HIPAA Regulations: Notification in the Case of Breach -- Notification to Individuals: General Rule - § 164.404(a)
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
HHS Regulations
(a) Standard--
(1) General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
(2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, §§ 164.406(a), and 164.408(a), a breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).
HHS Discussion and Commentary From the January 2013 Amendments
Interim Final Rule
Section 13402(a) of the Act provides that a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each affected individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.
Accordingly, § 164.404(a)(1) of the interim final rule included the general rule that a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach.
Breaches Treated as Discovered
Section 13402(c) of the HITECH Act states that a breach shall be treated as discovered by a covered entity or business associate as of the first day on which such breach is known or should reasonably have been known to the covered entity or business associate. The Act also specifies that this discovery is triggered as soon as any person, other than the individual committing the breach, who is an employee, officer, or other agent of the covered entity or business associate knows or should reasonably have known of the breach.
Section 164.404(a)(2) of the interim final rule implemented the Act’s discovery provision, with respect to covered entities, by stating that a breach shall be treated as discovered by a covered entity on the first day the breach is known to the covered entity, or by exercising reasonable diligence would have been known to the covered entity. The interim final rule incorporated the term “by exercising reasonable diligence,” which is used in the HIPAA Enforcement Rule and defined to mean the “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.”
Section 164.404(a)(2) of the interim final rule further provided, in accordance with the Act, that a covered entity is deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person other than the person committing the breach, who is a workforce member or agent of the covered entity. Thus, the breach is treated as discovered by the covered entity at the time the workforce member or other agent has knowledge of the breach. The rule also clarified that the federal common law of agency controls in determining who is an agent of the covered entity, which is consistent with how agency liability is determined under the HIPAA Rules.
Overview of Public Comments
Several commenters argued that a breach should be treated as discovered by a covered entity only after management has been notified of the incident. Commenters stated that the Department should not hold an entity responsible for knowing of a breach if an appropriately trained employee fails to inform the proper persons within the entity of a breach. Other commenters asked for guidance and more clarification regarding what it means for a covered entity or business associate to be exercising reasonable diligence, such as what frequency of monitoring for breaches is expected or what types of systems covered entities and business associates must have in place to detect breaches.
Final Rule
We retain § 164.404(a)(2) in this final rule without modification. We decline to adopt the suggestion that a covered entity be deemed to have discovered a breach only when management is notified of the breach. The HITECH Act itself provides that a breach is to be treated as discovered by a covered entity or business associate if “any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate” knows or should reasonably have known of the breach. This concept is also consistent with the HIPAA Enforcement Rule and the Federal common law of agency. We encourage covered entities and business associates to ensure their workforce members and other agents are adequately trained on the importance of prompt reporting of privacy and security incidents.
With respect to those commenters asking for guidance on what it means for a covered entity to be exercising reasonable diligence, we note that the term reasonable diligence, as defined in § 160.401, means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. The determination of whether a person acted with reasonable diligence is generally a factual one, since what is reasonable depends on the circumstances.
Factors to be considered include whether a covered entity or business associate took reasonable steps to learn of breaches and whether there were indications of breaches that a person seeking to satisfy the Rule would have investigated under similar circumstances.
Covered entities and business associates may wish to look to how other covered entities and business associates operating under similar circumstances conduct themselves for a standard of practice.
HHS Description and Commentary From the Interim Breach Rule
Notification to Individuals: General Rule
Section 164.404 of the interim final rule provides the requirements for the notifications covered entities are to provide to individuals affected by a breach of unsecured protected health information. This section includes implementation specifications regarding timeliness, content, and methods of the notice.
Section 164.404(a)(1) provides the general rule that a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. This regulatory provision implements § 13402(a) of the Act, but does not include the phrase “that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses” used in the statute to describe a covered entity’s actions with respect to unsecured protected health information because inclusion of such terms was deemed unnecessary. In addition, the statute refers to protected health information that has been “accessed, acquired, or disclosed”; it does not include “used.” In contrast, the statutory definition of “breach” refers to the “acquisition, access, use, or disclosure” of protected health information. For consistency with the definition, therefore, we have added “used” to the list of actions for which notification is required in § 164.404(a)(1).
Breaches Treated as Discovered
Section 164.404(a)(2) states that a breach shall be treated as discovered by a covered entity as of the first day the breach is known to the covered entity, or by exercising reasonable diligence would have been known to the covered entity. Thus, a covered entity is not liable for failing to provide notification in cases in which it is not aware of a breach unless the covered entity would have been aware of the breach had it exercised reasonable diligence. Section 164.404(a)(2) further provides that a covered entity is deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency). These provisions implement § 13402(c) of the Act but clarify that the federal common law of agency is to control in determining who is an agent of the covered entity. This approach is consistent with the HIPAA Enforcement Rule (45 CFR part 160, subparts C through E), which provides that the federal common law of agency applies in determining agency liability under the HIPAA Rules.
We have also modified the statutory language slightly to better conform to existing language in the HIPAA Enforcement Rule by incorporating the term “by exercising reasonable diligence.” The term “reasonable diligence” means the “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.” We have made these clarifications for consistency and uniformity across the regulations.