Newly Enacted HIPAA Security Breach Notification Requirements Raise New Risks For Employers

Employers have good reason to re-evaluate their HIPAA compliance efforts. Recent enforcement actions by the U.S. Department of Health and Human Services (HHS) that resulted in large settlement payments signal more pronounced efforts to enforce HIPAA’s compliance requirements. These enforcement actions were driven by publicly disclosed security breaches that brought compliance lapses to HHS’ attention.

Recent amendments to the HIPAA Privacy Rule, enacted as part of the massive federal economic stimulus legislation, will fuel this “breach-driven enforcement.” Under existing law, the HIPAA Privacy Rule contains no security breach notification requirement. Effective February 17, 2010, however, employers will be required to take the following steps when they learn that the “unsecured” protected health information (PHI) of participants in HIPAA-covered plans has been subjected to unauthorized access, use or disclosure:

• Notify major media outlets and HHS if a breach involves 500 or more plan participants
• Notify affected individuals within 60 days of becoming aware of the breach
• Provide in the notice to individuals, at a minimum, five specific categories of information
• Deliver the notice by first-class mail to each affected individual’s last known address

This notice obligation applies regardless of whether the employer or a third-party service provider, such as a benefits administrator, pharmacy benefits manager, or insurance broker is responsible for the breach.

As a result of the new law, employers should amend their business associates agreements to include the following terms:

• The business associate’s representation that it is in compliance with the HIPAA Security Rule’s principal requirements (required under the new law);
• A requirement that the business associate promptly notify the employer of any breach;
• A requirement that the business associate’s notice include detailed information about the breach, such as contact information for all affected individuals, a description of the breach, and the steps that have been taken to mitigate the harm and prevent a recurrence;
• A requirement that the business associate indemnify the employer for all expenses incurred by the employer when responding to any security breach caused by the business associate’s actions or inaction;
• A requirement limiting the business associate’s use and disclosure of, and requests for PHI, to a “limited data set,” unless a greater amount of PHI is the minimum necessary to accomplish the purposes of the use, disclosure or request (required under the new law). 

For a more detailed discussion of these developments, please see “Recent Enforcement Actions and Significant Amendments to the HIPAA Privacy Rule Compel Employers to Revisit Their HIPAA Compliance Efforts” by Philip L Gordon.


Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.