Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Provisional Breach Notification Regulation

Provisional Breach Notification Regulation

Ratings: (0)|Views: 18 |Likes:
Published by huffpostfund
The provisional breach notification regulation.
The provisional breach notification regulation.

More info:

Published by: huffpostfund on Dec 01, 2009
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Monday, August 24, 2009
Part II
Department of Health and Human Services
45 CFR Parts 160 and 164Breach Notification for Unsecured Protected Health Information; Interim Final Rule
VerDate Nov<24>2008 15:01 Aug 21, 2009Jkt 217001PO 00000Frm 00001Fmt 4717Sfmt 4717E:\FR\FM\24AUR2.SGM24AUR2
  e  r  o  w  e  o  n   D   S   K   5   C   L   S   3   C   1   P   R   O   D  w   i   t   h   R   U   L   E   S_   2
Federal Register
/Vol. 74, No. 162/Monday, August 24, 2009/Rules and Regulations
DEPARTMENT OF HEALTH ANDHUMAN SERVICESOffice of the Secretary45 CFR Parts 160 and 164
RIN 0991–AB56
Breach Notification for UnsecuredProtected Health Information
Office for Civil Rights,Department of Health and HumanServices.
Interim final rule with requestfor comments.
The Department of Health andHuman Services (HHS) is issuing thisinterim final rule with a request forcomments to require notification of  breaches of unsecured protected healthinformation. Section 13402 of theHealth Information Technology forEconomic and Clinical Health (HITECH)Act, part of the American Recovery andReinvestment Act of 2009 (ARRA) thatwas enacted on February 17, 2009,requires HHS to issue interim finalregulations within 180 days to requirecovered entities under the HealthInsurance Portability andAccountability Act of 1996 (HIPAA) andtheir business associates to providenotification in the case of breaches of unsecured protected health information.For purposes of determining whatinformation is ‘‘unsecured protectedhealth information,’’ in this documentHHS is also issuing an update to itsguidance specifying the technologiesand methodologies that render protectedhealth information unusable,unreadable, or indecipherable tounauthorized individuals.
Effective Date:
This interim finalrule is effective September 23, 2009.
Comment Date:
Comments on theprovisions of this interim final rule aredue on or before October 23, 2009.Comments on the information collectionrequirements associated with this ruleare due on or before September 8, 2009.
You may submit comments,identified by RIN 0991–AB56, by any of the following methods (please do notsubmit duplicate comments):
Follow theinstructions for submitting comments.Attachments should be in MicrosoftWord, WordPerfect, or Excel; however,we prefer Microsoft Word.
Regular, Express, or Overnight Mail:
U.S. Department of Health and HumanServices, Office for Civil Rights,Attention: HITECH Breach Notification,Hubert H. Humphrey Building, Room509F, 200 Independence Avenue, SW.,Washington, DC 20201. Please submitone original and two copies.
Hand Delivery or Courier:
Office forCivil Rights, Attention: HITECH BreachNotification, Hubert H. HumphreyBuilding, Room 509F, 200Independence Avenue, SW.,Washington, DC 20201. Please submitone original and two copies. (Becauseaccess to the interior of the Hubert H.Humphrey Building is not readilyavailable to persons without federalgovernment identification, commentersare encouraged to leave their commentsin the mail drop slots located in themain lobby of the building.)
Inspection of Public Comments:
Allcomments received before the close of the comment period will be available forpublic inspection, including anypersonally identifiable or confidential business information that is included ina comment. We will post all commentsreceived before the close of thecomment period at
Becausecomments will be made public, theyshould not include any sensitivepersonal information, such as a person’ssocial security number; date of birth;driver’s license number, stateidentification number or foreign countryequivalent; passport number; financialaccount number; or credit or debit cardnumber. Comments also should notinclude any sensitive healthinformation, such as medical records orother individually identifiable healthinformation.
For access to the docket toread background documents orcomments received, go to
or U.S. Departmentof Health and Human Services, Officefor Civil Rights, 200 IndependenceAvenue, SW., Washington, DC 20201(call ahead to the contact listed belowto arrange for inspection).
Andra Wicks, 202–205–2292.
I. Background
The Health Information Technologyfor Economic and Clinical Health(HITECH) Act, Title XIII of Division Aand Title IV of Division B of theAmerican Recovery and ReinvestmentAct of 2009 (ARRA) (Pub. L. 111–5), wasenacted on February 17, 2009. SubtitleD of Division A of the HITECH Act (theAct), entitled ‘‘Privacy,’’ among otherprovisions, requires the Department of Health and Human Services (HHS or theDepartment) to issue interim finalregulations for breach notification bycovered entities subject to theAdministrative Simplificationprovisions of the Health InsurancePortability and Accountability Act of 1996 (HIPAA) (Pub. L. 104–191) andtheir business associates.These breach notification provisionsare found in section 13402 of the Actand apply to HIPAA covered entitiesand their business associates thataccess, maintain, retain, modify, record,store, destroy, or otherwise hold, use, ordisclose unsecured protected healthinformation. The Act incorporates thedefinitions of ‘‘covered entity,’’‘‘business associate,’’ and ‘‘protectedhealth information’’ used in the HIPAAAdministrative Simplificationregulations (45 CFR parts 160, 162, and164) (HIPAA Rules) at §160.103. Underthe HIPAA Rules, a covered entity is ahealth plan, health care clearinghouse,or health care provider that transmitsany health information electronically inconnection with a covered transaction,such as submitting health care claims toa health plan. Business associate, asdefined in the HIPAA Rules, means aperson who performs functions oractivities on behalf of, or certainservices for, a covered entity thatinvolve the use or disclosure of individually identifiable healthinformation. Examples of businessassociates include third partyadministrators or pharmacy benefitmanagers for health plans, claimsprocessing or billing companies,transcription companies, and personswho perform legal, actuarial,accounting, management, oradministrative services for coveredentities and who require access toprotected health information. TheHIPAA Rules define ‘‘protected healthinformation’’ as the individuallyidentifiable health information held ortransmitted in any form or medium bythese HIPAA covered entities and business associates, subject to certainlimited exceptions.The Act requires HIPAA coveredentities to provide notification toaffected individuals and to the Secretaryof HHS following the discovery of a breach of unsecured protected healthinformation. In addition, in some cases,the Act requires covered entities toprovide notification to the media of  breaches. In the case of a breach of unsecured protected health informationat or by a business associate of a coveredentity, the Act requires the businessassociate to notify the covered entity of the breach. Finally, the Act requires theSecretary to post on an HHS Web sitea list of covered entities that experience breaches of unsecured protected healthinformation involving more than 500individuals.
VerDate Nov<24>2008 15:01 Aug 21, 2009Jkt 217001PO 00000Frm 00002Fmt 4701Sfmt 4700E:\FR\FM\24AUR2.SGM24AUR2
  e  r  o  w  e  o  n   D   S   K   5   C   L   S   3   C   1   P   R   O   D  w   i   t   h   R   U   L   E   S_   2
Federal Register
/Vol. 74, No. 162/Monday, August 24, 2009/Rules and Regulations
The FTC issued a notice of proposed rulemakingto implement section 13407 of the Act on April 20,2009 (74 FR 17914).
Section 13400(1) of the Act defines‘‘breach’’ to mean, generally, theunauthorized acquisition, access, use, ordisclosure of protected healthinformation which compromises thesecurity or privacy of such information.The Act provides exceptions to thisdefinition to encompass disclosureswhere the recipient of the informationwould not reasonably have been able toretain the information, certainunintentional acquisition, access, or useof information by employees or personsacting under the authority of a coveredentity or business associate, as well ascertain inadvertent disclosures amongpersons similarly authorized to accessprotected health information at a business associate or covered entity.Further, section 13402(h) of the Actdefines ‘‘unsecured protected healthinformation’’ as ‘‘protected healthinformation that is not secured throughthe use of a technology or methodologyspecified by the Secretary in guidance’’and provides that the guidance specifythe technologies and methodologies thatrender protected health informationunusable, unreadable, or indecipherableto unauthorized individuals. Coveredentities and business associates thatimplement the specified technologiesand methodologies with respect toprotected health information are notrequired to provide notifications in theevent of a breach of such information—that is, the information is notconsidered ‘‘unsecured’’ in such cases.As required by the Act, the Secretaryinitially issued this guidance on April17, 2009 (it was subsequently publishedin the
Federal Register
at 74 FR 19006on April 27, 2009). The guidance listedand described encryption anddestruction as the two technologies andmethodologies for rendering protectedhealth information unusable,unreadable, or indecipherable tounauthorized individuals.In cases in which notification isrequired, the Act at section 13402prescribes the timeliness, content, andmethods of providing the breachnotifications. We discuss these and theabove statutory provisions in moredetail below where we describe section- by-section how these new regulationsimplement the breach notificationprovisions at section 13402 of the Act.In addition to the breach notificationprovisions for HIPAA covered entitiesand business associates at section13402, section 13407 of the Act, whichis to be implemented and enforced bythe Federal Trade Commission (FTC),imposes similar breach notificationrequirements upon vendors of personalhealth records (PHRs) and their thirdparty service providers following thediscovery of a breach of security of unsecured PHR identifiable healthinformation.
As with the definition of ‘‘unsecured protected healthinformation,’’ the provisions at section13407(f)(3) define ‘‘unsecured PHRidentifiable health information’’ as PHRidentifiable health information that isnot protected through the use of atechnology or methodology specified bythe Secretary of HHS in guidance. Thus,entities subject to the FTC breachnotification rules must also use theSecretary’s guidance to determinewhether the information subject to a breach was ‘‘unsecured’’ and, therefore,whether breach notification is required.When HHS issued the guidance, HHSalso published in the same document arequest for information (RFI), invitingpublic comment both on the guidanceitself, as well as on the breachprovisions of section 13402 of the Actgenerally. After considering the publiccomment, we are issuing an updatedversion of the guidance in Section II below. In addition, we discuss publiccomment received on the Act’s breachnotification provisions where relevant below in the section-by-sectiondescription of the interim final rule.We have concluded that we have goodcause, under 5 U.S.C. 553(b)(B), towaive the notice-and-commentrequirements of the AdministrativeProcedure Act and to proceed with thisinterim final rule. Section 13402(j)explicitly required us to issue theseregulations as ‘‘interim finalregulations’’ and to do so within 180days. Based on this statutory directiveand limited time frame, we concludedthat notice-and-comment rulemakingwas impracticable and contrary topublic policy. Nevertheless, we soughtcomments in the RFI referenced aboveand considered those comments whendrafting this rule. In addition, weprovide the public with a 60-day periodfollowing publication of this documentto submit comments on the interim finalrule.
II. Guidance Specifying theTechnologies and Methodologies ThatRender Protected Health InformationUnusable, Unreadable, orIndecipherable to UnauthorizedIndividuals
A. Background 
As discussed above, section 13402 of the Act requires breach notificationfollowing the discovery of a breach of unsecured protected health information.Section 13402(h) of the Act defines‘‘unsecured protected healthinformation’’ as ‘‘protected healthinformation that is not secured throughthe use of a technology or methodologyspecified by the Secretary in guidance’’and requires the Secretary to specify inthe guidance the technologies andmethodologies that render protectedhealth information unusable,unreadable, or indecipherable tounauthorized individuals. As required by the Act, this guidance was issued onApril 17, 2009, and later published inthe
Federal Register
on April 27, 2009(74 FR 19006). The guidance specifiedencryption and destruction as thetechnologies and methodologies forrendering protected health information,as well as PHR identifiable healthinformation under section 13407 of theAct and the FTC’s implementingregulation, unusable, unreadable, orindecipherable to unauthorizedindividuals such that breachnotification is not required. The RFIasked for general comment on thisguidance as well as for specificcomment on the technologies andmethodologies to render protectedhealth information unusable,unreadable, or indecipherable tounauthorized individuals.Many commenters expressed concernand confusion regarding the purpose of the guidance and its impact on acovered entity’s responsibilities underthe HIPAA Security Rule (45 CFR part164, subparts A and C). We emphasizethat this guidance does nothing tomodify a covered entity’sresponsibilities with respect to theSecurity Rule nor does it impose anynew requirements upon covered entitiesto encrypt all protected healthinformation. The Security Rule requirescovered entities to safeguard electronicprotected health information andpermits covered entities to use anysecurity measures that allow them toreasonably and appropriatelyimplement all safeguard requirements.Under 45 CFR 164.312(a)(2)(iv) and(e)(2)(ii), a covered entity must considerimplementing encryption as a methodfor safeguarding electronic protectedhealth information; however, becausethese are addressable implementationspecifications, a covered entity may bein compliance with the Security Ruleeven if it reasonably decides not toencrypt electronic protected healthinformation and instead uses acomparable method to safeguard theinformation.Therefore, if a covered entity choosesto encrypt protected health informationto comply with the Security Rule, doesso pursuant to this guidance, andsubsequently discovers a breach of that
VerDate Nov<24>2008 15:01 Aug 21, 2009Jkt 217001PO 00000Frm 00003Fmt 4701Sfmt 4700E:\FR\FM\24AUR2.SGM24AUR2
  e  r  o  w  e  o  n   D   S   K   5   C   L   S   3   C   1   P   R   O   D  w   i   t   h   R   U   L   E   S_   2

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->