HHS and FTC Weigh in on Details of Security Breach Notification Requirements Under HITECH Act
At the end of last week, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) each issued documents that begin to fill in the details of the new federal security breach notification obligations for Covered Entities, Business Associates, vendors of personal health records and related entities required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
HHS issued guidance (the "HHS Guidance") specifying the technologies and methodologies that render protected health information (PHI) "unusable, unreadable, or indecipherable to unauthorized individuals." The HHS Guidance will apply not only to Covered Entities and Business Associates, but also to personal health record vendors and related entities, which under the FTC Proposed Rule must use the same technologies and methodologies to render PHR identifiable health information secured. HHS is seeking comments by May 21, 2009 on its guidance to inform future rulemaking and updates to the guidance.
In addition, the FTC released the Proposed Health Breach Notification Rule (the "FTC Proposed Rule") to implement the statutory requirement under HITECH that vendors of personal health records and related entities notify individuals upon a security breach involving the acquisition of unsecured PHR identifiable health information. The FTC is seeking comments to the proposed rule by June 1, 2009.
In the HHS Guidance issued on April 17, 2009, HHS addresses the HITECH requirement that HHS identify the technologies and methodologies that will be deemed to render PHI "unusable, unreadable, or indecipherable to unauthorized individuals." If PHI is secured through one of these technologies/methodologies it will not be considered "unsecured" and will not trigger the breach notification requirements of Section 13402 of the HITECH Act. That section requires that Covered Entities notify affected individuals, and requires Business Associates to notify Covered Entities, following the discovery of a breach of unsecured PHI. In its guidance, HHS seeks comment on related issues, such as breaches involving limited data sets and state law requirements.
Encryption and Destruction
Under the HHS Guidance, PHI is rendered unusable, unreadable or indecipherable to unauthorized individuals only if one or more of the following applies:
Encryption of Data at Rest and Data in Motion: Electronic PHI has been encrypted as specified in the HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" and such confidential process or key that might enable decryption has not been breached. Encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
Valid encryption processes for data at rest (i.e., data that resides in databases, file systems, and other structured storage methods) are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
Valid encryption processes for data in motion (i.e., data that is moving through a network, including wireless transmission) are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
Destruction of PHI: The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
Paper, film or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
Electronic media have been cleared, purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
While Covered Entities and Business Associates are not mandated to follow the HHS Guidance, HHS explains that the specified technologies and methodologies, if used, create the equivalent of a safe harbor, with the result that Covered Entities and Business Associates are not required to provide notification under the HITECH Act in the event of a breach. The HHS Guidance notes that Covered Entities and Business Associates may still need to comply with other security breach notification requirements, such as pursuant to state law, even if they employ the technologies and methodologies set forth in the HHS Guidance.
De-Identified Data and Limited Data Set
The HHS Guidance explains that it does not address the use of de-identified information as a method to render PHI unusable, unreadable or indecipherable to unauthorized individuals. Of course, because de-identified information is not PHI, it is not subject to the HIPAA Privacy and Security Rules.
HHS specifically solicits comments as to whether PHI in a limited data set should be treated as "unusable, unreadable or indecipherable to unauthorized individuals" for purposes of breach notification and therefore included in the HHS Guidance as a recognized technology/methodology. Information in a limited data set is not de-identified, but is stripped of direct identifiers. HHS notes that the following reasons support including the use of a limited data set in the HHS Guidance: (1) doing so would better align the HITECH Act breach notice requirements with the requirements in state security breach notification laws, which typically only apply where direct identifiers are compromised; and (2) there may be difficulties for a Covered Entity in notifying individuals of a breach involving a limited data set because the entity may be restricted in its ability to identify the individuals who are the subject of the limited data set, since the entity is specifically prohibited by its data use agreement from re-identifying or contacting those individuals.
Another point to consider is that frequently a limited data set recipient is not part of the Covered Entity, but rather a third party that uses the limited data set for research or public health purposes. If HHS does not include the limited data set as one of the means for considering data to be "unusable, unreadable or indecipherable to unauthorized individuals," Covered Entities will presumably need to modify data use agreements to require limited data set recipients to inform them of a breach of unsecured PHI in a limited data set. Covered Entities would then be responsible for re-identifying the information and notifying the affected individuals. Covered Entities may also wish to require their limited data set recipients to apply the technologies and methodologies set forth in the HHS Guidance so that the PHI in the limited data set is considered secured in the event of a breach. HHS also seeks comment on whether something less than a complete limited data set should be included in the HHS Guidance if the entire limited data set is not included.
State Laws on Breach
HHS also seeks comment as to whether there are potential areas of conflict with state breach notification laws that HHS should consider in promulgating federal breach notification requirements. Given current obligations under state breach notification laws, HHS asks whether Covered Entities and Business Associates anticipate having to send multiple notices to an individual regarding a single breach, or whether there are circumstances where the federal notice would not also satisfy a notice obligation under state law. Further, HHS asks whether there are any circumstances in which a Covered Entity or Business Associate would still need to notify individuals under state laws of a breach of information that has been rendered secure based on federal requirements.
FTC Proposed Health Breach Notification Rule
The FTC issued its proposed rule on health breach notification on April 16, 2009. Under HITECH, PHR Vendors and entities offering products and services through a PHR Vendor's website (a PHR Related Entity), upon discovery of a security breach involving unsecured PHR identifiable health information, are required to notify the individuals impacted and the FTC. Further, Third Party Service Providers that handle unsecured PHR identifiable health information in providing services to PHR Vendors and to PHR Related Entities are required to notify the vendor or related entity following the discovery of a security breach involving such information. The requirements for timing of notifications and content that are applicable to security breaches by HIPAA Covered Entities and Business Associates under HITECH also apply to the content and timeliness of notifications by PHR Vendors, PHR Related Entities and Third Party Service Providers under the FTC Proposed Rule.
Technologies and Methodologies to Secure Data
The breach notification requirement applies only to "unsecured" PHR identifiable health information, which means PHR identifiable health information that is not protected through the use of a technology or methodology specified in the HHS Guidance issued on April 17th and summarized above.
The definitions in the FTC Proposed Rule are substantively equivalent to the definitions in HITECH:
Personal Health Record or PHR: means an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual.
PHR Identifiable Health Information: means individually identifiable health information and, with respect to an individual, information that (1) is provided by or on behalf of the individual, and (2) identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. The FTC notes in its analysis that because the definition of PHR identifiable health information includes information that relates to the past, present or future payment for health care, the proposed rule covers breaches of information that may not necessarily disclose a person's health status but merely contains names and credit card numbers of individuals. Further, because the definition includes information that relates to the health or condition of the individual, it would include the fact of having an account with a vendor of PHR where the products or services of the vendor relate to a particular health condition, such as if the vendor or related entity is directed to persons being treated for HIV / AIDS.
Vendor of PHR or PHR Vendor: means an entity that is neither a HIPAA covered entity nor a Business Associate and that offers or maintains a personal health record.
PHR Related Entity: means the following three types of entities:
entities that are not HIPAA Covered Entities and that offer products or services through the website of a vendor of personal health records (e.g., where a customer can click on a link on a PHR website to get to a company that advertises dietary supplements or offers medication management services);
non-HIPAA Covered Entities that offer products or services through the websites of HIPAA-Covered Entities that offer individuals personal health records;
non-HIPAA covered entities that access information in a personal health record or send information to a personal health record (e.g., this could include a company that manufactures blood pressure cuffs or blood glucose monitors that can track information about a patient and include it in the patient's PHR).
Third Party Service Provider: means an entity that (1) provides services to a vendor of PHR in connection with the offering or maintenance of the PHR or to a PHR related entity in connection with a product or service offered by that entity, and (2) accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured PHR identifiable health information as a result of such services. This would include billing or data storage services to PHR vendors or PHR-related entities.
De-Identified Data and Limited Data Set
As with the HHS Guidance, the FTC notes in its analysis that a breach involving only de-identified information would not be subject to the breach notification rule because no PHR identifiable health information would be involved. The FTC recognizes that there may be instances where, although information may not fully meet the de-identification requirement, it may nonetheless not reasonably be identifiable. It asks commenters to give examples of such situations.
"Acquisition of" vs. "Access to" Data
The HITECH Act states that a security breach only occurs when unsecured PHR identifiable information is "acquired" without authorization. The FTC Proposed Rule makes a distinction between data being available to an unauthorized person and that person actually acquiring the data. For example, if an employee accidentally opens a file they are not authorized to access, but immediately closes the file without reading, using or disclosing any PHR identifiable health information, the FTC does not view this as an acquisition of the data. The FTC explains that the entity experiencing the breach is in the best position to determine if an unauthorized acquisition has taken place.
The FTC Proposed Rule creates a presumption that unauthorized persons have acquired information if they have access to it, but this presumption may be rebutted by reliable evidence showing that the information was not or could not reasonably have been acquired. This evidence can be gathered through interviews with employees, by reviewing access logs or sign-in sheets, and by examining forensic evidence. The FTC provides an example of a lost laptop that is recovered, where the entity may rebut the presumption that PHR identifiable health information was acquired without authorization by showing through forensic analysis that the files were never opened, altered, transferred or compromised.
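As an added illustration that is not part of the newsletter or of the HHS and FTC documents, the following Python sketch applies the HHS safe-harbor test from the Encryption and Destruction section above and the FTC acquisition presumption just described to constructed incident records; the method labels, field names and scenarios are this example's own shorthand, and state-law obligations are out of scope.

```python
"""Breach-notification triage helper (constructed example, not from HHS or the FTC).

Two tests from the guidance summarised above:
  1. HHS safe harbor: data counts as "secured" only if encrypted with a listed
     NIST/FIPS method AND the key or confidential process was not breached, or
     the media was destroyed per NIST SP 800-88 / shredded.
  2. FTC presumption: unsecured data an unauthorized person could reach is
     presumed acquired unless reliable evidence (e.g. forensics) rebuts that.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Shorthand labels for the methods the HHS Guidance names (example's own naming).
SECURED_ENCRYPTION = {"nist-800-111-at-rest", "fips-140-2-in-motion"}
SECURED_DESTRUCTION = {"nist-800-88-sanitized", "hard-copy-shredded"}


@dataclass
class Incident:
    encryption: Optional[str] = None        # encryption method applied to the data, if any
    key_compromised: bool = False           # was the decryption key/process itself breached?
    destruction: Optional[str] = None       # sanitization method, if the media was destroyed
    accessed_by_unauthorized: bool = True   # could an unauthorized person reach the data?
    rebuttal_evidence: List[str] = field(default_factory=list)  # reliable evidence of non-acquisition


def is_secured(inc: Incident) -> bool:
    """HHS safe harbor: approved encryption with the key intact, or approved destruction."""
    encrypted_ok = inc.encryption in SECURED_ENCRYPTION and not inc.key_compromised
    destroyed_ok = inc.destruction in SECURED_DESTRUCTION
    return encrypted_ok or destroyed_ok


def presumed_acquired(inc: Incident) -> bool:
    """FTC presumption: access implies acquisition unless rebutted by reliable evidence."""
    return inc.accessed_by_unauthorized and not inc.rebuttal_evidence


def triage(inc: Incident) -> Tuple[bool, str]:
    """Return (notification_required, reason) for the HITECH breach-notice duty only."""
    if is_secured(inc):
        return False, "secured per HHS Guidance; HITECH notice not triggered"
    if not presumed_acquired(inc):
        return False, "unsecured, but acquisition rebutted: " + "; ".join(inc.rebuttal_evidence)
    return True, "unsecured PHI presumed acquired; notify per HITECH timelines"


if __name__ == "__main__":
    # Constructed scenarios: an encrypted laptop whose key was also exposed, and the
    # recovered-laptop case where forensics show the files were never opened.
    print(triage(Incident(encryption="nist-800-111-at-rest", key_compromised=True)))
    print(triage(Incident(rebuttal_evidence=["forensic image: files never opened or copied"])))
```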
Third Party Service Providers
Third Party Service Providers to PHR Vendors and PHR Related Entities must provide notice to such vendors and entities following discovery of a breach, and the vendors and entities must in turn notify the customers. This means that the Third Party Service Provider must tell the vendor or related entity the identity of the individuals whose information has been or is reasonably believed to have been acquired during the breach. One can imagine scenarios where a Third Party Service Provider may not have information that it can use to identify an individual, even though the information it possesses is not fully de-identified. In such circumstances, it seems reasonable that the PHR Vendor or PHR Related Entity would be responsible for determining the identity of the customers impacted by the breach. These are issues that will need to be considered by parties when entering into agreements to act as or engage a Third Party Service Provider.
Content of Breach Notice
In its analysis, the FTC suggests steps that can be recommended to individuals in the breach notification letter so that the individuals who are the subject of a security breach can protect themselves. The steps differ depending on the circumstances of the breach and the type of PHR identifiable health information involved. The FTC recommends:
If health insurance account information is compromised, the entity could suggest steps such as requesting and reviewing copies of medical files for potential errors; monitoring explanation of benefit forms for potential errors; contacting insurers to notify them of possible medical identity theft; following up with providers if medical bills do not arrive on time to ensure that an identity thief has not changed the billing address; and trying to change health insurance account numbers if necessary.
If the breach involves Social Security numbers, the entity should suggest additional steps such as placing a fraud alert on credit reports; obtaining and reviewing copies of credit reports for signs of identity theft; calling the local police or sheriff's office in the event suspicious activity is detected; and obtaining a credit freeze if appropriate.
If the breach involves financial account numbers, the entity should direct consumers to monitor their accounts for suspicious activity and contact their financial institutions about closing any compromised accounts. In appropriate cases, the entity also could refer consumers to the FTC's identity theft website. The FTC recognizes, however, that with some PHR identifiable health information, the risk from a breach is personal embarrassment, so any steps to protect the individual will be personal to that individual.
The FTC Proposed Rule sunsets when Congress enacts legislation affecting entities subject to the FTC rule.
Notice: The purpose of this newsletter is to review the latest developments which are of interest to clients of Blank Rome LLP. The information contained herein is abridged from legislation, court decisions, and administrative rulings and should not be construed as legal advice or opinion, and is not a substitute for the advice of counsel.