HIPAA Regulations: Notification in the Case of Breach -- Definitions - § 164.402
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
HHS Regulations as Amended January 2013
As used in this subpart, the following terms have the following meanings:
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
(1) Breach excludes:
(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.
(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.
(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.
Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.
HHS Description and Commentary From January 2013 Amendments: Notification in the Case of Breach -- Definitions
Definition of “Breach”
Interim Final Rule
Section 13400(1)(A) of the Act defines “breach” as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” Section 13400(1)(B) of the Act provides two additional exceptions to the definition of “breach.” The interim final rule at 45 CFR 164.402 defined a “breach” to mean generally “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the protected health information.” The definition included the statutory exceptions to the definition (discussed below) and clarified that “unauthorized” for purposes of the statute meant in a manner not permitted by the Privacy Rule.
In addition, for purposes of this definition, the rule provided that “compromises the security or privacy of the protected health information” means poses a significant risk of financial, reputational, or other harm to the individual. The Department included this standard regarding a significant risk of harm to the individual (i.e., harm standard) after considering public comment received in response to the Department’s request for information on the HITECH Act’s breach notification provisions. See 74 FR 19006. The inclusion of the harm standard was intended to align the Department’s rule with many State breach notification laws, as well as existing obligations on Federal agencies pursuant to OMB Memorandum M-07-16, that have similar standards for triggering breach notification. In addition, the standard was intended to ensure that consumers were not flooded with breach notifications for inconsequential events, which could cause unnecessary anxiety and eventual apathy among consumers.
To determine whether an impermissible use or disclosure of protected health information constitutes a breach under this standard, covered entities and business associates were required to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In conducting the risk assessment, covered entities and business associates were to consider a number or combination of factors, including who impermissibly used the information or to whom the information was impermissibly disclosed; whether the covered entity or business associate had taken steps to mitigate or eliminate the risk of harm; whether the protected health information was actually accessed; and what type or amount of protected health information was impermissibly used or disclosed.
The rule provided further that an impermissible use or disclosure of protected health information that qualifies as a limited data set but also excludes dates of birth and zip codes (both identifiers that may otherwise be included in a limited data set) does not compromise the security or privacy of the protected health information. The Department included this narrow exception in the belief that it would be very difficult to re-identify a limited data set that excludes dates of birth and zip codes. Thus, a breach of such information would pose a low level of risk of harm to an individual.
The interim final rule also included the three statutory exceptions to the definition of breach. To implement section 13400(1)(B)(i) of the Act, the first regulatory exception provided that a breach excludes any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule. We substituted the term “workforce members” for the statutory term “employees” because “workforce member” is a defined term for purposes of the HIPAA Rules and means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate.
In addition to unintentional, good faith access to protected health information by workforce members, this exception covers similar access by a business associate of a covered entity or subcontractor with respect to a business associate or other person acting on behalf of a covered entity or business associate. The exception does not, however, cover situations involving snooping employees, because access as a result of such snooping would be neither unintentional nor done in good faith.
To implement section 13400(1)(B)(ii) and (iii) of the Act, the second regulatory exception provided that a breach excludes inadvertent disclosures of protected health information from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates. The regulatory exception includes reference to an “organized health care arrangement” to capture, among other things, clinically integrated care settings in which individuals typically receive health care from more than one health care provider, such as a hospital, and the health care providers who have staff privileges at the hospital.
In this regulatory exception, we also interpreted the statutory limitations that the disclosure be to “another person similarly situated at the same facility” to mean that the disclosure be to another person authorized to access protected health information (even if the two persons may not be authorized to access the same types of protected health information) at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates (even if the covered entity, business associate, or organized health care arrangement has multiple facilities or locations across the country).
Finally, to implement section 13400(1)(A) of the Act, the interim final rule exempted disclosures of protected health information where a covered entity or a business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
For example, if a covered entity, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals and a few of the EOBs are returned by the post office, unopened, as undeliverable, the covered entity can conclude that the improper addressees could not reasonably have retained the information. The EOBs that were not returned as undeliverable, however, and that the covered entity knows were sent to the wrong individuals, should be treated as potential breaches. As another example, if a nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes her mistake and recovers the protected health information from the patient, this would not constitute a breach if the nurse can reasonably conclude that the patient could not have read or otherwise retained the information.
With respect to any of the three exceptions discussed above, a covered entity or business associate has the burden of proof, pursuant to § 164.414(b) (discussed below), for showing why breach notification was not required. Accordingly, the covered entity or business associate must document why the impermissible use or disclosure falls under one of the above exceptions.
Overview of Public Comments
Of the approximately 85 public comments received on the interim final rule addressing the definition of breach, approximately 70 of those comments addressed the harm standard and risk assessment approach in the interim final rule. We received approximately 60 comments in support of the harm standard and the risk assessment approach. The commenters in support of this approach included providers, health plans, professional associations, and certain members of Congress. These commenters argued that the inclusion of the harm standard and accompanying risk assessment was consistent with the statutory language, aligned the interim final rule with many State breach notification laws and Federal policies, and appropriately placed the obligation to determine if a breach had occurred on covered entities and business associates since they had the requisite knowledge of the incident to best assess the likely impact of the impermissible use or disclosure.
The proponents of the harm standard and risk assessment approach also argued that its removal would increase the cost and burden of implementing the rule for covered entities, business associates, as well as HHS, and may cause unnecessary anxiety and eventual apathy among consumers if notifications are sent when there is no risk of harm to the individual.
We also received approximately 10 comments opposed to the harm standard. Generally, the commenters opposed to this approach were members of Congress and consumer advocacy groups. Some opponents of the harm standard argued that its addition to the interim final rule set too high a bar for triggering breach notification, which was contrary to statutory intent. These commenters argued that the final rule should adopt a bright line standard for breach notification to ensure that individuals are aware of all impermissible uses and disclosures of their health information regardless of the potential risk and to make implementation and enforcement of the rule more uniform by removing the discretion and judgment given to covered entities in the interim final rule. These commenters argued that such transparency would better breed consumer trust and would allow individuals to assess the risk of harm themselves and take necessary measures to mitigate an impermissible use or disclosure of their health information.
Other commenters, while opposed to a harm standard to trigger breach notification, nonetheless agreed that breach notification should not be required following every impermissible use or disclosure of unsecured protected health information no matter how inconsequential the breach. These commenters argued that, rather than a subjective standard measuring the risk of harm to an individual, the final rule should include a more objective standard against which entities would be required to assess risk.
These commenters suggested that the risk assessment should focus on the risk that the protected health information was compromised instead of on the risk of harm to the individual. Additionally, these commenters proposed four factors that should be considered to determine whether the information was compromised: (1) to whom the information was impermissibly disclosed; (2) whether the information was actually accessed or viewed; (3) the potential ability of the recipient to identify the subjects of the data; and (4) in cases where the recipient is the disclosing covered entity’s business associate or is another covered entity, whether the recipient took appropriate mitigating action.
Some commenters stated that the default function of the rule was unclear. In particular, these commenters questioned whether the rule required notification of a breach unless it is determined that a significant risk of harm does not exist, or alternatively, required notification only in cases where significant risk of harm can be demonstrated. Other commenters suggested that we include in the definition an express presumption of a breach unless an entity can show otherwise.
Additionally, many commenters responded to the treatment of limited data sets in the interim final rule. Although many commenters expressed support for the assertion that limited data sets that do not contain dates of birth and zip codes do not compromise the security or privacy of protected health information, most of these commenters expressed concern that the interim final rule did not go far enough and should exempt even those limited data sets that contain dates of birth and/or zip codes from the breach notification requirements. These commenters argued that no impermissible use or disclosure of a limited data set should trigger breach notification obligations because without the 16 direct identifiers that the Privacy Rule requires to be stripped from the information, there is minimal risk of harm to the individual. Additionally, commenters indicated it would be costly and burdensome for entities to have to re-identify the information in a limited data set to provide notification and that re-identifying the information could also pose an additional risk of harm to the affected individuals.
Finally, other commenters noted that because researchers commonly rely on limited data sets that contain dates of birth and zip codes, researchers would not be able to take advantage of the exception for certain limited data sets in the interim final rule, which may have the effect of deterring research.
In contrast, some commenters expressed concern regarding the inclusion of even the limited exception to the definition of breach for limited data sets that do not include dates of birth and zip codes. These commenters supported requiring entities to perform a risk assessment to determine whether an impermissible use or disclosure of such information compromised the security or privacy of the information, as there may be a risk of re-identification of this information depending on who received the information.
Final Rule
After considering the public comments on the definition, the Department in this final rule amends the definition of “breach” at 45 CFR 164.402. Based on the comments, we recognize that the language used in the interim final rule and its preamble could be construed and implemented in manners we had not intended. Accordingly, this final rule modifies and clarifies the definition of breach and the risk assessment approach outlined in the interim final rule.
First, we have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.
We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the definition of breach applies). We believe that the express statement of this presumption in the final rule will help ensure that all covered entities and business associates interpret and apply the regulation in a uniform manner and also responds to commenters that indicated the default function of the rule was unclear. This new language is also consistent with § 164.414, which provides that covered entities and business associates have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach (such as by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised) and must maintain documentation sufficient to meet that burden of proof.
Second, to further ensure that this provision is applied uniformly and objectively by covered entities and business associates, we have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised. Thus, breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant risk of harm to the individual as was provided under the interim final rule. The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary.
Although some commenters urged us to implement a bright line standard, requiring notification for all impermissible uses and disclosures without any assessment of risk, we believe that a risk assessment is necessary. The statute acknowledges, by including a specific definition of breach and identifying exceptions to this definition, as well as by providing that an unauthorized acquisition, access, use, or disclosure of protected health information must compromise the security or privacy of such information to be a breach, that there are several situations in which unauthorized acquisition, access, use, or disclosure of protected health information is so inconsequential that it does not warrant notification. In addition to the statutory exceptions that have been included in both the interim final rule and this final rule, there may be other similar situations that do not warrant breach notification. We agree with commenters that providing notification in such cases may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely. For example, if a covered entity misdirects a fax containing protected health information to the wrong physician practice, and upon receipt, the receiving physician calls the covered entity to say he has received the fax in error and has destroyed it, the covered entity may be able to demonstrate after performing a risk assessment that there is a low risk that the protected health information has been compromised. Although this scenario does not fit into any of the statutory or regulatory exceptions, we believe that, like the exceptions to breach, notification should not be required if the covered entity demonstrates a low probability that the data has been compromised.
Commenters argued that a rule containing a bright line standard for notification would be easier for both the regulated entities to implement and for HHS to enforce. We disagree. Although a rule that required notification following every impermissible use or disclosure may appear easier for covered entities and business associates to implement -- as no determination of the risk that the protected health information has been compromised would be required -- in effect, a bright line standard would be extremely burdensome and costly for entities to implement. With no risk assessment following an impermissible use or disclosure, entities may be required to provide many notices each year for incidents that did not compromise the security or privacy of an individual's protected health information.
Although we do not believe a bright line approach to breach notification is appropriate, we do agree with the commenters who expressed concern that the risk assessment focus on “harm to an individual” in the interim final rule was too subjective and would lead to inconsistent interpretations and results across covered entities and business associates. As a result, instead of assessing the risk of harm to the individual, covered entities and business associates must assess the probability that the protected health information has been compromised based on a risk assessment that considers at least the following factors: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated. We believe that the use of these factors, which are derived from the factors listed in the interim final rule as well as many of the factors suggested by commenters, will result in a more objective evaluation of the risk to the protected health information and a more uniform application of the rule.
As we have modified and incorporated the factors that must be considered when performing a risk assessment into the regulatory text, covered entities and business associates should examine their policies to ensure that when evaluating the risk of an impermissible use or disclosure they consider all of the required factors. In addition, given the circumstances of the impermissible use or disclosure, additional factors may need to be considered to appropriately assess the risk that the protected health information has been compromised. We note that, although we have included this risk assessment in the final rule, this type of assessment of risk should not be a new or different exercise for covered entities and business associates. Similar assessments of risk that data have been compromised must be performed routinely following security breaches and to comply with certain State breach notification laws.
The first factor requires covered entities and business associates to evaluate the nature and the extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification of the information. To assess this factor, entities should consider the type of protected health information involved in the impermissible use or disclosure, such as whether the disclosure involved information that is of a more sensitive nature. For example, with respect to financial information, this includes credit card numbers, social security numbers, or other information that increases the risk of identity theft or financial fraud.
With respect to clinical information, this may involve considering not only the nature of the services or other information but also the amount of detailed clinical information involved (e.g., treatment plan, diagnosis, medication, medical history information, test results). Considering the type of protected health information involved in the impermissible use or disclosure will help entities determine the probability that the protected health information could be used by an unauthorized recipient in a manner adverse to the individual or otherwise used to further the unauthorized recipient’s own interests. Additionally, in situations where there are few, if any, direct identifiers in the information impermissibly used or disclosed, entities should determine whether there is a likelihood that the protected health information released could be re-identified based on the context and the ability to link the information with other available information. For example, if a covered entity impermissibly disclosed a list of patient names, addresses, and hospital identification numbers, the protected health information is obviously identifiable, and a risk assessment likely would determine that there is more than a low probability that the information has been compromised, dependent on an assessment of the other factors discussed below.
Alternatively, if the covered entity disclosed a list of patient discharge dates and diagnoses, the entity would need to consider whether any of the individuals could be identified based on the specificity of the diagnosis, the size of the community served by the covered entity, or whether the unauthorized recipient of the information may have the ability to combine the information with other available information to re-identify the affected individuals (considering this factor in combination with the second factor discussed below). We emphasize, however, that the entity must evaluate all the factors, including those discussed below, before making a determination about the probability of risk that the protected health information has been compromised.
The second factor requires covered entities and business associates to consider the unauthorized person who impermissibly used the protected health information or to whom the impermissible disclosure was made. Entities should consider whether the unauthorized person who received the information has obligations to protect the privacy and security of the information. For example, as discussed in the interim final rule, if protected health information is impermissibly disclosed to another entity obligated to abide by the HIPAA Privacy and Security Rules or to a Federal agency obligated to comply with the Privacy Act of 1974 and the Federal Information Security Management Act of 2002, there may be a lower probability that the protected health information has been compromised since the recipient of the information is obligated to protect the privacy and security of the information in a similar manner as the disclosing entity.
We also emphasize that this factor should be considered in combination with the factor discussed above regarding the risk of re-identification. If the information impermissibly used or disclosed is not immediately identifiable, entities should determine whether the unauthorized person who received the protected health information has the ability to re-identify the information. For example, if information containing dates of health care service and diagnoses of certain employees was impermissibly disclosed to their employer, the employer may be able to determine that the information pertains to specific employees based on other information available to the employer, such as dates of absence from work. In this case, there may be more than a low probability that the protected health information has been compromised.
Several commenters suggested that a risk assessment need be completed following only impermissible disclosures of protected health information, since information impermissibly “used” remains within the covered entity or business associate. We disagree. The final rule requires a risk assessment to be performed following both impermissible uses and disclosures (that do not otherwise fall within the other enumerated exceptions to breach). However, the fact that information only is impermissibly used within a covered entity or business associate and the impermissible use does not result in further impermissible disclosure outside the entity, is something that may be taken into account in conducting the risk assessment and may reduce the probability that the protected health information has been compromised.
The third factor requires covered entities and business associates to investigate an impermissible use or disclosure to determine if the protected health information was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed. For example, as we discussed in the interim final rule, if a laptop computer was stolen and later recovered and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed. In contrast, however, if a covered entity mailed information to the wrong individual who opened the envelope and called the entity to say that she received the information in error, then, in this case, the unauthorized recipient viewed and acquired the information because she opened and read the information to the extent that she recognized it was mailed to her in error.
The final factor included in the final rule requires covered entities and business associates to consider the extent to which the risk to the protected health information has been mitigated. Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed, and should consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised.
We note that this factor, when considered in combination with the factor regarding the unauthorized recipient of the information discussed above, may lead to different results in terms of the risk to the protected health information. For example, a covered entity may be able to obtain and rely on the assurances of an employee, affiliated entity, business associate, or another covered entity that the entity or person destroyed information it received in error, while such assurances from certain third parties may not be sufficient.
As described above, certain commenters suggested that mitigation should only be considered where the recipient of the information is a business associate of the covered entity or another covered entity. We do not in this rule limit this factor to those circumstances but, as discussed above, acknowledge that the recipient of the information will have an impact on whether the covered entity can conclude that an impermissible use or disclosure has been appropriately mitigated.
A covered entity’s or business associate’s analysis of the probability that protected health information has been compromised following an impermissible use or disclosure must address each factor discussed above. Other factors may also be considered where necessary. Covered entities and business associates must then evaluate the overall probability that the protected health information has been compromised by considering all the factors in combination, and we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable. If an evaluation of the factors discussed above fails to demonstrate that there is a low probability that the protected health information has been compromised, breach notification is required. We do note, however, that a covered entity or business associate has the discretion to provide the required notifications following an impermissible use or disclosure of protected health information without performing a risk assessment.
Because the final rule clarifies the presumption that a breach has occurred following every impermissible use or disclosure of protected health information, entities may decide to notify without evaluation of the probability that the protected health information has been compromised. In the future, we will issue additional guidance to aid covered entities and business associates in performing risk assessments with respect to frequently occurring scenarios.
In addition to the removal of the harm standard and the creation of more objective factors to evaluate the probability that protected health information has been compromised, we have removed the exception for limited data sets that do not contain any dates of birth and zip codes. In the final rule, following the impermissible use or disclosure of any limited data set, a covered entity or business associate must perform a risk assessment that evaluates the factors discussed above to determine if breach notification is not required.
The vast majority of commenters were not supportive of the exception for certain limited data sets outlined in the interim final rule, either because they believed the exception did not go far enough and would chill research that needed access to birth dates and zip codes in limited data sets, or because of concerns regarding the re-identifiability of the limited information to which the exception applied. Based on the comments, we believe it is appropriate to require the impermissible use or disclosure of a limited data set, even those that do not contain dates of birth and zip codes, to be subject to a risk assessment to demonstrate that breach notification is not required.
The final rule expressly includes a factor that would require consideration of the re-identifiability of the information, as well as a factor that requires an assessment of the unauthorized person who used the protected health information or to whom the disclosure was made (i.e., whether this person has the ability to re-identify the affected individuals). Thus, the factors are particularly suited to address the probability that a data set without direct identifiers has been compromised following an impermissible use or disclosure. Further, we believe in most cases that the result would be the same under this final rule as under the interim final rule with respect to whether an impermissible use or disclosure of a limited data set that also excludes dates of birth and zip codes constitutes a breach for which notification is required. Due to the lack of identifiers present in the protected health information, entities may reasonably determine that there is a low probability of risk that the information has been compromised; however, we stress that this is a fact specific determination to be made based on the circumstances of the impermissible use or disclosure.
We encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742). If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.
In addition to the comments discussed above, it was suggested that covered entities be required to include in their notice of privacy practices information about how a risk assessment will be conducted or their internal policies for determining whether a breach has occurred and notification is warranted. It was also suggested that the breach notice to the individual following discovery of a breach of unsecured protected health information contain information about the covered entity or business associate’s risk assessment to help the individual better assess the level of threat posed by the breach and to better determine the appropriate steps, if any, to take.
We decline to require that the covered entity’s notice of privacy practices include a description of how a risk assessment will be conducted, although covered entities may include such information in their notice of privacy practices if they choose. While each risk assessment will differ depending on the specific facts and circumstances surrounding the impermissible use or disclosure, we believe that the modifications in this final rule will help ensure that covered entities and business associates perform risk assessments more uniformly and objectively. We also note that the content requirements for the notice to the individual outlined in § 164.404(c) already require that the individual be notified of the circumstances of a breach, as well as what steps individuals should take to protect themselves from potential harm resulting from the breach.
One commenter suggested that we require a covered entity to hire an independent organization to assess the risk of an impermissible use or disclosure to determine if breach notification is required. We do not believe such a requirement is necessary, although covered entities are free to engage independent organizations to assist in making such determinations provided that, if access to protected health information is required, business associate agreements are entered into to protect the information. Further, we believe the modifications in this final rule are conducive to more uniform risk assessments across covered entities and business associates. Additionally, as with the interim final rule, we note that covered entities and business associates have the burden of proof, pursuant to § 164.414, to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach and to maintain documentation (e.g., of the risk assessment demonstrating that there was a low probability that the protected health information had been compromised or of the assessment that the impermissible use or disclosure falls within one of the other exceptions to breach), pursuant to 45 CFR 164.530(j)(1)(iv), as necessary to meet this burden of proof. Thus, covered entities and business associates have adequate incentive to conduct reasonable and diligent risk assessments.
Finally, after reviewing and considering the comments received regarding the exceptions to the definition of breach in the interim final rule, the Department adopts these exceptions without modification in this final rule. Although the substance of these exceptions has not changed, these exceptions are now located at paragraph (1) of the definition of breach instead of paragraph (2) to accommodate the modifications discussed above. We respond to the public comments addressing these exceptions, as well as other comments received on the definition of “breach,” below.
Response to Other Public Comments
Comment: Many commenters expressed concern that violations of the minimum necessary standard may trigger breach notification obligations.
Response: We do not believe it would be appropriate to exempt minimum necessary violations from the breach notification obligations as we do not believe that all minimum necessary violations present a low probability that the protected health information has been compromised. Thus, uses or disclosures that impermissibly involve more than the minimum necessary information, in violation of §§ 164.502(b) and 164.514(d), may qualify as breaches. Such incidents must be evaluated as any other impermissible uses or disclosures to determine whether breach notification is not required.
As explained above, there are several factors to be considered when determining the probability that the protected health information involved in an impermissible use or disclosure has been compromised, including the unauthorized person who used the information or to whom the disclosure was made. Thus, where a minimum necessary violation occurs in a disclosure to a business associate or as an internal use within a covered entity or business associate, the fact that the information was not acquired by a third party would be considered as part of the risk assessment and may help lead to the conclusion that there is a low probability that the protected health information has been compromised. Alternatively, covered entities and business associates may determine that certain minimum necessary violations fall within the exceptions to the definition of breach at § 164.402(1)(i) or (1)(ii).
We note that the Privacy Rule’s minimum necessary standard requires a covered entity to make reasonable efforts to limit access to protected health information to those persons or classes of persons who need access to protected health information to carry out their duties and to disclose an amount of protected health information reasonably necessary to achieve the purpose of a disclosure. The Privacy Rule requires covered entities to determine and define in their policies and procedures how the minimum necessary standard applies to their own uses and disclosures. Thus, covered entities are in a good position to know when such policies and procedures have been violated and to assess the probability that the incident has compromised the security or privacy of the information. Finally, we will consider including further guidance regarding the interaction between the minimum necessary standard and the breach notification requirements in the guidance required by section 13405(b)(1)(B) of the HITECH Act.
Comment: Several commenters asked that we clarify the differences between “acquisition,” “access,” “use,” and “disclosure” in the exceptions in the final rule. These commenters expressed confusion regarding the use of these terms in the first two exceptions to the definition of breach, stating that the term “acquisition” connotes a disclosure of information, and thus, the exception regarding unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate implicitly includes disclosures of protected health information.
Response: While the Privacy Rule uses the terms “use” and “disclosure,” we included both “acquisition” and “access” in the regulatory text for consistency with the statutory language. We interpret “acquisition” and “access” to information based on their plain meanings and believe that both terms are encompassed within the current definitions of “use” and “disclosure” in the HIPAA Rules. For example, an acquisition may be a “use” or “disclosure” depending on who acquired the information – i.e., a workforce member or someone outside the covered entity, such as a business associate.
Comment: Several commenters supported our interpretations of the statutory terms “employee,” “same facility,” and “similarly situated individual” with respect to the exceptions to the definition of breach.
Response: We retain these clarifications in this final rule.
Comment: Some commenters asked that we use the term “use” instead of “disclosure” to describe the type of information exchange contemplated by the exception for certain inadvertent disclosures among persons similarly authorized to access protected health information at a covered entity or business associate since the information must be shared within a covered entity or business associate for the exception to apply.
Response: We clarify that the exception at paragraph (1)(ii) of the definition of “breach” is intended to apply to certain “disclosures” that may occur “at” a covered entity, business associate, or organized health care arrangement in which the covered entity participates – e.g., to persons onsite at a covered entity’s facility that are not workforce members, such as physicians with staff privileges at a hospital. For impermissible “uses” of protected health information among workforce members of a covered entity or a business associate, a covered entity or business associate should determine whether the exception to breach at paragraph (1)(i) regarding certain unintentional acquisition, access, or use by a workforce member or person acting under the authority of a covered entity or business associate applies.
Comment: One commenter asked if breach notification is required in cases where an impermissible use or disclosure originally qualifies for either of the exceptions to breach at § 164.402(1)(i) or (1)(ii) at the time the incident occurs but later no longer fits within the exception because the protected health information is further used or disclosed in an impermissible manner.
Response: The applicability of an exception to breach must be judged at the time the incident is discovered and evaluated. If an exception to breach is determined to apply such that notification is not warranted, the inquiry into that breach ends; however, the covered entity or business associate should take appropriate steps to ensure that the information is not further used or disclosed impermissibly. If, sometime after making the determination that the exception applied, the information is impermissibly used or disclosed, the covered entity or business associate should treat that incident as a separate impermissible use or disclosure that warrants evaluation as a breach on its own. As explained more fully below, we treat a breach as having occurred at the time of the impermissible use or disclosure, which in the case of the first two exceptions to breach, is at the time of the “further” impermissible use or disclosure.
Comment: One commenter asked that we broaden the application of the inadvertent disclosure exception to apply to all routine disclosures between covered entities. Other commenters asked that the rule exempt from the breach notification obligations situations in which a covered entity discloses information to a business associate or another covered entity. Commenters noted that because covered entities and business associates are required to protect the privacy of protected health information, there is little risk that even an impermissible disclosure between such entities would compromise the security or privacy of the information.
Response: We do not agree that such situations warrant a blanket exception from the breach notification rules. In appropriate cases, some of these impermissible disclosures among covered entities and covered entities and business associates may fall within the existing exceptions to breach at paragraphs (1)(i) and (ii) of the definition. Otherwise, such disclosures must be evaluated as to the probability that the protected health information has been compromised based on a risk assessment of a number of factors. While the fact that the recipient of an impermissible disclosure is a covered entity or business associate with obligations to protect the privacy and security of protected health information is a consideration with respect to assessing the risk that the protected health information has been compromised, it is not the only factor. For example, a covered entity or business associate must also evaluate the extent to which the risk to the protected health information has been mitigated.
Comment: Several commenters suggested that the exceptions to breach should not apply to situations where workforce members or employees further use or disclose information they unintentionally or inadvertently acquired, accessed, or used, even if such further use or disclosure is permitted under the Privacy Rule. Additionally, these commenters suggested that the breach exceptions should apply only in cases in which the workforce member or employee has taken appropriate steps to mitigate the unintentional acquisition, access, or use of protected health information, such as by alerting the sender of the misdirected information, if applicable, and returning or destroying it.
Response: We do not believe it is appropriate to prohibit the sharing of protected health information for permissible purposes following an unintentional or inadvertent error by a workforce member or an employee. Doing so would restrict access and disclosure of the protected health information for necessary treatment and other important purposes to the extent the workforce member or employee needed access to the information in the future for authorized purposes, which would adversely affect health care delivery. We believe that the rule strikes an appropriate balance by not allowing workforce member errors to be excepted from the definition of breach in cases where the workforce member takes the information he or she has mistakenly obtained and then misuses it.
With respect to requiring workforce members or employees to take appropriate steps to mitigate their unintentional access to protected health information, we note that the Privacy Rule already requires covered entities to ensure as part of their minimum necessary policies and procedures that workforce members have appropriate access to protected health information. Therefore, covered entities should ensure that workforce members who gain access in an unauthorized manner to protected health information do not continue to have such unauthorized access. This may require having policies which require workforce members to return or destroy the information to which they obtained unauthorized access. Further, covered entities must implement reasonable safeguards to protect against impermissible uses and disclosures, including further impermissible uses and disclosures by a workforce member who has gained unauthorized access to protected health information.
Comment: One commenter asked that we include an exception in the final rule for situations in which a laptop is lost and recovered and a forensic analysis shows that the protected health information on the computer was not accessed. The commenter stated that because the forensic analysis showed that the information was not compromised, a risk assessment should not be required.
Response: We do not include an explicit exception for this particular scenario. As we explained above, in cases where a lost laptop is recovered, the fact that a forensic analysis of the computer shows that its information was not accessed is a relevant consideration for the risk assessment, and entities in such situations may be able to demonstrate a low probability that the information has been compromised. However, covered entities and business associates still must document their risk assessments in these cases. We also note, as we did in the interim final rule, if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.
Comment: Some commenters asked that we create an exception to breach to cover certain routine impermissible disclosures of protected health information. For example, commenters asked that we except from notification disclosures made as a result of the covered entity mailing information to a patient’s old address, faxing information to the wrong number, disclosures made as a result of leaving a voice message at the wrong number reminding a patient of an upcoming appointment, or, in situations where patients have identical or similar names, contacting the wrong patient to inform him or her that lab results were ready.
Response: We decline to create such an exception. The ability of a covered entity or business associate to demonstrate that a particular situation poses a low probability that the protected health information was compromised is very fact specific and will depend on an assessment of all of the factors discussed above, such as to whom the information was disclosed, what information was disclosed, and what mitigation has taken place. We also note that, in some cases, some of the situations contemplated by the commenters may fall within an existing exception. For example, if a covered entity mails protected health information about an individual to a wrong address, the impermissible disclosure may fall into the exception at paragraph (1)(iii) of the definition of breach if the information is returned, undelivered and unopened, to the covered entity, such that an unauthorized recipient could not reasonably have retained the information. If, however, the information was not returned or if the covered entity was informed by the unauthorized recipient that he had received and opened the mail in error, the covered entity would need to complete a risk assessment to determine the probability that the protected health information had been compromised as a result of the impermissible disclosure.
Comment: Several commenters asked that we harmonize the final rule with the FTC’s Health Breach Notification final rule.
Response: Although the FTC and HHS breach notification rules generally apply to different entities, HHS has worked closely with the FTC to ensure both sets of regulations were harmonized to the greatest extent possible by including the same or similar requirements within the constraints of the statutory language. In addition, in the few situations where an entity provides PHRs to customers of a HIPAA covered entity through a business associate arrangement but also provides PHRs directly to the public and a breach of its records occurs, in certain cases, the FTC will deem compliance with certain provisions of HHS’ rule as compliance with FTC’s rule. See 74 FR 42964. In particular, in such situations, it may be appropriate for the vendor to provide the same breach notice to all its PHR customers since it has a direct relationship with all the affected individuals. Thus, in those limited circumstances where a vendor of PHRs (1) provides notice to individuals on behalf of a HIPAA covered entity, (2) has dealt directly with these individuals in managing their PHR accounts, and (3) provides notice to its customers at the same time, the FTC will deem compliance with HHS requirements governing the timing, method, and content of notice to be compliance with the corresponding FTC rule provisions. Note, however, that the PHR vendor still must comply with all other FTC rule requirements, including the requirement to notify the FTC within ten business days after discovering the breach.
Definition of “Unsecured Protected Health Information”
Interim Final Rule
Section 13402(h)(1)(A) of the Act defines “unsecured protected health information” as “protected health information” that is not secured through the use of a technology or methodology specified by the Secretary in guidance issued under [section 13402(h)(2)].” The Act at section 13402(h)(2) requires that the Secretary specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Accordingly, the interim final rule defined “unsecured protected health information” as protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. This guidance, which was published in updated form within the preamble to the interim final rule and made available on the HHS web site, specifies that only encryption and destruction, consistent with National Institute of Standards and Technology (NIST) guidelines, renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that notification is not required in the event of a breach of such information.
Overview of Public Comments
While we received a number of technical and other comments on the guidance, we did not receive any comments on the language of the above definition itself. We intend to address the comments on the guidance in our next update to the guidance.
Final Rule
The final rule modifies the interim final rule’s definition of “unsecured protected health information” to replace the term “unauthorized individuals” in the definition with “unauthorized persons.” The term “individual” is defined in § 160.103 to mean the person who is the subject of the protected health information, which is not what is intended with the reference to “individual” in the definition of “unsecured protected health information.” Accordingly, the final rule more appropriately uses the term “unauthorized persons.” The final rule also modifies the definition to remove the term “on the HHS web site” as unnecessary language. While we remove the reference to the HHS web site from the regulatory text, we do plan to continue to post updates to the guidance on the web site as they are issued.
HHS Description and Commentary From the Interim Breach Rules Notification in the Case of Breach -- Definitions
Section 13402 of the Act and this interim final rule require covered entities and business associates to provide notification following a breach of unsecured protected health information. Section 13400(1)(A) of the Act defines “breach” as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” Section 13400(1)(B) of the Act provides several exceptions to the definition of “breach.” Based on § 13400(1)(A), we have defined “breach” at § 164.402 of the interim final rule as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” We have added paragraph (1) to the definition to clarify when the security or privacy of information is considered to be compromised. Paragraph (2) of the definition then includes the statutory exceptions, including the exception within § 13400(1)(A) that refers to whether the recipient would reasonably have been able to retain the information.
Protected Health Information
We note that the definition of “breach” is limited to protected health information. With respect to a covered entity or business associate of a covered entity, protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, including electronic information. 45 CFR 160.103. If information is de-identified in accordance with 45 CFR 164.514(b), it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart. Additionally, § 160.103 excludes certain types of individually identifiable health information from the definition of “protected health information,” such as employment records held by a covered entity in its role as employer. If individually identifiable health information that is not protected health information is used or disclosed in an unauthorized manner, it would not qualify as a breach for purposes of this subpart – although the covered entity should consider whether it has notification requirements under other laws. Further, we note that although the definition of “breach” applies to protected health information generally, covered entities and business associates are required to provide the breach notifications required by the Act and this interim final rule (discussed below) only upon a breach of unsecured protected health information. See also Section II of this document for a list of the technologies and methodologies that render protected health information secure such that notification is not required in the event of a breach.
Unauthorized Acquisition, Access, Use, or Disclosure
The statute defines a “breach” as the “unauthorized” acquisition, access, use, or disclosure of protected health information. Several commenters asked that we define “unauthorized” or that we clarify its meaning. We clarify that “unauthorized” is an impermissible use or disclosure of protected health information under the HIPAA Privacy Rule (subpart E of 45 CFR part 164). Accordingly, the definition of “breach” at § 160.402 of the interim final rule interprets the “unauthorized acquisition, access, use, or disclosure of protected health information” as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part.”
We emphasize that not all violations of the Privacy Rule will be breaches under this subpart, and therefore, covered entities and business associates need not provide breach notification in all cases of impermissible uses and disclosures. We also note that the HIPAA Security Rule provides for administrative, physical, and technical safeguards and organizational requirements for electronic protected health information, but does not govern uses and disclosures of protected health information. Accordingly, a violation of the Security Rule does not itself constitute a potential breach under this subpart, although such a violation may lead to a use or disclosure of protected health information that is not permitted under the Privacy Rule and thus, may potentially be a breach under this subpart.
The Act does not define the terms “acquisition” and “access.” Several commenters asked that we define or identify the differences between acquisition, access, use, and disclosure of protected health information, for purposes of the definition of “breach.” We interpret “acquisition” and “access” to information based on their plain meanings and believe that both terms are encompassed within the current definitions of “use” and “disclosure” in the HIPAA Rules. Accordingly, we have not added separate definitions for these terms. We have retained the statutory terms in the regulation in order to maintain consistency with the statute. In addition, we note that while the HIPAA Security Rule at § 164.304 includes a definition of the term “access,” such definition is limited to the ability to use “system resources” and not to access to information more generally and thus, we have revised that definition to make clear that it does not apply for purposes of these breach notification rules.
For an acquisition, access, use, or disclosure of protected health information to constitute a breach, it must constitute a violation of the Privacy Rule. Therefore, one of the first steps in determining whether notification is necessary under this subpart is to determine whether a use or disclosure violates the Privacy Rule. We note that uses or disclosures that impermissibly involve more than the minimum necessary information, in violation of §§ 164.502(b) and 164.514(d), may qualify as breaches under this subpart. In contrast, a use or disclosure of protected health information that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule.
Compromises the Security or Privacy of Protected Health Information
The Act and regulation next limit the definition of “breach” to a use or disclosure that “compromises the security or privacy” of the protected health information. Accordingly, once it is established that a use or disclosure violates the Privacy Rule, the covered entity must determine whether the violation compromises the security or privacy of the protected health information.
For the purposes of the definition of “breach,” many commenters suggested that we add a harm threshold such that an unauthorized use or disclosure of protected health information is considered a breach only if the use or disclosure poses some harm to the individual. These commenters noted that the “compromises the security or privacy” language in § 13400(1)(A) of the Act contemplates that covered entities will perform some type of risk assessment to determine if there is a risk of harm to the individual, and therefore, if a breach has occurred. Commenters urged that the addition of a harm threshold to the definition would also align this regulation with many State breach notification laws that require entities to reach similar harm thresholds before providing notification. Finally, some commenters noted that failure to include a harm threshold for requiring breach notification may diminish the impact of notifications received by individuals, as individuals may be flooded with notifications for breaches that pose no risk of harm, and may cause unwarranted panic in individuals and the expenditure of undue costs and other resources by individuals in remedial action.
We agree that the statutory language encompasses a harm threshold and have clarified in paragraph (1) of the definition that “compromises the security or privacy of the protected health information” means “poses a significant risk of financial, reputational, or other harm to the individual.” This ensures better consistency and alignment with State breach notification laws, as well as existing obligations on Federal agencies (some of which also must comply with these rules as HIPAA covered entities) pursuant to OMB Memorandum M-07-16 to have in place breach notification policies for personally identifiable information that take into account the likely risk of harm caused by a breach in determining whether breach notification is required. Thus, to determine if an impermissible use or disclosure of protected health information constitutes a breach, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates may need to consider a number or combination of factors, some of which are described below.
Covered entities and business associates should consider who impermissibly used or to whom the information was impermissibly disclosed when evaluating the risk of harm to individuals. If, for example, protected health information is impermissibly disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency that is obligated to comply with the Privacy Act of 1974 (5 USC 552a) and the Federal Information Security Management Act of 2002 (44 USC 3541 et seq.), there may be less risk of harm to the individual, since the recipient entity is obligated to protect the privacy and security of the information it received in the same or similar manner as the entity that disclosed the information. In contrast, if protected health information is impermissibly disclosed to any entity or person that does not have similar obligations to maintain the privacy and security of the information, the risk of harm to the individual is much greater.
We expect that there may be circumstances where a covered entity takes immediate steps to mitigate an impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. If such steps eliminate or reduce the risk of harm to the individual to a less than “significant risk,” then we interpret that the security and privacy of the information has not been compromised and, therefore, no breach has occurred.
In addition, there may be circumstances where impermissibly disclosed protected health information is returned prior to it being accessed for an improper purpose. For example, if a laptop is lost or stolen and then recovered, and a forensic analysis of the computer shows that its information was not opened, altered, transferred, or otherwise compromised, such a breach may not pose a significant risk of harm to the individuals whose information was on the laptop. Note, however, that if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.
In performing a risk assessment, covered entities and business associates should also consider the type and amount of protected health information involved in the impermissible use or disclosure. If the nature of the protected health information does not pose a significant risk of financial, reputational, or other harm, then the violation is not a breach. For example, if a covered entity improperly discloses protected health information that merely included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program), or if the protected health information includes information that increases the risk of identity theft (such as a social security number, account number, or mother’s maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information. The risk assessment should be fact specific, and the covered entity or business associate should keep in mind that many forms of health information, not just information about sexually transmitted diseases or mental health, should be considered sensitive for purposes of the risk of reputational harm – especially in light of fears about employment discrimination.
We also address impermissible uses and disclosures involving limited data sets (as the term is used at 45 CFR 164.514(e) of the Privacy Rule), in paragraph (1) of the definition of “breach” at § 164.402 of the interim final rule. In the RFI discussed above, we asked for public comment on whether limited data sets should be considered unusable, unreadable, or indecipherable and included as a methodology in the guidance. A limited data set is created by removing the 16 direct identifiers listed in § 164.514(e)(2) from the protected health information. These direct identifiers include the name, address, social security number, and account number of an individual or the individual’s relative, employer, or household member. When these 16 direct identifiers are removed from the protected health information, the information is not completely de-identified pursuant to 45 CFR 164.514(b). In particular, the elements of dates, such as dates of birth, and zip codes are allowed to remain within the limited data set, which increases the potential for re-identification of the information. Because there is a risk of re-identification of the information within a limited data set, the Privacy Rule treats this information as protected health information that may only be used or disclosed as permitted by the Privacy Rule.
Several commenters suggested that the limited data set should not be included in the guidance as a method to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. These commenters cited concerns about the risk of re-identification of protected health information in a limited data set and noted that, as more data exists in electronic form and as more data becomes public, it will be easier to combine these various sources to reestablish the identity of the individual. Furthermore, due to the risk of re-identification, these commenters stated that creating a limited data set was not comparable to encrypting information, and therefore, should not be included as a method to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.
The majority of commenters, however, did support the inclusion of the limited data set in the guidance. These commenters stated that it would be impractical to require covered entities and business associates to notify individuals of a breach of information within a limited data set because, by definition, such information excludes the very identifiers that would enable covered entities and business associates, without undue burden, to identify the affected individuals and comply with the breach notification requirements. Additionally, these commenters cited contractual concerns regarding the data use agreement, which prohibits the recipient of a limited data set from re-identifying the information and therefore, may pose problems with complying with the notification requirements of § 13402(b) of the Act. These commenters also noted that the decision to exclude the limited data set from the guidance, such that a breach of a limited data set would require breach notification, would reduce the likelihood that covered entities would continue to create and share limited data sets. This, in turn, would have a chilling effect on the research and public health communities, which rely on receiving information from covered entities in limited data set form.
Finally, commenters noted that the removal of the 16 direct identifiers in the limited data set presents a minimal risk of serious harm to the individual by limiting the possibility that the information could be used for an illicit purpose if breached. These commenters also suggested that the inclusion of the limited data set in the guidance would align with most state breach notification laws, which, as a general matter, only require notification when certain identifiers are exposed and when there is a likelihood that the breach will result in harm to the individual.
We also asked commenters if they believed that the removal of an individual’s date of birth or zip code, in addition to the 16 direct identifiers in 45 CFR 164.514(e)(2), would reduce the risk of re-identification of the information such that it could be included in the guidance. Several commenters responded to this question. While some stated that the removal of these data elements would render the information useless to the research and public health communities, which may, for example, require zip codes for many population based studies, many commenters did acknowledge that the removal of these additional identifiers would reduce the risk of re-identification of the information.
After considering these comments, we decided against including the limited data set in the guidance as a method for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals due to the potential risk of re-identification of this information. However, we address breaches of limited data sets in the definition of “breach” as follows. Under the definition of “breach” at § 164.402, in order to determine whether a covered entity’s or business associate’s impermissible use or disclosure of protected health information constitutes a breach, the covered entity or business associate will need to perform the risk assessment discussed above. This applies to impermissible uses or disclosures of protected health information that constitute a limited data set, unless, as discussed below, the protected health information also does not include zip codes or dates of birth. In performing the risk assessment to determine the likely risk of harm caused by an impermissible use or disclosure of a limited data set, the covered entity or business associate should take into consideration the risk of re-identification of the protected health information contained in the limited data set.
Through a risk assessment, a covered entity or business associate may determine that the risk of identifying a particular individual is so small that the use or disclosure poses no significant risk of harm to any individuals. For example, it may be determined that an impermissible use or disclosure of a limited data set that includes zip codes, based on the population features of those zip codes, does not create a significant risk that a particular individual can be identified. Therefore, there would be no significant risk of harm to the individual. If there is no significant risk of harm to the individual, then no breach has occurred and no notification is required. If, however, the covered entity or business associate determines that the individual can be identified based on the information disclosed, and there is otherwise a significant risk of harm to the individual, then breach notification is required, unless one of the other exceptions discussed below applies.
We have provided a narrow, explicit exception to what compromises the privacy or security of protected health information for a use or disclosure of protected health information that excludes the 16 direct identifiers listed at 45 CFR 164.514(e)(2) as well as dates of birth and zip codes. Thus, we deem an impermissible use or disclosure of this information to not compromise the security or privacy of the protected health information, because we believe that impermissible uses or disclosures of this information – if subjected to the type of risk assessment described above – would pose a low level of risk. We emphasize that this is a narrow exception. If, for example, the information does not contain birth dates but does contain zip code information or contains both birth dates and zip code information, then this narrow exception would not apply, and the covered entity or business associate would be required to perform a risk assessment to determine if the risk of re-identification poses a significant risk of harm to the individual. We invite comments on this narrow exception. We do not believe that this narrow exception will have the unintended consequence of discouraging the use of encryption and other methods for rendering protected health information unusable, unreadable, or indecipherable; however, we invite comments on this issue as well. Finally, we note that this narrow exception should not be construed as encouraging or permitting the use or disclosure of more than the minimum necessary information, in violation of §§ 164.502(b) and 164.514(d).
We do not intend to interfere with research or public health activities that rely on dates of birth or zip codes. Uses and disclosures of limited data sets that include this information continue to be permissible under the Privacy Rule if the applicable requirements, such as a data use agreement, are satisfied. Further, we note that a covered entity or business associate is not responsible for a breach by a third party to whom it permissibly disclosed protected health information, including limited data sets, unless the third party received the information in its role as an agent of the covered entity or business associate. To the extent that a third party recipient of the information is itself a covered entity, and the information is breached while at the third party (i.e., used or disclosed in an impermissible manner and in a manner determined to compromise the privacy or security of the information), then the third party will be responsible for breach notification. If a covered entity is the recipient of a limited data set pursuant to § 164.514(e) of the Privacy Rule and it is unable to re-identify the individuals after a breach occurs, it may satisfy the requirements of § 164.404 without re-identifying the information, by providing substitute notice to the individuals as required by paragraph (d)(2) of that section.
We note that the discussion above regarding “limited data sets” applies to any protected health information that excludes the 16 direct identifiers listed at §164.514(e)(2), regardless of whether the information is used for health care operations, public health, or research purposes (see §164.514(e)(3)(i)), and is subject to a data use agreement under § 164.514(e) of the Privacy Rule. Thus, for example, a covered entity that impermissibly uses or discloses data that is stripped of the 16 direct identifiers described above, zip codes, and dates of birth, may take advantage of the exception to what is a breach, regardless of the intended purpose of the use or disclosure or whether a data use agreement was in place.
With respect to any type of protected health information, we note that § 164.414, discussed below, gives covered entities and business associates the burden of demonstrating that no breach has occurred because the impermissible use or disclosure did not pose a significant risk of harm to the individual. Covered entities and business associates must document their risk assessments, so that they can demonstrate, if necessary, that no breach notification was required following an impermissible use or disclosure of protected health information. For impermissible uses or disclosures of protected health information that fall under the narrow exception at paragraph (1)(ii) of this definition, which do not qualify as breaches because the protected health information is a limited data set that does not include zip codes or dates of birth, documentation that demonstrates that the lost information did not include these identifiers will suffice.
Exceptions to Breach
Section 13400(1) of the Act also includes three exceptions to the definition of “breach” that encompass situations Congress clearly intended to not constitute breaches: (1) unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate (§ 13400(1)(B)(i)); (2) inadvertent disclosure of protected health information from one person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate (§ 13400(1)(B)(ii) and (iii)); and (3) unauthorized disclosures in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information (§ 13400(1)(A)). We have included these three exceptions as paragraphs (2)(i), (ii), and (iii), respectively.
The first regulatory exception at paragraph (2)(i) of this definition, for unintentional acquisition, access, or use of protected health information, generally mirrors the exception in § 13400(1)(B)(i) of the Act. This statutory section excepts from the definition of “breach” the unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or a business associate, if the acquisition, access, or use was made in good faith, within the course and scope of employment or other professional relationship, and does not result in further use or disclosure.
We modified the statutory language to use “workforce members” instead of employees. Workforce member is a defined term in 45 CFR 160.103 and means “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.”
A person is acting under the authority of a covered entity or business associate if he or she is acting on its behalf. This may include a workforce member of a covered entity, an employee of a business associate, or even a business associate of a covered entity. Similarly, to determine whether the access, acquisition, or use was made “within the scope of authority,” the covered entity or business associate should consider whether the person was acting on its behalf at the time of the inadvertent acquisition, access, or use.
Additionally, while the statutory language provides that this exception applies where the recipient does not further use or disclose the information, we have interpreted this exception as encompassing circumstances where the recipient does not further use or disclose the information in a manner not permitted under the Privacy Rule. In circumstances where any further use or disclosure of the information is permissible under the Privacy Rule, we interpret that there is no breach because the security and privacy of the information has not been compromised by any such permissible use or disclosure.
To illustrate this exception, we offer the following example. A billing employee receives and opens an e-mail containing protected health information about a patient which a nurse mistakenly sent to the billing employee. The billing employee notices that he is not the intended recipient, alerts the nurse of the misdirected e-mail, and then deletes it. The billing employee unintentionally accessed protected health information to which he was not authorized to have access. However, the billing employee’s use of the information was done in good faith and within the scope of authority, and therefore, would not constitute a breach and notification would not be required, provided the employee did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.
In contrast, a receptionist at a covered entity who is not authorized to access protected health information decides to look through patient files in order to learn of a friend’s treatment. In this case, the impermissible access to protected health information would not fall within this exception to breach because such access was neither unintentional, done in good faith, nor within the scope of authority.
The second regulatory exception, at paragraph (2)(ii) of this definition, covers inadvertent disclosures and generally mirrors the exception provided in § 13400(1)(B)(ii) and (iii) of the Act, with slight modifications. The statute excepts from the definition of “breach” inadvertent disclosures from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility if the information is not further used or disclosed without authorization. We have modified the statutory language slightly to except from breach inadvertent disclosures of protected health information from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates. Organized health care arrangement is defined by the HIPAA Rules to mean, among other things, a clinically integrated care setting in which individuals typically receive health care from more than one health care provider. See 45 CFR 160.103. This includes, for example, a covered entity, such as a hospital, and the health care providers who have staff privileges at the hospital.
We received several comments with respect to this exception, and many commenters asked that we clarify and explain the statutory language regarding what it means to be a “similarly situated individual” and what constitutes the “same facility” for purposes of this exception. We believe that a “similarly situated individual,” for purposes of the statute, means an individual who is authorized to access protected health information, and thus, for clarity, we have substituted this language for the statutory language in the regulation. Thus, a person who is authorized to access protected health information is similarly situated, for purposes of this regulation, to another person at the covered entity, business associate of the covered entity, or organized health care arrangement in which the covered entity participates, who is also authorized to access protected health information (even if the two persons may not be authorized to access the same types of protected health information). For example, a physician who has authority to use or disclose protected health information at a hospital by virtue of participating in an organized health care arrangement with the hospital is similarly situated to a nurse or billing employee at the hospital. In contrast, the physician is not similarly situated to an employee at the hospital who is not authorized to access protected health information.
Additionally, we have interpreted “same facility” to mean the same covered entity, business associate, or organized health care arrangement in which the covered entity participates and have substituted this language in the regulation. By focusing on the legal entity or status of the entities as an organized health care arrangement when interpreting “same facility,” we believe we have more clearly captured the intent of the statute and have also alleviated commenter concerns that the term “facility” was too narrow. Therefore, the size of the covered entity, business associate, or organized health care arrangement will dictate the scope of this exception. If a covered entity has a single location, then the exception will apply to disclosures between a workforce member and, e.g., a physician with staff privileges at that single location. However, if a covered entity has multiple locations across the country, the same exception will apply even if the workforce member makes the disclosure to a physician with staff privileges at a facility located in another state.
We interpret the statutory limitation that the information not be “further acquired, accessed, used, or disclosed without authorization” as meaning that the information is not further used or disclosed in a manner not permitted by the Privacy Rule. Thus, this exception encompasses circumstances in which a person who is authorized to use or disclose protected health information within a covered entity, business associate, or organized health care arrangement inadvertently discloses that information to another person who is authorized to use or disclose protected health information within the same covered entity, business associate, or organized health care arrangement, as long as the recipient does not further use or disclose the information in violation of the Privacy Rule.
The final regulatory exception to breach at paragraph (2)(iii) of this definition mirrors the exception found in § 13400(1)(A) of the Act. The statute excepts from the definition of “breach” situations in which the unauthorized person to whom protected health information has been disclosed would not reasonably have been able to retain the information. We have slightly modified this language to except from “breach” situations where a covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure of protected health information was made would not reasonably have been able to retain the information.
For example, a covered entity, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals. A few of the EOBs are returned by the post office, unopened, as undeliverable. In these circumstances, the covered entity can conclude that the improper addressees could not reasonably have retained the information. The EOBs that were not returned as undeliverable, however, and that the covered entity knows were sent to the wrong individuals, should be treated as potential breaches.
As another example, a nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes her mistake and recovers the protected health information from the patient. If the nurse can reasonably conclude that the patient could not have read or otherwise retained the information, then this would not constitute a breach.
With respect to any of the three exceptions discussed above, a covered entity or business associate has the burden of proof, pursuant to § 164.414(b) (discussed below), for showing why breach notification was not required. Accordingly, the covered entity or business associate must document why the impermissible use or disclosure falls under one of the above exceptions.
Based on the above, we envision that covered entities and business associates will need to do the following to determine whether a breach occurred. First, the covered entity or business associate must determine whether there has been an impermissible use or disclosure of protected health information under the Privacy Rule. Second, the covered entity or business associate must determine, and document, whether the impermissible use or disclosure compromises the security or privacy of the protected health information. This occurs when there is a significant risk of financial, reputational, or other harm to the individual. Lastly, the covered entity or business associate may need to determine whether the incident falls under one of the exceptions in paragraph (2) of the breach definition.
We treat the breach as having occurred at the time of the impermissible use or disclosure (or in the case of the exceptions listed at paragraphs (2)(i) and (ii) of the definition of “breach,” at the time of the “further” impermissible use or disclosure), but recognize that a covered entity or business associate may require a reasonable amount of time to confirm whether the incident qualifies as a breach. As discussed below, a breach is considered discovered when the incident becomes known, not when the covered entity or business associate concludes the above analysis of whether the facts constitute a breach.
HHS Description and Commentary From the Original Breach Rules: Notification in the Case of Breach -- Definitions: Unsecured Protected Health Information
Section 13402(h)(1)(A) of the Act defines “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance issued under [§ 13402(h)(2)].” Further, the Act at § 13402(h)(2) requires that the Secretary specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Accordingly, the interim final rule defines “unsecured protected health information” to mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. We also provide in the regulation that the guidance will be published on the HHS web site.
Section 13402(h)(2) of the Act required that the Secretary initially issue such guidance, after consultation with stakeholders, no later than 60 days after enactment, or April 17, 2009. As discussed above, the Secretary issued the guidance along with a request for information on April 17, 2009, on the HHS web site at http://www.hhs.gov/ocr/privacy/ and the guidance was later published in the Federal Register on April 27, 2009 (74 FR 19006). The Department has reviewed the public comment received in response to the request for information and provides an update to the guidance in Section II of this document. As provided in this interim final rule, this updated guidance is also (and any future updates will be) available on the HHS web site at http://www.hhs.gov/ocr/privacy/.
We note that the definition of “unsecured protected health information” in the Act and this interim final rule incorporates generally the term “protected health information,” as defined at 45 CFR 160.103 of the HIPAA Rules, which includes information in any form or medium. Accordingly, the term “unsecured protected health information” can include information in any form or medium, including electronic, paper, or oral form.