New HIPAA Security Breach Notification Rules Require Immediate Action

Author/s: Pia D. Flanagan

The Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), enacted as part of the American Recovery and Reinvestment Act of 2009, made significant changes to the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  HIPAA's privacy rule (the "Privacy Rule") imposes standards for the use and disclosure of protected health information ("PHI"), while HIPAA's security rule (the "Security Rule") imposes standards for the protection of electronic PHI.  One significant change to the Privacy Rule and the Security Rule is the requirement that entities covered by HIPAA, including health plans and health care providers ("covered entities"), notify individuals when their "unsecured" PHI has been breached.[1]  On August 24, 2009, the Department of Health and Human Services ("HHS") issued interim final rules providing guidance on the new security breach notification requirements.

Even before the HITECH Act became law, companies already had to comply with various state laws requiring notification in the event of a breach of personal information (e.g., stolen laptops containing Social Security numbers or other sensitive information).  Now, the same type of breach notification requirement applies to covered entities and PHI, as discussed further below.  Pursuant to the HITECH Act, business associates of covered entities (e.g., third party administrators, consultants, pharmacy benefit managers) are now directly covered under HIPAA and will also be subject to certain breach notification requirements.  Among other things, covered entities will need to modify existing agreements with business associates to include the new security breach notification requirements, and incorporate such language in any new business associate agreements.

The new rules are effective for breaches occurring on and after September 23, 2009.  HHS recognizes that it will take covered entities time to comply and, as a result, has stated that it will use its enforcement discretion and not impose sanctions for failure to provide the required notifications for breaches discovered through February 22, 2010.  Nonetheless, covered entities are still expected to comply with the new rules during this period and HHS has stated that it will work with covered entities through technical assistance and voluntary corrections to achieve compliance.

Only "Unsecured PHI" Is Subject to the New Notification Requirements

The breach notification requirements only apply to breaches of "unsecured" PHI.  PHI is individually identifiable health information that is transmitted or maintained in any form or medium, including paper, electronic or oral form.  Unsecured PHI is defined as PHI that is not secured by technology or methodology that renders the PHI unreadable, unusable or indecipherable to unauthorized individuals.  The HITECH Act provides only two methods for securing PHI:  encryption and destruction.  To be secure, PHI must either be encrypted under specific standards adopted by the National Institute of Standards and Technology or must be destroyed so that it cannot be read or reconstructed. 

Electronic PHI must be secured through encryption.  The guidance provides that where PHI is encrypted, the encryption key must be kept on a device separate from the data being encrypted or decrypted; if the key is compromised together with the data, the data is not considered secured.  PHI that is maintained in the form of paper, film or other hard copy media must be destroyed or shredded.  Although other means of safeguarding PHI, such as access controls, firewalls or redaction, are acceptable under the Security Rule, they do not render PHI "secured" for breach notification purposes, so an unauthorized disclosure of data protected only by these means may be a breach of unsecured PHI.

Determining Whether a Breach Has Occurred

The notice obligation is triggered only if there has been a "breach" of unsecured PHI.  A breach exists if there is an acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule, and such action compromises the security or privacy of the PHI.  If there is no violation of the Privacy Rule, there is no breach.  For instance, if there is an inadvertent disclosure of PHI by a person who is not authorized to access PHI, the disclosure will not be a breach if the PHI is not further used or disclosed in a manner that violates the Privacy Rule.  Breaches of de-identified information (as defined in the Privacy Rule) would not trigger a notice obligation because de-identified information is not considered PHI.  However, HHS notes that uses and disclosures that impermissibly involve more than the minimum necessary information may qualify as breaches.

Once it is established that the acquisition, access, use or disclosure of PHI violates the Privacy Rule, the covered entity or business associate must determine whether the violation compromises the security or privacy of the PHI.  The security and privacy of PHI is compromised, and the notification requirement is triggered, only if the acquisition, access, use or disclosure of the PHI poses a significant risk of financial, reputational, or other harm to an individual.  To make this determination, HHS provides that covered entities and business associates must conduct a risk assessment, taking into consideration, among other things, the following factors:

·  Who impermissibly used the PHI or to whom the PHI was impermissibly disclosed;

·  The type and amount of PHI involved;

·  Whether and what immediate steps were taken to mitigate an impermissible use or disclosure; and

·  Whether the PHI was returned prior to being used for an improper purpose.

Covered entities and business associates must document their risk assessments in order to demonstrate, if necessary, that no breach notification was required. 

Breach Exceptions

The HITECH Act includes three exceptions to the definition of "breach", covering situations in which a violation of the Privacy Rule has occurred but is not to be considered a breach.  These exceptions are:

(i)   An unintentional acquisition, access or use of PHI by a workforce member[2] or individual acting under the authority of a covered entity or business associate, provided the PHI is not further used or disclosed in a manner that violates the Privacy Rule.  Such individual must have acted in good faith and within the course and scope of his or her employment or other professional relationship.  HHS gives an example of a nurse mistakenly sending an e-mail with PHI to a hospital's billing employee.  After opening the e-mail, the billing employee notifies the nurse and deletes the e-mail.  No reportable breach has occurred in this situation.

(ii)   An inadvertent disclosure of PHI from one covered entity or business associate employee to another similarly situated covered entity or business associate employee, provided the PHI is not further used or disclosed in any manner that violates the Privacy Rule.  For example, a doctor and billing employee may be similarly situated in that they are both authorized to view PHI, but a doctor and a receptionist may not be.

(iii)  Unauthorized disclosures where the covered entity or business associate has a good faith belief that the unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information.  HHS gives an example where a covered entity sends out explanations of benefits ("EOBs") to the wrong individual.  If the EOBs are returned by the post office, unopened, as undeliverable, the covered entity can conclude that the recipient did not retain the information (for EOBs that are not returned, HHS says this should be treated as a potential breach).

The covered entity has the burden of demonstrating an exception applies and must document why the impermissible use or disclosure falls under one of the exceptions.

Notification Requirements in the Event of a Breach

Notification to Individuals.  If unsecured PHI has been breached, the covered entity must notify the affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.  The breach will be considered discovered on the first day it is known (or reasonably should have been known) to any member of the covered entity's workforce or an agent of the covered entity[3] (other than the person who committed the breach).  HHS notes that the 60-day time period is an outer limit for providing notice, and in certain circumstances, it may be an unreasonable delay to wait until the 60th day to provide notification. 

The notices must be sent to the individual's last known address by first-class mail, or by e-mail if the individual has agreed to receive electronic notices and has not withdrawn such agreement.  If insufficient or out-of-date contact information prevents individual notice, the covered entity must provide a substitute form of notice.  Substitute notice may be provided by an alternative form of written notice, or by phone or other means if there are fewer than 10 affected individuals.  If there are 10 or more affected individuals, the covered entity must either post a conspicuous notice on the homepage of its website for a period of 90 days, or publish a conspicuous notice in major print or broadcast media in the geographic areas where individuals affected by the breach are likely to reside. 

The notice must be written in "plain language" and include (i) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (ii) a description of the types of unsecured PHI that were involved in the breach; (iii) any steps individuals should take to protect themselves from potential harm resulting from the breach; (iv) a brief description of the steps the covered entity is taking to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and (v) contact procedures for individuals to ask questions, including a toll-free telephone number, e-mail address, website or postal address.

Notification to the Media.  If the breach involves more than 500 individuals in a single state or jurisdiction, the HITECH Act requires a covered entity to notify "prominent media outlets" in the relevant state or jurisdiction, which notice may be in the form of a press release.  The notice must include the same content as the individual notice, and be provided within the same 60-day timeframe.  HHS states that what constitutes a "prominent media outlet" will differ depending on the state or jurisdiction involved.

Notification to HHS.  A covered entity is required to report all breaches of unsecured PHI to HHS.  If the breach involves 500 or more individuals, the covered entity is required to report the breach to HHS at the same time affected individuals are notified.  The manner and content of this notice are expected to be specified on the HHS website.  As required by the HITECH Act, HHS will post on its website a list of covered entities with a breach affecting 500 or more individuals. 

If the breach involves fewer than 500 individuals, the covered entity must maintain a log of such breaches and submit the log to HHS annually, within 60 days after the end of the calendar year in which the breaches were discovered.

Notification by a Business Associate.  If a business associate is responsible for a breach of unsecured PHI, the business associate must notify the covered entity and provide the information necessary to permit the covered entity to provide the required notice.  Notice must be provided without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.  A breach is treated as discovered by a business associate as of the first day on which such breach is known (or reasonably should have been known) to the business associate or to any person (other than the person committing the breach) who is an employee, officer, or other agent of the business associate.  HHS notes that if a business associate is an agent of the covered entity, the covered entity will be treated as having discovered the breach when the business associate discovers the breach.  Otherwise, the business associate must report the breach to the covered entity within 60 days after discovery, at which time the breach will be considered known to the covered entity.

Covered entities will need to negotiate with their business associates regarding the time frame and manner in which a business associate will notify the covered entity of the breach, and incorporate such information into their business associate agreements.

State Law Preemption

HHS acknowledges that many states have adopted breach notification laws that may be contrary to the HITECH Act notification requirements.  The new guidance indicates that state breach notification laws will not be preempted unless they are "contrary to" the HITECH Act requirement.  In other words, the state notification requirements will not be preempted unless a covered entity finds it impossible to comply with both the state and federal breach notification requirements, or if the state breach notification law stands as an obstacle to the accomplishment and execution of the full purpose and objectives of the breach notification provisions in the HITECH Act.  Thus, it is important that covered entities become familiar with the relevant state breach notification laws in order to determine whether preemption applies.

Action Items

Although there is a 6-month delay on sanctions under the interim final rules, the breach notification rules are still effective for breaches of unsecured PHI that occur on or after September 23, 2009.  Covered entities that maintain or have access to PHI must act immediately to ensure compliance, and should: 

·  Amend business associate agreements to address the new breach notification requirements and include such requirements in any new business associate agreements

·  Identify unsecured PHI in their possession and determine what PHI can be secured in accordance with HHS guidance to avoid the possibility of having to provide breach notifications

·  Train workforce members regarding the new breach notice requirements

·  Update HIPAA policies and procedures to include procedures for complying with the new notice requirements

·  Establish risk assessment procedures