HHS Releases Breach Notification Final Rule
The Department of Health and Human Services (HHS) has released a final rule on breach notification requirements for covered entities (CEs) and business associates (BAs). Published in the Federal Register, the rule spells out the required procedure for responding to a breach, including when notification is required, whom to notify and how that notice must be delivered. The rule also restates and clarifies the guidance on which encryption and destruction methods render protected health information unreadable to unauthorized parties.
The announcement came two days after the Federal Trade Commission (FTC) released its own breach notification final rule, which covers vendors of personal health records and related entities that are not covered by HIPAA. HHS consulted with the FTC on the requirements and solicited public input through a request for information released earlier this year.
In the event of a breach, the CE must notify affected individuals promptly, the rule states. If the breach involves more than 500 people, the CE must also alert the Secretary of HHS and the media. Breaches involving fewer than 500 people must be logged and reported to HHS on an annual basis.
HHS will maintain a list of CEs that experience breaches affecting more than 500 people, which will be posted on the agency's Web site.
BAs that identify a breach are required to notify the CE.
According to the rule, CEs need not report a breach if the information involved was properly encrypted or destroyed, in other words, if the data was "rendered unusable, unreadable or indecipherable to unauthorized individuals." The reasoning is that whoever gained access to the information would be unable to read or use it, for malicious activity or otherwise, so affected individuals are not put at risk. Any data that had not been properly encrypted or destroyed, however, remains subject to the notification rules. Note that the safe harbor is specifically about encryption and destruction, not access control in general: a firewall, for example, is not an accepted method of encryption, so a CE relying solely on a firewall to protect unencrypted data would still be required to notify individuals about a breach.
For the encryption to count, HHS advised, the decryption key should be kept on a separate system or device from the encrypted data; a lost or stolen laptop that carries both the ciphertext and the key that unlocks it offers no real protection, and a breach involving it would still have to be reported.
From a patient's perspective, this stipulation concerned me. If an unauthorized individual gains access to hospital or physician files, I want to know about it. Whether the information accessed is encrypted or not (heck, even if the hacker just perused a doctor's iTunes library), the intrusion still crosses that divide and may even build a bridge for more breaches to follow. One would hope privacy and security officers would tighten controls as soon as the fishy business hits their radar, but will they be so quick to jump when there are other HIPAA risks to monitor?
The rule also cuts CEs some slack regarding "unintentional" breaches. If an employee of a CE or BA, or another authorized individual, inadvertently accesses protected health information in good faith and within the scope of his or her authority, and the information is not further used or disclosed, the event is not considered a "breach" and therefore notification is not required. Accidents happen (we're all human, after all), but could this "unintentional disclosure" exemption be abused by employees? How easy is it to "accidentally" view private information, and could an employee pass off conniving activity with an "Oops"?
The rule goes into effect 30 days after the announcement. HHS is allowing 60 days for public comment, but let's get your feedback now. What do you think about the notification requirements? Are they too strict? Not tough enough? Do you see any loopholes?