HIPAA Final Rule: Breach Notification Guidance Safe Harbor

January 30, 2013.  Today, we look at the definition of unsecured protected health information and the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals [“Guidance”] as discussed in the January 25, 2013 Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act]; Other Modifications to the HIPAA Rules.  The Final Rule becomes effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013.

Here is the definition of unsecured protected health information: “protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of the Department of Health and Human Services (HHS)] under section 13402(h)(2) of Public Law 111-5.”  [78 Federal Register 5695]  Public Law 111-5 is the American Recovery and Reinvestment Act of 2009, which included the HITECH Act, and was enacted on February 17, 2009.  There are two minor changes in the definition.  First, “unauthorized individuals” in the interim final rule is changed to “unauthorized persons” in the Final Rule, for the following reason: “the term ‘individual’ is defined in 45 CFR 160.103 to mean the person who is the subject of the protected health information, which is not what is intended with the reference to ‘individual’ in the definition of ‘unsecured protected health information.’ Accordingly, the final rule uses more appropriately the term ‘unauthorized persons.’”  [78 Federal Register 5647]  Second, the Final Rule removes the phrase “on the HHS Web site” from the end of the interim final rule definition as unnecessary language.  [78 Federal Register 5647]  Note, however, that the Final Rule indicates:  “While we remove the reference to the HHS Web site from the regulatory text, we do plan to continue to post updates to the guidance on the Web site as they are issued.”

In accordance with the HITECH Act, the Secretary of HHS issued the Guidance on April 17, 2009, and it was published in the Federal Register on April 27, 2009.  [74 Federal Register 19006]  Subsequently, it was published in the Federal Register as part of the Interim Final Breach Notification Rule on August 24, 2009.  [74 Federal Register 42742-42743]  The Guidance as published in 2009 is in force today and available on the HHS Web site, which is linked in the first paragraph.  Note the following from the Final Rule:  “Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information–that is, the information is not considered ‘unsecured’ in such cases.”  [78 Federal Register 5639]  Finally, “[w]e encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance.  If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.”  [78 Federal Register 5644]

Tomorrow, we discuss further changes in the Final Breach Notification Rule.
