February 1, 2013. Today, we wrap up discussion of breach notification in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. The Final Rule is effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013. The focus is on timing of reporting a breach by a business associate to a covered entity, and, because the definition of breach was modified in the Final Rule, on the requirements to update policies and procedures, retrain the workforce on those updated policies and procedures, and document all breach characteristics and notifications.
Notification by a Business Associate. There was only a “technical and non-substantive correction” in 45 CFR 164.410: Notification by a Business Associate. [78 Federal Register 5656]. Here is the Standard [164.410(a)] from the Final Rule:
“(1) General Rule. A business associate shall, following discovery of a breach of unsecured protected health information, notify the covered entity of such breach.
“(2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).” [78 Federal Register 5695]
Here is an important point from the Final Rule regarding timing and discovery: “Section 164.410(b) requires that a business associate provide notice of a breach of unsecured protected health information to a covered entity without unreasonable delay and in no case later than 60 days following the discovery of a breach. With respect to timing, if a business associate is acting as an agent of a covered entity, then, pursuant to 164.404(a)(2) [Notification to individuals: breaches treated as discovered], the business associate’s discovery of the breach will be imputed to the covered entity. In such circumstances, the covered entity must provide notifications under 164.404(a) [to individuals] based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. In contrast, if the business associate is not an agent of the covered entity, then the covered entity is required to provide notification based on the time the business associate notifies the covered entity of the breach. We encouraged [in the 2009 discussion of the interim final rule] covered entities and business associates to address the timing of this notification in their business associate contracts.” [78 Federal Register 5655] “Because of the agency implications on the timing of breach notifications, we encourage covered entities to discuss and define in their business associate agreements the requirements regarding how, when, and to whom a business associate should notify the covered entity of a potential breach.” [78 Federal Register 5656] Consult with your organization’s attorney on defining any agency role and timing in the business associate agreement, and, for guidance on the business associate agreement, also visit the Office for Civil Rights (OCR) Web site: Business Associate Contract–Sample Business Associate Agreement Provisions, published January 25, 2013.
Administrative Requirements and Burden of Proof. 45 CFR 164.414 was not modified in the Final Rule. Nevertheless, the preamble makes two important points:
With respect to administrative requirements, “[w]e emphasize the importance of ensuring that all workforce members are appropriately trained and knowledgeable about what constitutes a breach and on the policies and procedures for reporting, analyzing, and documenting a possible breach of unsecured protected health information. We note that because this final rule modifies the definition of breach as stated in the interim final rule, covered entities will need to update their policies and procedures and retrain workforce members as necessary to reflect such modifications.” [78 Federal Register 5657-5658] This applies to business associates as well. Remember, your organization will have 180 days between the effective date of the Final Rule, March 26, 2013, and the compliance date of the Final Rule, September 23, 2013, to update policies and procedures and retrain your workforce members on all of the modifications in the Final Rule. For assistance on training, visit HIPAA School; if you are a member of the American Medical Association, visit AMA HIPAA School.
With respect to burden of proof, “section 13402 of the [HITECH Act] places the burden of proof on a covered entity or business associate, if applicable, to demonstrate that all notifications were made as required. Therefore, section 45 CFR 164.530(j)(1)(iv) [of the HIPAA Privacy Rule] requires covered entities to maintain documentation to meet this burden of proof. This includes documentation that all required notifications have been provided or that no breach occurred and notification was not necessary. If a covered entity’s determination with respect to whether a breach occurred is called into question, the covered entity should produce the documentation that demonstrates the reasonableness of its conclusions based on the findings of its risk assessment.” [78 Federal Register 5658] Remember, the burden is on the covered entity–not the business associate–to report the particulars of the breach and notifications to the HHS Secretary on the OCR Web site: Instructions for Submitting Notice of a Breach to the Secretary.
Next week, we take up modifications to the Security Rule.