Law requires health data breach notifications

The recently enacted economic stimulus law includes new requirements for how companies must notify people of breaches to their protected health information. Some experts say the rules could lead to federal breach notification requirements for other types of data.

Health data experts are still studying provisions in the $787 billion spending law that will expand what health care-related businesses are required to do when they discover unsecured, protected medical data has been breached.

The law gave the Health and Human Services Department 60 days to issue guidance on the types of technologies and methodologies that should be used to make protected health information secure -- unusable, unreadable or indecipherable to unauthorized people.

Under the new law if a health care provider, health plan administrator or health care clearing house covered under the Health Insurance Portability and Accountability Act (HIPAA) has a breach to the personal medical data it holds which is not secured in the way HHS recommends, that organization will have to notify within 60 days each person whose data is believed to have been compromised. Companies that work with those entities that handle the medical data will also have to notify the company they work for if a breach is believed to have occurred on their watch.

“It is a big change in terms of the scope of the laws…and it now establishes a federal standard so regardless of what state you do business in, if you do business in the health industry, you are likely to be subject to these breach requirements,” said Kathryn Roe, an attorney focused on health care with the firm Neal, Gerber and Eisenberg in Chicago.

Federal lawmakers have made several recent attempts to pass national data notification requirements for data breaches of all kinds, but thus far those efforts have stalled and states have promulgated their own requirements. Without a national rule for data breach notifications, more than 40 states have developed their own data breach notification requirements.

Lisa Sotto, head of the privacy and information management practice at law firm of Hunton and Williams and an expert on privacy and data security, said the current situation is complex because data breaches rarely affect residents of just one state and laws often differ.

“I think what could happen here is this could set the bar and become the standard of data compromises of other types of sensitive personal data,” Sotto said.

The new law, only applicable to protected medical data, requires that individuals affected by the breach are notified in writing and that local news media are alerted of the breach in cases where more than 500 people are believed to have been affected. The provisions also require the companies to notify HHS of any breach and to do so immediately if it involved 500 people or more. HHS will post on its Web site a list of the HIPAA-covered entities involved in the breach if the problem reaches the threshold of 500 people having been involved.

Pam Dixon, executive director of the public research group World Privacy Form, said the law was also significant because it includes requirements for organizations not covered under HIPAA. She added that the law was an acknowledgment that certain kinds of data need more protection.

Regardless of how they are made, breach notifications, to the extent possible, will have to include:

• A description of what happened, including when the breach occurred and when it was discovered.
• A description of the types of unsecured protected health information that was breached.
• The steps individuals should take to protect themselves against potential harm from the breach.
• A description of what the covered entity involved is doing to investigate the breach, mitigate losses and prevent future breaches.

HHS also was given one year to submit to Congress what will be the first of an annual report on medical data breaches that have occurred and what was done in response to them. The department also was given 180 days to disseminate interim final regulations to enact the law’s requirements.