"Federal Security Breach Notification Requirements Become Effective in Late September"

Fulbright Briefing
Susan Linda Ross
September 15, 2009

On September 23 and 24, 2009, new federal regulations will go into effect for many organizations that hold third-party individually identifiable health information if the security of that information is breached.[1] The regulations require that a covered organization experiencing a security breach notify the affected individuals about what happened, what types of their health information were involved in the breach, what steps they should take to protect themselves from potential harm, what steps the organization is taking to mitigate the harm and protect against further breaches, and procedures to contact that organization. Both regulations have the same compliance date: February 22, 2010.

Both regulations implement the American Recovery and Reinvestment Act of 2009 (“ARRA”), which required each of the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) to promulgate security breach notification rules relating to individually identifiable health information. Unfortunately, ARRA set forth different definitions of “breach” for the agencies, and included different requirements for the agencies, so the agencies could not issue identical rules. The rules are identical with respect to some provisions, similar in others, and completely different in a few others. Those differences can matter because some organizations will be covered by both regulations.

Security breach notification requirements have been in effect since California’s 2003 law, which was intended to give individuals notice of the breach so that they could take action to prevent identity theft.
Most of those laws, however, specifically limited their coverage to individually identifiable data that related more to financial data (such as name plus Social Security number or credit card number plus PIN) than to health-related data.[2] Some states even excluded from the security breach notification requirements organizations that were complying with HIPAA’s requirements.[3] More recently, however, states have begun including medical information in the list of information covered by the breach notification laws.[4]

If the connection between identity theft and medical information is not clear, note that the Identity Theft Resource Center’s survey of security breaches in 2008 found that two-thirds of identity theft victims that worked with ITRC stated that “a medical provider billed me for services I never received” and one-third of those victims “found out there is another person’s information on my medical records.”[5] In other words, some identity thieves were using the stolen information to receive health care services.

Both the FTC and HHS intend for their regulations’ notices to be combined with the state-required notices, so that a consumer would receive only a single notice.[6] The agencies’ requirements for the content of the notices are practically identical, but the regulations have many differing requirements on a wide range of topics. For example, HHS’ requirements extend to breaches of health information in all formats, including paper, whereas the FTC’s requirements extend only to health information in electronic form.[7]

As a service to Fulbright’s clients and friends, below is a process outline designed to help guide organizations covered by either or both of the new regulations through the regulatory maze in the event of a security breach of individually identifiable health information.
Although the answers to these questions will sometimes provide a clear path to the next steps that an organization must take, the more likely result is that the answers will lead to additional, more nuanced questions. For example, an organization that is a vendor of PHRs may ask if it is beyond the FTC’s jurisdiction. The FTC has taken a very broad view of its authority under ARRA, and has specifically stated that non-profits and foreign entities with U.S. customers must provide breach notifications.[8] Because of differences in ARRA, the HHS definition of “breach” contains several exceptions not present in the FTC regulations,[9] so what constitutes a “breach” under one rule may not be a “breach” under the other.[10]

Other questions that could arise include: Is the organization that had the breach the one that consumers typically deal with? Was the organization acting in the same capacity with respect to all affected consumers? What are the terms of the business associate/service provider agreements that relate to the breach?

Conclusion

Anyone who has possession of or uses individually identifiable health information should review the new regulations.

This article was prepared by Sue Ross (sross@fulbright.com or 212 318 3280) from Fulbright's Intellectual Property and Technology Practice Group.

----
74 Fed. Reg. 42,964 (footnote omitted).