The new federal data breach notification requirements, introduced by the HITECH Act that was part of the American Reinvestment and Recovery Act signed into law by President Obama in February 2009, are now effective.
Generally, the breach notification rules require employers that sponsor group health plans (including medical reimbursement arrangements) to notify individuals, the regulators and, in certain cases, the media, when unsecured protected health information is breached. A breach generally occurs when there is an unauthorized acquisition or disclosure of protected health information. In addition, the HITECH Act generally prohibits the sale and marketing of protected health information.
Notification of breaches of unsecured information must be made without unreasonable delay, and in no event more than 60 days after an employer becomes aware of the breach. Both HHS and the Federal Trade Commission will assess sanctions for failure to provide the required notice for breaches discovered after February 22, 2010.
The new breach notification rules apply only to information that is “unsecured.” HHS has issued guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals and, thus, secured. Certain limited exceptions for unintentional breaches may also apply.

Under the HITECH Act, group health plan business associates are also subject to these requirements, although the effective date of the direct application of these rules to business associates has been postponed. Employers should ensure that their policies and practices, as well as their agreements with service providers and business associates, incorporate these restrictions. Employers should discuss with their health plan business associates and insurers the feasibility of encrypting all protected health information to the extent possible, and should review the terms of their business associate agreements and their procedures for incident response in the event that a breach occurs.