Federal Register: August 24, 2009 (Volume 74, Number 162)

DOCID: fr24au09-10 FR Doc E9-20169

DEPARTMENT OF HEALTH AND HUMAN SERVICES

CFR Citation: 45 CFR Parts 160 and 164

RIN ID: RIN 0991-AB56

NOTICE: Part II

DOCUMENT ACTION: Interim final rule with request for comments.

SUBJECT CATEGORY:

Breach Notification for Unsecured Protected Health Information

DATES: Effective Date: This interim final rule is effective September 23, 2009.

Comment Date: Comments on the provisions of this interim final rule are due on or before October 23, 2009. Comments on the information collection requirements associated with this rule are due on or before September 8, 2009.

DOCUMENT SUMMARY:

The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to require notification of breaches of unsecured protected health information. Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, requires HHS to issue interim final regulations within 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information. For purposes of determining what information is ``unsecured protected health information,'' in this document HHS is also issuing an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

SUPPLEMENTAL INFORMATION

I. Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5), was enacted on February 17, 2009. Subtitle D of Division A of the HITECH Act (the Act), entitled ``Privacy,'' among other provisions, requires the Department of Health and Human Services (HHS or the Department) to issue interim final regulations for breach notification by covered entities subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104-191) and their business associates.

These breach notification provisions are found in section 13402 of the Act and apply to HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. The Act incorporates the definitions of ``covered entity,'' ``business associate,'' and ``protected health information'' used in the HIPAA Administrative Simplification regulations (45 CFR parts 160, 162, and 164) (HIPAA Rules) at Sec. 160.103. Under the HIPAA Rules, a covered entity is a health plan, health care clearinghouse, or health care provider that transmits any health information electronically in connection with a covered transaction, such as submitting health care claims to a health plan. Business associate, as defined in the HIPAA Rules, means a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of individually identifiable health information. Examples of business associates include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information. The HIPAA Rules define ``protected health information'' as the individually identifiable health information held or transmitted in any form or medium by these HIPAA covered entities and business associates, subject to certain limited exceptions.

The Act requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information. In addition, in some cases, the Act requires covered entities to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.

[[Page 42741]]

Section 13400(1) of the Act defines ``breach'' to mean, generally, the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. The Act provides exceptions to this definition to encompass disclosures where the recipient of the information would not reasonably have been able to retain the information, certain unintentional acquisition, access, or use of information by employees or persons acting under the authority of a covered entity or business associate, as well as certain inadvertent disclosures among persons similarly authorized to access protected health information at a business associate or covered entity.

Further, section 13402(h) of the Act defines ``unsecured protected health information'' as ``protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance'' and provides that the guidance specify the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information; that is, the information is not considered ``unsecured'' in such cases. As required by the Act, the Secretary initially issued this guidance on April 17, 2009 (it was subsequently published in the Federal Register at 74 FR 19006 on April 27, 2009). The guidance listed and described encryption and destruction as the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

In cases in which notification is required, the Act at section 13402 prescribes the timeliness, content, and methods of providing the breach notifications. We discuss these and the above statutory provisions in more detail below where we describe section-by-section how these new regulations implement the breach notification provisions at section 13402 of the Act.

In addition to the breach notification provisions for HIPAA covered entities and business associates at section 13402, section 13407 of the Act, which is to be implemented and enforced by the Federal Trade Commission (FTC), imposes similar breach notification requirements upon vendors of personal health records (PHRs) and their third party service providers following the discovery of a breach of security of unsecured PHR identifiable health information.\1\ As with the definition of ``unsecured protected health information,'' the provisions at section 13407(f)(3) define ``unsecured PHR identifiable health information'' as PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary of HHS in guidance. Thus, entities subject to the FTC breach notification rules must also use the Secretary's guidance to determine whether the information subject to a breach was ``unsecured'' and, therefore, whether breach notification is required.
\1\ The FTC issued a notice of proposed rulemaking to implement section 13407 of the Act on April 20, 2009 (74 FR 17914).

When HHS issued the guidance, HHS also published in the same document a request for information (RFI), inviting public comment both on the guidance itself, as well as on the breach provisions of section 13402 of the Act generally. After considering the public comment, we are issuing an updated version of the guidance in Section II below. In addition, we discuss public comment received on the Act's breach notification provisions where relevant below in the section-by-section description of the interim final rule.

We have concluded that we have good cause, under 5 U.S.C. 553(b)(B), to waive the notice-and-comment requirements of the Administrative Procedure Act and to proceed with this interim final rule. Section 13402(j) explicitly required us to issue these regulations as ``interim final regulations'' and to do so within 180 days. Based on this statutory directive and limited time frame, we concluded that notice-and-comment rulemaking was impracticable and contrary to public policy. Nevertheless, we sought comments in the RFI referenced above and considered those comments when drafting this rule. In addition, we provide the public with a 60-day period following publication of this document to submit comments on the interim final rule.

II. Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

A. Background

As discussed above, section 13402 of the Act requires breach notification following the discovery of a breach of unsecured protected health information. Section 13402(h) of the Act defines ``unsecured protected health information'' as ``protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance'' and requires the Secretary to specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. As required by the Act, this guidance was issued on April 17, 2009, and later published in the Federal Register on April 27, 2009 (74 FR 19006). The guidance specified encryption and destruction as the technologies and methodologies for rendering protected health information, as well as PHR identifiable health information under section 13407 of the Act and the FTC's implementing regulation, unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. The RFI asked for general comment on this guidance as well as for specific comment on the technologies and methodologies to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

Many commenters expressed concern and confusion regarding the purpose of the guidance and its impact on a covered entity's responsibilities under the HIPAA Security Rule (45 CFR part 164, subparts A and C). We emphasize that this guidance does nothing to modify a covered entity's responsibilities with respect to the Security Rule nor does it impose any new requirements upon covered entities to encrypt all protected health information. The Security Rule requires covered entities to safeguard electronic protected health information and permits covered entities to use any security measures that allow them to reasonably and appropriately implement all safeguard requirements. Under 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii), a covered entity must consider implementing encryption as a method for safeguarding electronic protected health information; however, because these are addressable implementation specifications, a covered entity may be in compliance with the Security Rule even if it reasonably decides not to encrypt electronic protected health information and instead uses a comparable method to safeguard the information.

Therefore, if a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that
[[Page 42742]]
encrypted information, the covered entity will not be required to provide breach notification because the information is not considered ``unsecured protected health information'' as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals. On the other hand, if a covered entity has decided to use a method other than encryption or an encryption algorithm that is not specified in this guidance to safeguard protected health information, then although that covered entity may be in compliance with the Security Rule, following a breach of this information, the covered entity would have to provide breach notification to affected individuals. For example, a covered entity that has a large database of protected health information may choose, based on their risk assessment under the Security Rule, to rely on firewalls and other access controls to make the information inaccessible, as opposed to encrypting the information. While the Security Rule permits the use of firewalls and access controls as reasonable and appropriate safeguards, a covered entity that seeks to ensure breach notification is not required in the event of a breach of the information in the database would need to encrypt the information pursuant to the guidance.

We also received several comments asking for clarification and additional detail regarding the forms of information and the specific devices and protocols described in the guidance. As a result, we provide clarification regarding the forms of information addressed in the National Institute of Standards and Technology (NIST) publications referenced in the guidance. We clarify that ``data in motion'' includes data that is moving through a network, including wireless transmission, whether by email or structured electronic interchange, while ``data at rest'' includes data that resides in databases, file systems, flash drives, memory, and any other structured storage method. ``Data in use'' includes data in the process of being created, retrieved, updated, or deleted, and ``data disposed'' includes discarded paper records or recycled electronic media.

Additionally, many commenters suggested that access controls be included in the guidance as a method for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. We recognize that access controls, as well as other security methods such as firewalls, are important tools for safeguarding protected health information. While we believe access controls may render information inaccessible to unauthorized individuals, we do not believe that access controls meet the statutory standard of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. If access controls are compromised, the underlying information may still be usable, readable, or decipherable to an unauthorized individual, and thus, constitute unsecured protected health information for which breach notification is required. Therefore, we have not included access controls in the guidance; however, we do emphasize the benefit of strong access controls, which may function to prevent breaches of unsecured protected health information from occurring in the first place.

Other commenters suggested that the guidance include redaction of paper records as an alternative to destruction. Because redaction is not a standardized methodology with proven capabilities to destroy or render the underlying information unusable, unreadable or indecipherable, we do not believe that redaction is an accepted alternative method to secure paper-based protected health information. Therefore, we have clarified in this guidance that only destruction of paper protected health information, and not redaction, will satisfy the requirements to relieve a covered entity or business associate from breach notification. We note, however, that covered entities and business associates may continue to create limited data sets or de-identify protected health information through redaction if the removal of identifiers results in the information satisfying the criteria of 45 CFR 164.514(e)(2) or 164.514(b), respectively. Further, a loss or theft of information that has been redacted appropriately may not require notification under these rules either because the information is not protected health information (as in the case of de-identified information) or because the unredacted information does not compromise the security or privacy of the information and thus, does not constitute a breach as described in Section IV below.

In response to comments received, we also make two additional clarifications in the guidance. First, for purposes of the guidance below and ensuring encryption keys are not breached, we clarify that covered entities and business associates should keep encryption keys on a separate device from the data that they encrypt or decrypt. Second, we also include in the guidance below a note regarding roadmap guidance activities on the part of the NIST pertaining to data storage on enterprise-level storage devices, such as RAID (redundant array of inexpensive disks), or SAN (storage-attached network) systems.

For ease of reference, we have published this updated guidance in this document below; however, it will also be available on the HHS Web site at http://www.hhs.gov/ocr/privacy/. Any further comments regarding this guidance received in response to the interim final rule will be addressed in the first annual update to the guidance, to be issued in April 2010.

B. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:
(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ``the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key'' \2\ and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
\2\ 45 CFR 164.304, definition of ``encryption.''
(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.\3\ \4\
\3\ NIST Roadmap plans include the development of security guidelines for enterprise-level storage devices, and such guidelines will be considered in updates to this guidance, when available.
\4\ Available at http://www.csrc.nist.gov/.
(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.\5\
\5\ Available at http://www.csrc.nist.gov/.

[[Page 42743]]

(b) The media on which the PHI is stored or recorded have been destroyed in one of the following ways:
(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization,\6\ such that the PHI cannot be retrieved.
\6\ Available at http://www.csrc.nist.gov/.

III. Overview of Interim Final Rule

We are adding a new subpart D to part 164 of title 45 of the Code of Federal Regulations (CFR) to implement the breach notification provisions in section 13402 of the Act. These provisions apply to HIPAA covered entities and their business associates and set forth the requirements for notification to affected individuals, the media, and the Secretary of HHS following a breach of unsecured protected health information. In drafting this interim final regulation, we considered the public comments received in response to the RFI described above.

In addition, we consulted closely with the FTC in the development of these regulations. Commenters in response to both the RFI as well as the FTC's notice of proposed rulemaking urged HHS and the FTC to work together to ensure that the regulated entities know with which rule they must comply and that those entities that are subject to both rules because they may operate in different roles are not subject to two completely different and inconsistent regulatory schemes. In addition, commenters were concerned that individuals could receive multiple notices of the same breach if the HHS and the FTC regulations overlapped. Thus, HHS coordinated with the FTC to ensure these issues were addressed in the respective rulemakings. First, the rules make clear that entities operating as HIPAA covered entities and business associates are subject to HHS', and not the FTC's, breach notification rule. Second, in those limited cases where an entity may be subject to both HHS' and the FTC's rules, such as a vendor that offers PHRs to customers of a HIPAA covered entity as a business associate and also offers PHRs directly to the public, we worked with the FTC to ensure both sets of regulations were harmonized by including the same or similar requirements, within the constraints of the statutory language. See Section IV.F. below for a more detailed discussion and an example of our harmonization efforts.

IV. Section-by-Section Description of Interim Final Rule

The following discussion describes the provisions of the interim final rule section by section. Those interested in commenting on the interim final rule can assist the Department by preceding discussion of any particular provision or topic with a citation to the section of the interim final rule being discussed.

A. Applicability - Section 164.400

Section 164.400 of the interim final rule provides that this breach notification rule is applicable to breaches occurring on or after 30 days from the date of publication of this interim final rule. See Section IV.K. Effective/Compliance Date of this rule for further discussion.

B. Definitions - Section 164.402

Section 164.402 of the interim final rule adopts definitions for the terms ``breach'' and ``unsecured protected health information.''

1. Breach

Section 13402 of the Act and this interim final rule require covered entities and business associates to provide notification following a breach of unsecured protected health information. Section 13400(1)(A) of the Act defines ``breach'' as the ``unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.'' Section 13400(1)(B) of the Act provides several exceptions to the definition of ``breach.'' Based on section 13400(1)(A), we have defined ``breach'' at Sec. 164.402 of the interim final rule as ``the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.'' We have added paragraph (1) to the definition to clarify when the security or privacy of information is considered to be compromised. Paragraph (2) of the definition then includes the statutory exceptions, including the exception within section 13400(1)(A) that refers to whether the recipient would reasonably have been able to retain the information.

Protected Health Information

We note that the definition of ``breach'' is limited to protected health information. With respect to a covered entity or business associate of a covered entity, protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, including electronic information. 45 CFR 160.103. If information is de-identified in accordance with 45 CFR 164.514(b), it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart. Additionally, Sec. 160.103 excludes certain types of individually identifiable health information from the definition of ``protected health information,'' such as employment records held by a covered entity in its role as employer. If individually identifiable health information that is not protected health information is used or disclosed in an unauthorized manner, it would not qualify as a breach for purposes of this subpart, although the covered entity should consider whether it has notification requirements under other laws. Further, we note that although the definition of ``breach'' applies to protected health information generally, covered entities and business associates are required to provide the breach notifications required by the Act and this interim final rule (discussed below) only upon a breach of unsecured protected health information. See also Section II of this document for a list of the technologies and methodologies that render protected health information secure such that notification is not required in the event of a breach.

Unauthorized Acquisition, Access, Use, or Disclosure

The statute defines a ``breach'' as the ``unauthorized'' acquisition, access, use, or disclosure of protected health information. Several commenters asked that we define ``unauthorized'' or that we clarify its meaning. We clarify that ``unauthorized'' is an impermissible use or disclosure of protected health information under the HIPAA Privacy Rule (subpart E of 45 CFR part 164). Accordingly, the definition of ``breach'' at Sec. 160.402 of the interim final rule interprets the ``unauthorized acquisition, access, use, or disclosure of protected health information'' as ``the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part.'' We emphasize that not all violations of the Privacy Rule will be
[[Page 42744]]
breaches under this subpart, and therefore, covered entities and business associates need not provide breach notification in all cases of impermissible uses and disclosures. We also note that the HIPAA Security Rule provides for administrative, physical, and technical safeguards and organizational requirements for electronic protected health information, but does not govern uses and disclosures of protected health information. Accordingly, a violation of the Security Rule does not itself constitute a potential breach under this subpart, although such a violation may lead to a use or disclosure of protected health information that is not permitted under the Privacy Rule and thus, may potentially be a breach under this subpart.

The Act does not define the terms ``acquisition'' and ``access.'' Several commenters asked that we define or identify the differences between acquisition, access, use, and disclosure of protected health information, for purposes of the definition of ``breach.'' We interpret ``acquisition'' and ``access'' to information based on their plain meanings and believe that both terms are encompassed within the current definitions of ``use'' and ``disclosure'' in the HIPAA Rules. Accordingly, we have not added separate definitions for these terms. We have retained the statutory terms in the regulation in order to maintain consistency with the statute. In addition, we note that while the HIPAA Security Rule at Sec. 164.304 includes a definition of the term ``access,'' such definition is limited to the ability to use ``system resources'' and not to access to information more generally and thus, we have revised that definition to make clear that it does not apply for purposes of these breach notification rules.

For an acquisition, access, use, or disclosure of protected health information to constitute a breach, it must constitute a violation of the Privacy Rule. Therefore, one of the first steps in determining whether notification is necessary under this subpart is to determine whether a use or disclosure violates the Privacy Rule. We note that uses or disclosures that impermissibly involve more than the minimum necessary information, in violation of Sec. Sec. 164.502(b) and 164.514(d), may qualify as breaches under this subpart. In contrast, a use or disclosure of protected health information that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule pursuant to 45 CFR 164.502(a)(1)(iii) and, therefore, would not qualify as a potential breach. Finally, violations of administrative requirements, such as a lack of reasonable safeguards or a lack of training, do not themselves qualify as potential breaches under this subpart (although such violations certainly may lead to impermissible uses or disclosures that qualify as breaches).

Compromises the Security or Privacy of Protected Health Information

The Act and regulation next limit the definition of ``breach'' to a use or disclosure that ``compromises the security or privacy'' of the protected health information. Accordingly, once it is established that a use or disclosure violates the Privacy Rule, the covered entity must determine whether the violation compromises the security or privacy of the protected health information.

For the purposes of the definition of ``breach,'' many commenters suggested that we add a harm threshold such that an unauthorized use or disclosure of protected health information is considered a breach only if the use or disclosure poses some harm to the individual. These commenters noted that the ``compromises the security or privacy'' language in section 13400(1)(A) of the Act contemplates that covered entities will perform some type of risk assessment to determine if there is a risk of harm to the individual, and therefore, if a breach has occurred. Commenters urged that the addition of a harm threshold to the definition would also align this regulation with many State breach notification laws that require entities to reach similar harm thresholds before providing notification. Finally, some commenters noted that failure to include a harm threshold for requiring breach notification may diminish the impact of notifications received by individuals, as individuals may be flooded with notifications for breaches that pose no threat to the security or privacy of their protected health information or, alternatively, may cause unwarranted panic in individuals, and the expenditure of undue costs and other resources by individuals in remedial action.

We agree that the statutory language encompasses a harm threshold and have clarified in paragraph (1) of the definition that ``compromises the security or privacy of the protected health information'' means ``poses a significant risk of financial, reputational, or other harm to the individual.'' This ensures better consistency and alignment with State breach notification laws, as well as existing obligations on Federal agencies (some of which also must comply with these rules as HIPAA covered entities) pursuant to OMB Memorandum M-07-16 to have in place breach notification policies for personally identifiable information that take into account the likely risk of harm caused by a breach in determining whether breach notification is required. Thus, to determine if an impermissible use or disclosure of protected health information constitutes a breach, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates may need to consider a number or combination of factors, some of which are described below.\7\
\7\ Covered entities may also wish to review OMB Memorandum M-07-16 for examples of the types of factors that may need to be taken into account in determining whether an impermissible use or disclosure presents a significant risk of harm to the individual.

Covered entities and business associates should consider who impermissibly used or to whom the information was impermissibly disclosed when evaluating the risk of harm to individuals. If, for example, protected health information is impermissibly disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency that is obligated to comply with the Privacy Act of 1974 (5 U.S.C. 552a) and the Federal Information Security Management Act of 2002 (44 U.S.C. 3541 et seq.), there may be less risk of harm to the individual, since the recipient entity is obligated to protect the privacy and security of the information it received in the same or similar manner as the entity that disclosed the information. In contrast, if protected health information is impermissibly disclosed to any entity or person that does not have similar obligations to maintain the privacy and security of the information, the risk of harm to the individual is much greater.

We expect that there may be circumstances where a covered entity takes immediate steps to mitigate an impermissible use or disclosure, such as by obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. If such steps eliminate or reduce the risk of harm to the individual to a less than ``significant risk,'' then we interpret that the security and privacy of the information has not been compromised and, therefore, no breach has occurred.

In addition, there may be circumstances where impermissibly disclosed protected health information is returned prior to it being accessed for an improper purpose. For example, if a laptop is lost or stolen and then recovered, and a forensic analysis of the computer shows that its information was not opened, altered, transferred, or otherwise compromised, such a breach may not pose a significant risk of harm to the individuals whose information was on the laptop. Note, however, that if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.

In performing a risk assessment, covered entities and business associates should also consider the type and amount of protected health information involved in the impermissible use or disclosure. If the nature of the protected health information does not pose a significant risk of financial, reputational, or other harm, then the violation is not a breach. For example, if a covered entity improperly discloses protected health information that merely included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program \8\), or if the protected health information includes information that increases the risk of identity theft (such as a social security number, account number, or mother's maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information. The risk assessment should be fact specific, and the covered entity or business associate should keep in mind that many forms of health information, not just information about sexually transmitted diseases or mental health, should be considered sensitive for purposes of the risk of reputational harm, especially in light of fears about employment discrimination.
\8\ Note that an impermissible disclosure that indicates that an individual has received services from a substance abuse treatment program may also constitute a violation of 42 U.S.C. 290dd-2 and the implementing regulations at 42 CFR part 2. These provisions require the confidentiality of substance abuse patient records.

We also address impermissible uses and disclosures involving limited data sets (as the term is used at 45 CFR 164.514(e) of the Privacy Rule), in paragraph (1) of the definition of ``breach'' at Sec. 164.402 of the interim final rule. In the RFI discussed above, we asked for public comment on whether limited data sets should be considered unusable, unreadable, or indecipherable and included as a methodology in the guidance. A limited data set is created by removing the 16 direct identifiers listed in Sec. 164.514(e)(2) from the protected health information.\9\ These direct identifiers include the name, address, social security number, and account number of an individual or the individual's relative, employer, or household member. When these 16 direct identifiers are removed from the protected health information, the information is not completely de-identified pursuant to 45 CFR 164.514(b). In particular, the elements of dates, such as dates of birth, and zip codes, are allowed to remain within the limited data set, which increases the potential for re-identification of the information. Because there is a risk of re-identification of the information within a limited data set, the Privacy Rule treats this information as protected health information that may only be used or disclosed as permitted by the Privacy Rule.
\9\ A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: (1) Names; (2) postal address information, other than town or city, State, and zip code; (3) telephone numbers; (4) fax numbers; (5) e-mail addresses; (6) social security numbers; (7) medical record numbers; (8) health plan beneficiary numbers; (9) account numbers; (10) certificate/license plate numbers; (11) vehicle identifiers and serial numbers; (12) device identifiers and serial numbers; (13) Web URLs; (14) Internet Protocol (IP) address numbers; (15) biometric identifiers, including finger and voice prints; and (16) full face photographic images and any comparable images.

Several commenters suggested that the limited data set should not be included in the guidance as a method to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. These commenters cited concerns about the risk of re-identification of protected health information in a limited data set and noted that, as more data exists in electronic form and as more data becomes public, it will be easier to combine these various sources to reestablish the identity of the individual. Furthermore, due to the risk of re-identification, these commenters stated that creating a limited data set was not comparable to encrypting information, and therefore, should not be included as a method to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

The majority of commenters, however, did support the inclusion of the limited data set in the guidance. These commenters stated that it would be impractical to require covered entities and business associates to notify individuals of a breach of information within a limited data set because, by definition, such information excludes the very identifiers that would enable covered entities and business associates, without undue burden, to identify the affected individuals and comply with the breach notification requirements. Additionally, these commenters cited contractual concerns regarding the data use agreement, which prohibits the recipient of a limited data set from re-identifying the information and therefore, may pose problems with complying with the notification requirements of section 13402(b) of the Act.

These commenters also noted that the decision to exclude the limited data set from the guidance, such that a breach of a limited data set would require breach notification, would reduce the likelihood that covered entities would continue to create and share limited data sets. This, in turn, would have a chilling effect on the research and public health communities, which rely on receiving information from covered entities in limited data set form.

Finally, commenters noted that the removal of the 16 direct identifiers in the limited data set presents a minimal risk of serious harm to the individual by limiting the possibility that the information could be used for an illicit purpose if breached. These commenters also suggested that the inclusion of the limited data set in the guidance would align with most state breach notification laws, which, as a general matter, only require notification when certain identifiers are exposed and when there is a likelihood that the breach will result in harm to the individual.

We also asked commenters if they believed that the removal of an individual's date of birth or zip code, in addition to the 16 direct identifiers in 45 CFR 164.514(e)(2), would reduce the risk of re-identification of the information such that it could be included in the guidance. Several commenters responded to this question. While some stated that the removal of these data elements would render the information useless to the research and public health communities, which may, for example, require zip codes for many population based studies, many commenters did acknowledge that the removal of these additional identifiers would reduce the risk of re-identification of the information.

After considering these comments, we decided against including the limited data set in the guidance as a method for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals due to the potential risk of re-identification of this information. However, we address breaches of limited data sets in the definition of ``breach'' as follows.

Under the definition of ``breach'' at Sec. 164.402, in order to determine whether a covered entity's or business associate's impermissible use or disclosure of protected health information constitutes a breach, the covered entity or business associate will need to perform the risk assessment discussed above. This applies to impermissible uses or disclosures of protected health information that constitute a limited data set, unless, as discussed below, the protected health information also does not include zip codes or dates of birth. In performing the risk assessment to determine the likely risk of harm caused by an impermissible use or disclosure of a limited data set, the covered entity or business associate should take into consideration the risk of re-identification of the protected health information contained in the limited data set.

Through a risk assessment, a covered entity or business associate may determine that the risk of identifying a particular individual is so small that the use or disclosure poses no significant risk of harm to any individuals. For example, it may be determined that an impermissible use or disclosure of a limited data set that includes zip codes, based on the population features of those zip codes, does not create a significant risk that a particular individual can be identified. Therefore, there would be no significant risk of harm to the individual. If there is no significant risk of harm to the individual, then no breach has occurred and no notification is required. If, however, the covered entity or business associate determines that the individual can be identified based on the information disclosed, and there is otherwise a significant risk of harm to the individual, then breach notification is required, unless one of the other exceptions discussed below applies.

We have provided a narrow, explicit exception to what compromises the privacy or security of protected health information for a use or disclosure of protected health information that excludes the 16 direct identifiers listed at 45 CFR 164.514(e)(2) as well as dates of birth and zip codes. Thus, we deem an impermissible use or disclosure of this information to not compromise the security or privacy of the protected health information, because we believe that impermissible uses or disclosures of this information, if subjected to the type of risk assessment described above, would pose a low level of risk. We emphasize that this is a narrow exception. If, for example, the information does not contain birth dates but does contain zip code information or contains both birth dates and zip code information, then this narrow exception would not apply, and the covered entity or business associate would be required to perform a risk assessment to determine if the risk of re-identification poses a significant risk of harm to the individual. We invite comments on this narrow exception. We do not believe that this narrow exception will have the unintended consequence of discouraging the use of encryption and other methods for rendering protected health information unusable, unreadable, or indecipherable; however, we invite comments on this issue as well. Finally, we note that this narrow exception should not be construed as encouraging or permitting the use or disclosure of more than the minimum necessary information, in violation of Secs. 164.502(b) and 164.514(d).

We do not intend to interfere with research or public health activities that rely on dates of birth or zip codes. Uses and disclosures of limited data sets that include this information continue to be permissible under the Privacy Rule if the applicable requirements, such as a data use agreement, are satisfied. Further, we note that a covered entity or business associate is not responsible for a breach by a third party to whom it permissibly disclosed protected health information, including limited data sets, unless the third party received the information in its role as an agent of the covered entity or business associate. To the extent that a third party recipient of the information is itself a covered entity, and the information is breached while at the third party (i.e., used or disclosed in an impermissible manner and in a manner determined to compromise the privacy or security of the information), then the third party will be responsible for complying with the provisions of this interim final rule. In cases where a covered entity is the recipient of a limited data set pursuant to Sec. 164.514(e) of the Privacy Rule and it is unable to re-identify the individuals after a breach occurs, it may satisfy the requirements of Sec. 164.404 without re-identifying the information, by providing substitute notice to the individuals as required by paragraph (d)(2) of that section.

We note that the discussion above regarding ``limited data sets'' applies to any protected health information that excludes the 16 direct identifiers listed at Sec. 164.514(e)(2), regardless of whether the information is used for health care operations, public health, or research purposes (see Sec. 164.514(e)(3)(i)), and is subject to a data use agreement under Sec. 164.514(e) of the Privacy Rule. Thus, for example, a covered entity that impermissibly uses or discloses data that is stripped of the 16 direct identifiers described above, zip codes, and dates of birth, may take advantage of the exception to what is a breach, regardless of the intended purpose of the use or disclosure or whether a data use agreement was in place.

With respect to any type of protected health information, we note that Sec. 164.414, discussed below, gives covered entities and business associates the burden of demonstrating that no breach has occurred because the impermissible use or disclosure did not pose a significant risk of harm to the individual. Covered entities and business associates must document their risk assessments, so that they can demonstrate, if necessary, that no breach notification was required following an impermissible use or disclosure of protected health information. For impermissible uses or disclosures of protected health information that fall under the narrow exception at paragraph (1)(ii) of this definition, which do not qualify as breaches because the protected health information is a limited data set that does not include zip codes or dates of birth, documentation that demonstrates that the lost information did not include these identifiers will suffice.
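The field-level test that the preceding paragraphs describe, as an added example in Python that is not part of the interim final rule or of HHS guidance: it reduces a record to a limited data set by dropping the 16 direct-identifier categories of Sec. 164.514(e)(2) (for the individual and for relatives, employers and household members), then checks whether zip codes and dates of birth are also absent, which is the condition for the narrow exception in paragraph (1)(ii) of the breach definition, and emits the kind of record Sec. 164.414 documentation needs (which identifier categories were checked and found absent). The column names, the `relative_`/`employer_`/`household_` prefix convention, and the sample record are all assumptions constructed for this example; the rule names identifier categories, not columns.

```python
"""Limited data set and narrow-exception field check (added example).

Column names below are assumptions about a record's layout, not names from
45 CFR 164.514(e)(2); map them onto your own schema.
"""
from __future__ import annotations

# One assumed column per direct-identifier category of Sec. 164.514(e)(2),
# numbered as the rule lists them.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name",                            # (1)
    "street_address",                  # (2) postal address other than city, State, zip
    "phone", "fax", "email", "ssn",    # (3) (4) (5) (6)
    "medical_record_number",           # (7)
    "health_plan_beneficiary_number",  # (8)
    "account_number",                  # (9)
    "certificate_license_number",      # (10)
    "vehicle_identifier",              # (11)
    "device_identifier",               # (12)
    "web_url", "ip_address",           # (13) (14)
    "biometric_identifier",            # (15)
    "full_face_photo",                 # (16)
})

# A limited data set may keep these; the narrow exception in the breach
# definition requires them to be gone as well.
NARROW_EXCEPTION_FIELDS = frozenset({"zip_code", "date_of_birth"})

# Identifiers of relatives, employers and household members are removed too.
# Assumed convention: such columns carry one of these prefixes.
RELATED_PERSON_PREFIXES = ("relative_", "employer_", "household_")


def _category(field: str) -> str:
    """Map 'relative_name' -> 'name' so related-person columns hit the same list."""
    for prefix in RELATED_PERSON_PREFIXES:
        if field.startswith(prefix):
            return field[len(prefix):]
    return field


def _populated(record: dict) -> dict:
    """Ignore columns that exist in the schema but carry no value."""
    return {f: v for f, v in record.items() if v not in (None, "")}


def direct_identifiers_present(record: dict) -> set[str]:
    """Columns that still hold one of the 16 direct identifiers."""
    return {f for f in _populated(record) if _category(f) in DIRECT_IDENTIFIER_FIELDS}


def to_limited_data_set(record: dict) -> dict:
    """Strip the 16 direct identifiers; city, State, zip and dates stay."""
    return {f: v for f, v in record.items() if _category(f) not in DIRECT_IDENTIFIER_FIELDS}


def to_narrow_exception_set(record: dict) -> dict:
    """Limited data set with zip codes and dates of birth removed as well."""
    return {f: v for f, v in to_limited_data_set(record).items()
            if _category(f) not in NARROW_EXCEPTION_FIELDS}


def classify(record: dict) -> str:
    """Tier of the breach definition the record's fields put it in:
    'direct_identifiers' (full risk assessment), 'limited_data_set' (risk
    assessment that weighs re-identification), or 'narrow_exception'
    (deemed not to compromise security or privacy)."""
    populated = _populated(record)
    if direct_identifiers_present(populated):
        return "direct_identifiers"
    if any(_category(f) in NARROW_EXCEPTION_FIELDS for f in populated):
        return "limited_data_set"
    return "narrow_exception"


def documentation_entry(record: dict) -> dict:
    """What to file under Sec. 164.414: the categories checked and those absent."""
    checked = sorted(DIRECT_IDENTIFIER_FIELDS | NARROW_EXCEPTION_FIELDS)
    present = {_category(f) for f in _populated(record)}
    return {
        "classification": classify(record),
        "identifiers_checked": checked,
        "identifiers_absent": [c for c in checked if c not in present],
    }


# Constructed sample record with fictitious values (not data from the rule).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "relative_name": "John Q. Sample",
    "street_address": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",
    "zip_code": "62704",
    "date_of_birth": "1970-04-02",
    "date_of_service": "2009-06-15",
    "ssn": "000-00-0000",
    "email": "jane@example.test",
    "ip_address": "",            # in the schema but empty
    "diagnosis_code": "C50.9",   # clinical content survives every tier
}

if __name__ == "__main__":
    for label, rec in (("original", SAMPLE_RECORD),
                       ("limited data set", to_limited_data_set(SAMPLE_RECORD)),
                       ("narrow exception", to_narrow_exception_set(SAMPLE_RECORD))):
        print(f"{label:17s} -> {classify(rec)}: {sorted(rec)}")
```

Two caveats a practitioner should keep in view. The check is by column only; a free-text field such as a clinical note can carry a name, phone number or address that no column test will see, so free text needs its own scrubbing before a record is treated as a limited data set. And qualifying for the narrow exception is a statement about the fields present, not a licence to disclose them: the minimum necessary standard of Secs. 164.502(b) and 164.514(d) still applies, and a record classed `limited_data_set` still needs the re-identification risk assessment the rule describes.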

Exceptions to Breach

Section 13400(1) of the Act also includes three exceptions to the definition of ``breach'' that encompass situations Congress clearly intended to not constitute breaches: (1) Unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate (section 13400(1)(B)(i)); (2) inadvertent disclosure of protected health information from one person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate (section 13400(1)(B)(ii) and (iii)); and (3) unauthorized disclosures in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information (section 13400(1)(A)). We have included these three exceptions as paragraphs (2)(i), (ii), and (iii), respectively.

The first regulatory exception at paragraph (2)(i) of this definition, for unintentional acquisition, access, or use of protected health information, generally mirrors the exception in section 13400(1)(B)(i) of the Act. This statutory section excepts from the definition of ``breach'' the unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or a business associate, if the acquisition, access, or use was made in good faith, within the course and scope of employment or other professional relationship, and does not result in further use or disclosure.

We modified the statutory language to use ``workforce members'' instead of employees. Workforce member is a defined term in 45 CFR 160.103 and means ``employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.''

A person is acting under the authority of a covered entity or business associate if he or she is acting on its behalf. This may include a workforce member of a covered entity, an employee of a business associate, or even a business associate of a covered entity. Similarly, to determine whether the access, acquisition, or use was made ``within the scope of authority,'' the covered entity or business associate should consider whether the person was acting on its behalf at the time of the inadvertent acquisition, access, or use.

Additionally, while the statutory language provides that this exception applies where the recipient does not further use or disclose the information, we have interpreted this exception as encompassing circumstances where the recipient does not further use or disclose the information in a manner not permitted under the Privacy Rule. In circumstances where any further use or disclosure of the information is permissible under the Privacy Rule, we interpret that there is no breach because the security and privacy of the information has not been compromised by any such permissible use or disclosure.

To illustrate this exception, we offer the following example. A billing employee receives and opens an email containing protected health information about a patient which a nurse mistakenly sent to the billing employee. The billing employee notices that he is not the intended recipient, alerts the nurse of the misdirected email, and then deletes it. The billing employee unintentionally accessed protected health information to which he was not authorized to have access. However, the billing employee's use of the information was done in good faith and within the scope of authority, and therefore, would not constitute a breach and notification would not be required, provided the employee did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.

In contrast, a receptionist at a covered entity who is not authorized to access protected health information decides to look through patient files in order to learn of a friend's treatment. In this case, the impermissible access to protected health information would not fall within this exception to breach because such access was neither unintentional, done in good faith, nor within the scope of authority.

The second regulatory exception, at paragraph (2)(ii) of this definition, covers inadvertent disclosures and generally mirrors the exception provided in section 13400(1)(B)(ii) and (iii) of the Act, with slight modifications. The statute excepts from the definition of ``breach'' inadvertent disclosures from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility if the information is not further used or disclosed without authorization. We have modified the statutory language slightly to except from breach inadvertent disclosures of protected health information from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates. Organized health care arrangement is defined by the HIPAA Rules to mean, among other things, a clinically integrated care setting in which individuals typically receive health care from more than one health care provider.\10\ See 45 CFR 160.103. This includes, for example, a covered entity, such as a hospital, and the health care providers who have staff privileges at the hospital.
\10\ 45 CFR 160.103 also defines ``organized health care arrangement'' to include ``an organized system of health care in which more than one covered entity participates'' and in which the participating covered entities engage in certain joint utilization review, quality assessment and improvement, or payment activities. In addition, the definition encompasses certain relationships between group health plans and health insurance issuers or health maintenance organizations (HMO), as well as relationships among group health plans which are maintained by the same plan sponsor.

We received several comments with respect to this exception, and many commenters asked that we clarify and explain the statutory language regarding what it means to be a ``similarly situated individual'' and what constitutes the ``same facility'' for purposes of this exception. We believe that a ``similarly situated individual,'' for purposes of the statute, means an individual who is authorized to access protected health information, and thus, for clarity, we have substituted this language for the statutory language in the regulation. Thus, a person who is authorized to access protected health information is similarly situated, for purposes of this regulation, to another person at the covered entity, business associate of the covered entity, or organized health care arrangement in which the covered entity participates, who is also authorized to access protected health information (even if the two persons may not be authorized to access the same types of protected health information). For example, a physician who has authority to use or disclose protected health information at a hospital by virtue of participating in an organized health care arrangement with the hospital is similarly situated to a nurse or billing employee at the hospital. In contrast, the physician is not similarly situated to an employee at the hospital who is not authorized to access protected health information.

Additionally, we have interpreted ``same facility'' to mean the same covered entity, business associate, or organized health care arrangement in which the covered entity participates and have substituted this language in the regulation. By focusing on the legal entity or status of the entities as an organized health care arrangement when interpreting ``same facility,'' we believe we have more clearly captured the intent of the statute and have also alleviated commenter concerns that the term ``facility'' was too narrow. Therefore, the size of the covered entity, business associate, or organized health care arrangement will dictate the scope of this exception. If a covered entity has a single location, then the exception will apply to disclosures between a workforce member and, e.g., a physician with staff privileges at that single location. However, if a covered entity has multiple locations across the country, the same exception will apply even if the workforce member makes the disclosure to a physician with staff privileges at a facility located in another state.

We interpret the statutory limitation that the information not be ``further acquired, accessed, used, or disclosed without authorization'' as meaning that the information is not further used or disclosed in a manner not permitted by the Privacy Rule. Thus, this exception encompasses circumstances in which a person who is authorized to use or disclose protected health information within a covered entity, business associate, or organized health care arrangement inadvertently discloses that information to another person who is authorized to use or disclose protected health information within the same covered entity, business associate, or organized health care arrangement, as long as the recipient does not further use or disclose the information in violation of the Privacy Rule.

The final regulatory exception to breach at paragraph (2)(iii) of this definition mirrors the exception found in section 13400(1)(A) of the Act. The statute excepts from the definition of ``breach'' situations in which the unauthorized person to whom protected health information has been disclosed would not reasonably have been able to retain the information. We have slightly modified this language to except from ``breach'' situations where a covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure of protected health information was made would not reasonably have been able to retain the information.

For example, a covered entity, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals. A few of the EOBs are returned by the post office, unopened, as undeliverable. In these circumstances, the covered entity can conclude that the improper addressees could not reasonably have retained the information. The EOBs that were not returned as undeliverable, however, and that the covered entity knows were sent to the wrong individuals, should be treated as potential breaches.

As another example, a nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes her mistake and recovers the protected health information from the patient. If the nurse can reasonably conclude that the patient could not have read or otherwise retained the information, then this would not constitute a breach.

With respect to any of the three exceptions discussed above, a covered entity or business associate has the burden of proof, pursuant to Sec. 164.414(b) (discussed below), for showing why breach notification was not required. Accordingly, the covered entity or business associate must document why the impermissible use or disclosure falls under one of the above exceptions.

Based on the above, we envision that covered entities and business associates will need to do the following to determine whether a breach occurred. First, the covered entity or business associate must determine whether there has been an impermissible use or disclosure of protected health information under the Privacy Rule. Second, the covered entity or business associate must determine, and document, whether the impermissible use or disclosure compromises the security or privacy of the protected health information. This occurs when there is a significant risk of financial, reputational, or other harm to the individual. Lastly, the covered entity or business associate may need to determine whether the incident falls under one of the exceptions in paragraph (2) of the breach definition.

We treat the breach as having occurred at the time of the impermissible use or disclosure (or in the case of the exceptions listed at paragraphs (2)(i) and (ii) of the definition of ``breach,'' at the time of the ``further'' impermissible use or disclosure), but recognize that a covered entity or business associate may require a reasonable amount of time to confirm whether the incident qualifies as a breach. As discussed below, a breach is considered discovered when the incident becomes known, not when the covered entity or business associate concludes the above analysis of whether the facts constitute a breach.

2. Unsecured Protected Health Information

The interim final rule adopts a definition of ``unsecured protected health information'' to identify to what information the breach notification provisions apply. Section 13402(h)(1)(A) of the Act defines ``unsecured protected health information'' as ``protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance issued under [section 13402(h)(2)].'' Further, the Act at section 13402(h)(2) requires that the Secretary specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Accordingly, the interim final rule defines ``unsecured protected health information'' to mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. We also provide in the regulation that the guidance will be published on the HHS Web site.

Section 13402(h)(2) of the Act required that the Secretary initially issue such guidance, after consultation with stakeholders, no later than 60 days after enactment, or April 17, 2009. As discussed above, the Secretary issued the guidance along with a request for information on April 17, 2009, on the HHS Web site at http://www.hhs.gov/ocr/privacy/ and the guidance was later published in the Federal Register on April 27, 2009 (74 FR 19006). The Department has reviewed the public comment received in response to the request for information and provides an update to the guidance in Section II of this document. As provided in this interim final rule, this updated guidance is also (and any future updates will be) available on the HHS Web site at http://www.hhs.gov/ocr/privacy/.

We note that the definition of ``unsecured protected health information'' in the Act and this interim final rule incorporates generally the term ``protected health information,'' as defined at 45 CFR 160.103 of the HIPAA Rules, which includes information in any form or medium. Accordingly, the term ``unsecured protected health information'' can include information in any form or medium, including electronic, paper, or oral form.

C. Notification to Individuals--Section 164.404

Section 164.404 of the interim final rule provides the requirements for the notifications covered entities are to provide to individuals affected by a breach of unsecured protected health information. This section includes implementation specifications regarding timeliness, content, and methods of the notice.
[[Page 42749]]

General Rule

Sectio

FOR FURTHER INFORMATION CONTACT

Andra Wicks, 202-205-2292.