HITECH Act: Security Breach Notifications

By: W. Holmes Lilley III, Esq.

No health care provider wants to face the possibility of dealing with an incident that involves a breach of their patients' protected health information (PHI). With ever-increasing numbers of patients and the ever-increasing costs associated with the storage and maintenance of patient records, it's no surprise that we are beginning to see the number of PHI security breaches increase. All health care providers should be aware of the circumstances that might obligate them to notify patients should a patient's PHI be breached.

The health care provider should first determine whether the information that was subject to a security breach was indeed PHI. Next, the health care provider should determine whether the PHI was unsecured: was the PHI electronic, was it encrypted, or were the records destroyed in a manner that would render the information irrecoverable? The health care provider should also evaluate whether or not the disclosure violates the HIPAA Privacy Rule. Not all disclosures of PHI will violate this rule, because the rule has many built-in exceptions that specifically state allowable disclosures. The health care provider should also make an honest assessment of whether or not the information disclosed poses a risk of harm to the patient's finances or reputation.

If the health care provider determines that there has been a breach, they will need to notify each affected individual. Additionally, the HITECH Act provides that if the breach involves 500 or more patients, the incident must be reported to Health and Human Services. Further, if the 500 or more individuals are from the same state or jurisdiction, the health care provider is required to notify a "prominent media outlet serving the state or jurisdiction".

The notice that is given to the patient after a PHI security breach must be given within 60 days of the discovery of the incident. This can create a real danger for larger health care providers, because an employee may discover a PHI security breach and not notify management until much later, leaving management a shorter time to respond to the breach.

Once the health care provider determines that there has been a breach of PHI and notice is due, they must ensure that the notice gives the necessary information. Regulations state that the notice must include a description of what happened, including the date of the breach and the date the breach was discovered. The notice should also state the types of PHI involved, as well as steps that patients can take to reduce the risk of harm from the breach. The health care provider will also want to describe their internal investigation, the efforts they are making to mitigate harm to patients, and the policies enacted to prevent the breach from recurring. Finally, the patient should be directed to an employee of the provider who can provide additional information if necessary.

Obviously, each breach is different and involves a different set of facts and circumstances, so to ensure that you are limiting your liability to the maximum extent possible, contact an attorney with experience in regulatory and health law.

About the author: Mr. Lilley is an associate with Karen McKeithen Schaede, PLLC and concentrates his practice in the areas of health care regulatory law, corporate health law, and civil litigation. He can be reached at (336) 333-7907.