large breach situations, the entity is also required to provide immediate notice to the Secretary of Health and Human Services, and annual notice for all other breaches.
Regardless of the method of breach notification, notice of the breach is to include:
1) A brief description of what happened, including the date of the discovery of the breach, if known.
2) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number and disability code).
3) The steps individuals should take to protect themselves from potential harm resulting from the breach.
4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses and to protect against any further breaches.
5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site or postal address.
These breach notification requirements will also apply to entities that are neither covered entities nor business associates, with respect to breaches of security of “personal health records.” A personal health record (PHR) is an electronic record containing individually identifiable information received from or on behalf of the individual who is the subject of the record “that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” Noncovered entities and nonbusiness associates who (i) offer products or services through the Web site of a vendor of PHR, (ii) offer products or services through the Web site of covered entities that make PHR available to individuals and/or (iii) access information in a PHR or send information to a PHR are required to notify an individual of the security breach in the same manner as described above and, additionally, to notify the Federal Trade Commission.
Examples of such entities include companies with Web-based applications that help consumers manage medications, a bricks-and-mortar company advertising dietary supplements online, companies that provide online medication or weight tracking programs and companies that provide online applications through which individuals can connect blood pressure cuffs, blood glucose monitors or other devices so that the results can be tracked through their personal health records. Entities that provide services to PHR vendors are required, upon discovery of a security breach, to provide notice to the PHR vendor, and the PHR vendor is required to notify the individual.
Technology and Methodology Guidance
The notification procedures outlined in the HITECH Act are triggered when there is a disclosure of “unsecured” PHI. The Act directed the Department of Health and Human Services to issue guidance specifying technologies and methodologies entities can use to render PHI unusable, unreadable or indecipherable to unauthorized individuals. The Department of Health and Human Services issued such guidance on April 17,