New Federal notification requirement for breaches of protected health information

One of the more widely anticipated provisions of the HITECH Act is a new provision requiring many health information exchange participants (specifically, covered entities and business associates under HIPAA) to provide notification to individuals in the event of unauthorized disclosure of “unsecured” protected health information. Although it only applies to health data, this would seem to be the first nationwide regulation for breach notifications, so that alone is noteworthy.

The breach notification law comes into play for any “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The key element here is the breach of “unsecured protected health information” — for practical purposes, this means the notification rule only applies if the data is not encrypted. The law doesn’t use the term “encryption.” Instead, it says more generically that “unsecured” information is information not secured through the use of a technology or method for rendering it “unusable, unreadable, or indecipherable.” The law gives the HHS Secretary 60 days to come up with guidance specifying technologies or methodologies that should be used to provide this protection for data.

Notification must take place “without unreasonable delay” and in any case within 60 days, by written notification or public posting where contact information is unavailable, or telephone where urgency exists. The 60-day timeline seems in stark contrast to existing computer intrusion notification rules for federal agencies, which require notice to the US Computer Emergency Response Team (US-CERT) within one hour of the discovery of the intrusion. Notice must also be provided to major media outlets and to the HHS Secretary for breaches involving 500 or more individuals; these breaches are to be posted on the HHS website. The law gives the HHS Secretary 180 days to publish final regulations on data breach notifications.

Breach notification requirements are also specified for vendors of personal health records, even though these remain non-covered entities under HIPAA. When a breach occurs, notice must be provided to individuals (only US citizens and permanent residents) affected, and to the Federal Trade Commission (the FTC then notifies the Secretary). Violation of this rule is considered an unfair and deceptive act or practice, and as such would be subject to action by the FTC.

What is interesting from a security practices standpoint is that this data breach notification requirement — by exempting secured data from the regulations — all but requires the use of encryption at rest for health records. A great deal of attention has been given to encryption in transit (secure communication channels, digital signatures, and the like) for health information exchange services, but health IT standards efforts have stopped short of imposing controls that would have to be implemented within the boundaries of a participating organization. It will be interesting to see if the health IT standards bodies re-authorized in the HITECH Act will expand their scope into the technical environments of the entities participating in health information exchange.