
Monday, August 24, 2009

Part II

Department of Health and Human Services

45 CFR Parts 160 and 164

Breach Notification for Unsecured Protected Health Information; Interim Final Rule
42740 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991–AB56

Breach Notification for Unsecured Protected Health Information

AGENCY: Office for Civil Rights, Department of Health and Human Services.

ACTION: Interim final rule with request for comments.

SUMMARY: The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to require notification of breaches of unsecured protected health information. Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, requires HHS to issue interim final regulations within 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information. For purposes of determining what information is “unsecured protected health information,” in this document HHS is also issuing an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

DATES: Effective Date: This interim final rule is effective September 23, 2009. Comment Date: Comments on the provisions of this interim final rule are due on or before October 23, 2009. Comments on the information collection requirements associated with this rule are due on or before September 8, 2009.

ADDRESSES: You may submit comments, identified by RIN 0991–AB56, by any of the following methods (please do not submit duplicate comments):

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.

• Regular, Express, or Overnight Mail: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies.

• Hand Delivery or Courier: Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.)

Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at http://www.regulations.gov. Because comments will be made public, they should not include any sensitive personal information, such as a person’s social security number; date of birth; driver’s license number, state identification number or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information.

Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov or U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, SW., Washington, DC 20201 (call ahead to the contact listed below to arrange for inspection).

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202–205–2292.

SUPPLEMENTARY INFORMATION:

I. Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111–5), was enacted on February 17, 2009. Subtitle D of Division A of the HITECH Act (the Act), entitled “Privacy,” among other provisions, requires the Department of Health and Human Services (HHS or the Department) to issue interim final regulations for breach notification by covered entities subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104–191) and their business associates. These breach notification provisions are found in section 13402 of the Act and apply to HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. The Act incorporates the definitions of “covered entity,” “business associate,” and “protected health information” used in the HIPAA Administrative Simplification regulations (45 CFR parts 160, 162, and 164) (HIPAA Rules) at § 160.103. Under the HIPAA Rules, a covered entity is a health plan, health care clearinghouse, or health care provider that transmits any health information electronically in connection with a covered transaction, such as submitting health care claims to a health plan. Business associate, as defined in the HIPAA Rules, means a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of individually identifiable health information. Examples of business associates include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information. The HIPAA Rules define “protected health information” as the individually identifiable health information held or transmitted in any form or medium by these HIPAA covered entities and business associates, subject to certain limited exceptions.

The Act requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information. In addition, in some cases, the Act requires covered entities to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.
Section 13400(1) of the Act defines “breach” to mean, generally, the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. The Act provides exceptions to this definition to encompass disclosures where the recipient of the information would not reasonably have been able to retain the information, certain unintentional acquisition, access, or use of information by employees or persons acting under the authority of a covered entity or business associate, as well as certain inadvertent disclosures among persons similarly authorized to access protected health information at a business associate or covered entity.

Further, section 13402(h) of the Act defines “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance” and provides that the guidance specify the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information—that is, the information is not considered “unsecured” in such cases. As required by the Act, the Secretary initially issued this guidance on April 17, 2009 (it was subsequently published in the Federal Register at 74 FR 19006 on April 27, 2009). The guidance listed and described encryption and destruction as the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

In cases in which notification is required, the Act at section 13402 prescribes the timeliness, content, and methods of providing the breach notifications. We discuss these and the above statutory provisions in more detail below where we describe section-by-section how these new regulations implement the breach notification provisions at section 13402 of the Act.

In addition to the breach notification provisions for HIPAA covered entities and business associates at section 13402, section 13407 of the Act, which is to be implemented and enforced by the Federal Trade Commission (FTC), imposes similar breach notification requirements upon vendors of personal health records (PHRs) and their third party service providers following the discovery of a breach of security of unsecured PHR identifiable health information.1 As with the definition of “unsecured protected health information,” the provisions at section 13407(f)(3) define “unsecured PHR identifiable health information” as PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary of HHS in guidance. Thus, entities subject to the FTC breach notification rules must also use the Secretary’s guidance to determine whether the information subject to a breach was “unsecured” and, therefore, whether breach notification is required. When HHS issued the guidance, HHS also published in the same document a request for information (RFI), inviting public comment both on the guidance itself, as well as on the breach provisions of section 13402 of the Act generally. After considering the public comment, we are issuing an updated version of the guidance in Section II below. In addition, we discuss public comment received on the Act’s breach notification provisions where relevant below in the section-by-section description of the interim final rule.

1 The FTC issued a notice of proposed rulemaking to implement section 13407 of the Act on April 20, 2009 (74 FR 17914).

We have concluded that we have good cause, under 5 U.S.C. 553(b)(B), to waive the notice-and-comment requirements of the Administrative Procedure Act and to proceed with this interim final rule. Section 13402(j) explicitly required us to issue these regulations as “interim final regulations” and to do so within 180 days. Based on this statutory directive and limited time frame, we concluded that notice-and-comment rulemaking was impracticable and contrary to public policy. Nevertheless, we sought comments in the RFI referenced above and considered those comments when drafting this rule. In addition, we provide the public with a 60-day period following publication of this document to submit comments on the interim final rule.

II. Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

A. Background

As discussed above, section 13402 of the Act requires breach notification following the discovery of a breach of unsecured protected health information. Section 13402(h) of the Act defines “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance” and requires the Secretary to specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. As required by the Act, this guidance was issued on April 17, 2009, and later published in the Federal Register on April 27, 2009 (74 FR 19006). The guidance specified encryption and destruction as the technologies and methodologies for rendering protected health information, as well as PHR identifiable health information under section 13407 of the Act and the FTC’s implementing regulation, unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. The RFI asked for general comment on this guidance as well as for specific comment on the technologies and methodologies to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

Many commenters expressed concern and confusion regarding the purpose of the guidance and its impact on a covered entity’s responsibilities under the HIPAA Security Rule (45 CFR part 164, subparts A and C). We emphasize that this guidance does nothing to modify a covered entity’s responsibilities with respect to the Security Rule nor does it impose any new requirements upon covered entities to encrypt all protected health information. The Security Rule requires covered entities to safeguard electronic protected health information and permits covered entities to use any security measures that allow them to reasonably and appropriately implement all safeguard requirements. Under 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii), a covered entity must consider implementing encryption as a method for safeguarding electronic protected health information; however, because these are addressable implementation specifications, a covered entity may be in compliance with the Security Rule even if it reasonably decides not to encrypt electronic protected health information and instead uses a comparable method to safeguard the information.

Therefore, if a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that
encrypted information, the covered entity will not be required to provide breach notification because the information is not considered “unsecured protected health information” as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals. On the other hand, if a covered entity has decided to use a method other than encryption or an encryption algorithm that is not specified in this guidance to safeguard protected health information, then although that covered entity may be in compliance with the Security Rule, following a breach of this information, the covered entity would have to provide breach notification to affected individuals. For example, a covered entity that has a large database of protected health information may choose, based on their risk assessment under the Security Rule, to rely on firewalls and other access controls to make the information inaccessible, as opposed to encrypting the information. While the Security Rule permits the use of firewalls and access controls as reasonable and appropriate safeguards, a covered entity that seeks to ensure breach notification is not required in the event of a breach of the information in the database would need to encrypt the information pursuant to the guidance.

We also received several comments asking for clarification and additional detail regarding the forms of information and the specific devices and protocols described in the guidance. As a result, we provide clarification regarding the forms of information addressed in the National Institute of Standards and Technology (NIST) publications referenced in the guidance. We clarify that “data in motion” includes data that is moving through a network, including wireless transmission, whether by e-mail or structured electronic interchange, while “data at rest” includes data that resides in databases, file systems, flash drives, memory, and any other structured storage method. “Data in use” includes data in the process of being created, retrieved, updated, or deleted, and “data disposed” includes discarded paper records or recycled electronic media.

Additionally, many commenters suggested that access controls be included in the guidance as a method for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. We recognize that access controls, as well as other security methods such as firewalls, are important tools for safeguarding protected health information. While we believe access controls may render information inaccessible to unauthorized individuals, we do not believe that access controls meet the statutory standard of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. If access controls are compromised, the underlying information may still be usable, readable, or decipherable to an unauthorized individual, and thus, constitute unsecured protected health information for which breach notification is required. Therefore, we have not included access controls in the guidance; however, we do emphasize the benefit of strong access controls, which may function to prevent breaches of unsecured protected health information from occurring in the first place.

Other commenters suggested that the guidance include redaction of paper records as an alternative to destruction. Because redaction is not a standardized methodology with proven capabilities to destroy or render the underlying information unusable, unreadable or indecipherable, we do not believe that redaction is an accepted alternative method to secure paper-based protected health information. Therefore, we have clarified in this guidance that only destruction of paper protected health information, and not redaction, will satisfy the requirements to relieve a covered entity or business associate from breach notification. We note, however, that covered entities and business associates may continue to create limited data sets or de-identify protected health information through redaction if the removal of identifiers results in the information satisfying the criteria of 45 CFR 164.514(e)(2) or 164.514(b), respectively. Further, a loss or theft of information that has been redacted appropriately may not require notification under these rules either because the information is not protected health information (as in the case of de-identified information) or because the unredacted information does not compromise the security or privacy of the information and thus, does not constitute a breach as described in Section IV below.

In response to comments received, we also make two additional clarifications in the guidance. First, for purposes of the guidance below and ensuring encryption keys are not breached, we clarify that covered entities and business associates should keep encryption keys on a separate device from the data that they encrypt or decrypt. Second, we also include in the guidance below a note regarding roadmap guidance activities on the part of the NIST pertaining to data storage on enterprise-level storage devices, such as RAID (redundant array of inexpensive disks), or SAN (storage-attached network) systems.

For ease of reference, we have published this updated guidance in this document below; however, it will also be available on the HHS Web site at http://www.hhs.gov/ocr/privacy/. Any further comments regarding this guidance received in response to the interim final rule will be addressed in the first annual update to the guidance, to be issued in April 2010.

B. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” 2 and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices.3 4

(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800–52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800–77, Guide to IPsec VPNs; or 800–113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140–2 validated.5

2 45 CFR 164.304, definition of “encryption.”

3 NIST Roadmap plans include the development of security guidelines for enterprise-level storage devices, and such guidelines will be considered in updates to this guidance, when available.

4 Available at http://www.csrc.nist.gov/.

5 Available at http://www.csrc.nist.gov/.
(b) The media on which the PHI is stored or recorded have been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.

(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization,6 such that the PHI cannot be retrieved.

6 Available at http://www.csrc.nist.gov/.

III. Overview of Interim Final Rule

We are adding a new subpart D to part 164 of title 45 of the Code of Federal Regulations (CFR) to implement the breach notification provisions in section 13402 of the Act. These provisions apply to HIPAA covered entities and their business associates and set forth the requirements for notification to affected individuals, the media, and the Secretary of HHS following a breach of unsecured protected health information. In drafting this interim final regulation, we considered the public comments received in response to the RFI described above.

In addition, we consulted closely with the FTC in the development of these regulations. Commenters in response to both the RFI as well as the FTC’s notice of proposed rulemaking urged HHS and the FTC to work together to ensure that the regulated entities know with which rule they must comply and that those entities that are subject to both rules because they may operate in different roles are not subject to two completely different and inconsistent regulatory schemes. In addition, commenters were concerned that individuals could receive multiple notices of the same breach if the HHS and the FTC regulations overlapped. Thus, HHS coordinated with the FTC to ensure these issues were addressed in the respective rulemakings. First, the rules make clear that entities operating as HIPAA covered entities and business associates are subject to HHS’, and not the FTC’s, breach notification rule. Second, in those limited cases where an entity may be subject to both HHS’ and the FTC’s rules, such as a vendor that offers PHRs to customers of a HIPAA covered entity as a business associate and also offers PHRs directly to the public, we worked with the FTC to ensure both sets of regulations were harmonized by including the same or similar requirements, within the constraints of the statutory language. See Section IV.F. below for a more detailed discussion and an example of our harmonization efforts.

IV. Section-by-Section Description of Interim Final Rule

The following discussion describes the provisions of the interim final rule section by section. Those interested in commenting on the interim final rule can assist the Department by preceding discussion of any particular provision or topic with a citation to the section of the interim final rule being discussed.

A. Applicability—Section 164.400

Section 164.400 of the interim final rule provides that this breach notification rule is applicable to breaches occurring on or after 30 days from the date of publication of this interim final rule. See Section IV.K. Effective/Compliance Date of this rule for further discussion.

B. Definitions—Section 164.402

Section 164.402 of the interim final rule adopts definitions for the terms “breach” and “unsecured protected health information.”

1. Breach

Section 13402 of the Act and this interim final rule require covered entities and business associates to provide notification following a breach of unsecured protected health information. Section 13400(1)(A) of the Act defines “breach” as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” Section 13400(1)(B) of the Act provides several exceptions to the definition of “breach.” Based on section 13400(1)(A), we have defined “breach” at § 164.402 of the interim final rule as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” We have added paragraph (1) to the definition to clarify when the security or privacy of information is considered to be compromised. Paragraph (2) of the definition then includes the statutory exceptions, including the exception within section 13400(1)(A) that refers to whether the recipient would reasonably have been able to retain the information.

Protected Health Information

We note that the definition of “breach” is limited to protected health information. With respect to a covered entity or business associate of a covered entity, protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, including electronic information. 45 CFR 160.103. If information is de-identified in accordance with 45 CFR 164.514(b), it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart. Additionally, § 160.103 excludes certain types of individually identifiable health information from the definition of “protected health information,” such as employment records held by a covered entity in its role as employer. If individually identifiable health information that is not protected health information is used or disclosed in an unauthorized manner, it would not qualify as a breach for purposes of this subpart—although the covered entity should consider whether it has notification requirements under other laws. Further, we note that although the definition of “breach” applies to protected health information generally, covered entities and business associates are required to provide the breach notifications required by the Act and this interim final rule (discussed below) only upon a breach of unsecured protected health information. See also Section II of this document for a list of the technologies and methodologies that render protected health information secure such that notification is not required in the event of a breach.

Unauthorized Acquisition, Access, Use, or Disclosure

The statute defines a “breach” as the “unauthorized” acquisition, access, use, or disclosure of protected health information. Several commenters asked that we define “unauthorized” or that we clarify its meaning. We clarify that “unauthorized” is an impermissible use or disclosure of protected health information under the HIPAA Privacy Rule (subpart E of 45 CFR part 164). Accordingly, the definition of “breach” at § 160.402 of the interim final rule interprets the “unauthorized acquisition, access, use, or disclosure of protected health information” as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part.” We emphasize that not all violations of the Privacy Rule will be
breaches under this subpart, and therefore, covered entities and business associates need not provide breach notification in all cases of impermissible uses and disclosures. We also note that the HIPAA Security Rule provides for administrative, physical, and technical safeguards and organizational requirements for electronic protected health information, but does not govern uses and disclosures of protected health information. Accordingly, a violation of the Security Rule does not itself constitute a potential breach under this subpart, although such a violation may lead to a use or disclosure of protected health information that is not permitted under the Privacy Rule and thus, may potentially be a breach under this subpart.

The Act does not define the terms “acquisition” and “access.” Several commenters asked that we define or identify the differences between acquisition, access, use, and disclosure of protected health information, for purposes of the definition of “breach.” We interpret “acquisition” and “access” to information based on their plain meanings and believe that both terms are encompassed within the current definitions of “use” and “disclosure” in the HIPAA Rules. Accordingly, we have not added separate definitions for these

45 CFR 164.502(a)(1)(iii) and, therefore, would not qualify as a potential breach. Finally, violations of administrative requirements, such as a lack of reasonable safeguards or a lack of training, do not themselves qualify as potential breaches under this subpart (although such violations certainly may lead to impermissible uses or disclosures that qualify as breaches).

Compromises the Security or Privacy of Protected Health Information

The Act and regulation next limit the definition of “breach” to a use or disclosure that “compromises the security or privacy” of the protected health information. Accordingly, once it is established that a use or disclosure violates the Privacy Rule, the covered entity must determine whether the violation compromises the security or privacy of the protected health information.

For the purposes of the definition of “breach,” many commenters suggested that we add a harm threshold such that an unauthorized use or disclosure of protected health information is considered a breach only if the use or disclosure poses some harm to the individual. These commenters noted that the “compromises the security or privacy” language in section

existing obligations on Federal agencies (some of which also must comply with these rules as HIPAA covered entities) pursuant to OMB Memorandum M–07–16 to have in place breach notification policies for personally identifiable information that take into account the likely risk of harm caused by a breach in determining whether breach notification is required. Thus, to determine if an impermissible use or disclosure of protected health information constitutes a breach, covered entities and business associates will need to perform a risk assessment to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates may need to consider a number or combination of factors, some of which are described below.7

Covered entities and business associates should consider who impermissibly used or to whom the information was impermissibly disclosed when evaluating the risk of harm to individuals. If, for example, protected health information is impermissibly disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency that is obligated to comply with
terms. We have retained the statutory 13400(1)(A) of the Act contemplates that the Privacy Act of 1974 (5 U.S.C. 552a)
terms in the regulation in order to covered entities will perform some type and the Federal Information Security
maintain consistency with the statute. of risk assessment to determine if there Management Act of 2002 (44 U.S.C.
In addition, we note that while the is a risk of harm to the individual, and 3541 et seq.), there may be less risk of
HIPAA Security Rule at § 164.304 therefore, if a breach has occurred. harm to the individual, since the
includes a definition of the term Commenters urged that the addition of recipient entity is obligated to protect
‘‘access,’’ such definition is limited to a harm threshold to the definition the privacy and security of the
the ability to use ‘‘system resources’’ would also align this regulation with information it received in the same or
and not to access to information more many State breach notification laws that similar manner as the entity that
generally and thus, we have revised that require entities to reach similar harm disclosed the information. In contrast, if
definition to make clear that it does not thresholds before providing notification. protected health information is
apply for purposes of these breach Finally, some commenters noted that impermissibly disclosed to any entity or
notification rules. failure to include a harm threshold for person that does not have similar
For an acquisition, access, use, or requiring breach notification may obligations to maintain the privacy and
disclosure of protected health diminish the impact of notifications security of the information, the risk of
information to constitute a breach, it received by individuals, as individuals harm to the individual is much greater.
must constitute a violation of the may be flooded with notifications for We expect that there may be
Privacy Rule. Therefore, one of the first breaches that pose no threat to the circumstances where a covered entity
steps in determining whether security or privacy of their protected takes immediate steps to mitigate an
notification is necessary under this health information or, alternatively, may impermissible use or disclosure, such as
subpart is to determine whether a use or cause unwarranted panic in individuals, by obtaining the recipient’s satisfactory
disclosure violates the Privacy Rule. We and the expenditure of undue costs and assurances that the information will not
note that uses or disclosures that other resources by individuals in be further used or disclosed (through a
impermissibly involve more than the remedial action. confidentiality agreement or similar
minimum necessary information, in We agree that the statutory language means) or will be destroyed. If such
violation of §§ 164.502(b) and encompasses a harm threshold and have steps eliminate or reduce the risk of
164.514(d), may qualify as breaches clarified in paragraph (1) of the harm to the individual to a less than
under this subpart. In contrast, a use or definition that ‘‘compromises the ‘‘significant risk,’’ then we interpret that
disclosure of protected health security or privacy of the protected the security and privacy of the
erowe on DSK5CLS3C1PROD with RULES_2

information that is incident to an health information’’ means ‘‘poses a


otherwise permissible use or disclosure significant risk of financial, 7 Covered entities may also wish to review OMB

and occurs despite reasonable reputational, or other harm to the Memorandum M–07–16 for examples of the types
of factors that may need to be taken into account
safeguards and proper minimum individual.’’ This ensures better in determining whether an impermissible use or
necessary procedures would not be a consistency and alignment with State disclosure presents a significant risk of harm to the
violation of the Privacy Rule pursuant to breach notification laws, as well as individual.

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations 42745

information has not been compromised harm—especially in light of fears about identification, these commenters stated
and, therefore, no breach has occurred. employment discrimination. that creating a limited data set was not
In addition, there may be We also address impermissible uses comparable to encrypting information,
and disclosures involving limited data and therefore, should not be included as
circumstances where impermissibly
sets (as the term is used at 45 CFR a method to render protected health
disclosed protected health information
164.514(e) of the Privacy Rule), in information unusable, unreadable, or
is returned prior to it being accessed for
paragraph (1) of the definition of indecipherable to unauthorized
an improper purpose. For example, if a ‘‘breach’’ at § 164.402 of the interim individuals.
laptop is lost or stolen and then final rule. In the RFI discussed above, The majority of commenters,
recovered, and a forensic analysis of the we asked for public comment on however, did support the inclusion of
computer shows that its information whether limited data sets should be the limited data set in the guidance.
was not opened, altered, transferred, or considered unusable, unreadable, or These commenters stated that it would
otherwise compromised, such a breach indecipherable and included as a be impractical to require covered
may not pose a significant risk of harm methodology in the guidance. A limited entities and business associates to notify
to the individuals whose information data set is created by removing the 16 individuals of a breach of information
was on the laptop. Note, however, that direct identifiers listed in within a limited data set because, by
if a computer is lost or stolen, we do not § 164.514(e)(2) from the protected health definition, such information excludes
consider it reasonable to delay breach information.9 These direct identifiers the very identifiers that would enable
notification based on the hope that the include the name, address, social covered entities and business associates,
computer will be recovered. security number, and account number of without undue burden, to identify the
In performing a risk assessment, an individual or the individual’s affected individuals and comply with
covered entities and business associates relative, employer, or household the breach notification requirements.
should also consider the type and member. When these 16 direct Additionally, these commenters cited
amount of protected health information identifiers are removed from the contractual concerns regarding the data
involved in the impermissible use or protected health information, the use agreement, which prohibits the
disclosure. If the nature of the protected information is not completely de- recipient of a limited data set from re-
health information does not pose a identified pursuant to 45 CFR identifying the information and
significant risk of financial, 164.514(b). In particular, the elements of therefore, may pose problems with
reputational, or other harm, then the dates, such as dates of birth, and zip complying with the notification
violation is not a breach. For example, codes, are allowed to remain within the requirements of section 13402(b) of the
if a covered entity improperly discloses limited data set, which increase the Act.
potential for re-identification of the These commenters also noted that the
protected health information that
information. Because there is a risk of decision to exclude the limited data set
merely included the name of an
re-identification of the information from the guidance, such that a breach of
individual and the fact that he received
within a limited data set, the Privacy a limited data set would require breach
services from a hospital, then this
Rule treats this information as protected notification, would reduce the
would constitute a violation of the
health information that may only be likelihood that covered entities would
Privacy Rule, but it may not constitute continue to create and share limited
used or disclosed as permitted by the
a significant risk of financial or data sets. This, in turn, would have a
Privacy Rule.
reputational harm to the individual. In Several commenters suggested that chilling effect on the research and
contrast, if the information indicates the the limited data set should not be public health communities, which rely
type of services that the individual included in the guidance as a method to on receiving information from covered
received (such as oncology services), render protected health information entities in limited data set form.
that the individual received services unusable, unreadable, or indecipherable Finally, commenters noted that the
from a specialized facility (such as a to unauthorized individuals such that removal of the 16 direct identifiers in
substance abuse treatment program 8), or breach notification is not required. the limited data set presents a minimal
if the protected health information These commenters cited concerns about risk of serious harm to the individual by
includes information that increases the the risk of re-identification of protected limiting the possibility that the
risk of identity theft (such as a social health information in a limited data set information could be used for an illicit
security number, account number, or and noted that, as more data exists in purpose if breached. These commenters
mother’s maiden name), then there is a electronic form and as more data also suggested that the inclusion of the
higher likelihood that the impermissible becomes public, it will be easier to limited data set in the guidance would
use or disclosure compromised the combine these various sources to re- align with most state breach notification
security and privacy of the information. establish the identity of the individual. laws, which, as a general matter, only
The risk assessment should be fact Furthermore, due to the risk of re- require notification when certain
specific, and the covered entity or identifiers are exposed and when there
business associate should keep in mind 9 A limited data set is protected health is a likelihood that the breach will result
that many forms of health information, information that excludes the following direct in harm to the individual.
identifiers of the individual or of relatives,
not just information about sexually employers, or household members of the
We also asked commenters if they
transmitted diseases or mental health, individual: (1) Names; (2) postal address believed that the removal of an
should be considered sensitive for information, other than town or city, State, and zip individual’s date of birth or zip code, in
purposes of the risk of reputational code; (3) telephone numbers; (4) fax numbers; (5) addition to the 16 direct identifiers in
e-mail addresses; (6) social security numbers; (7)
45 CFR 164.514(e)(2), would reduce the
erowe on DSK5CLS3C1PROD with RULES_2

medical record numbers; (8) health plan beneficiary


8 Note that an impermissible disclosure that numbers; (9) account numbers; (10) certificate/ risk of re-identification of the
indicates that an individual has received services license plate numbers; (11) vehicle identifiers and information such that it could be
from a substance abuse treatment program may also serial numbers; (12) device identifiers and serial included in the guidance. Several
constitute a violation of 42 U.S.C. 290dd–2 and the numbers; (13) Web URLs; (14) Internet Protocol (IP)
implementing regulations at 42 CFR part 2. These address numbers; (15) biometric identifiers,
commenters responded to this question.
provisions require the confidentiality of substance including finger and voice prints; and (16) full face While some stated that the removal of
abuse patient records. photographic images and any comparable images. these data elements would render the

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
42746 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

information useless to the research and We have provided a narrow, explicit this interim final rule. In cases where a
public health communities, which may, exception to what compromises the covered entity is the recipient of a
for example, require zip codes for many privacy or security of protected health limited data set pursuant to § 164.514(e)
population based studies, many information for a use or disclosure of of the Privacy Rule and it is unable to
commenters did acknowledge that the protected health information that re-identify the individuals after a breach
removal of these additional identifiers excludes the 16 direct identifiers listed occurs, it may satisfy the requirements
would reduce the risk of re- at 45 CFR 164.514(e)(2) as well as dates of § 164.404 without re-identifying the
identification of the information. of birth and zip codes. Thus, we deem information, by providing substitute
After considering these comments, we an impermissible use or disclosure of notice to the individuals as required by
decided against including the limited this information to not compromise the paragraph (d)(2) of that section.
data set in the guidance as a method for security or privacy of the protected We note that the discussion above
rendering protected health information health information, because we believe regarding ‘‘limited data sets’’ applies to
unusable, unreadable, or indecipherable that impermissible uses or disclosures any protected health information that
to unauthorized individuals due to the of this information—if subjected to the excludes the 16 direct identifiers listed
potential risk of re-identification of this type of risk assessment described at § 164.514(e)(2), regardless of whether
information. However, we address above—would pose a low level of risk. the information is used for health care
breaches of limited data sets in the We emphasize that this is a narrow operations, public health, or research
definition of ‘‘breach’’ as follows. exception. If, for example, the purposes (see § 164.514(e)(3)(i)), and is
Under the definition of ‘‘breach’’ at information does not contain birth dates subject to a data use agreement under
§ 164.402, in order to determine but does contain zip code information § 164.514(e) of the Privacy Rule. Thus,
whether a covered entity’s or business or contains both birth dates and zip for example, a covered entity that
associate’s impermissible use or code information, then this narrow impermissibly uses or discloses data
disclosure of protected health exception would not apply, and the that is stripped of the 16 direct
information constitutes a breach, the covered entity or business associate identifiers described above, zip codes,
would be required to perform a risk and dates of birth, may take advantage
covered entity or business associate will
assessment to determine if the risk of re- of the exception to what is a breach,
need to perform the risk assessment
identification poses a significant risk of regardless of the intended purpose of
discussed above. This applies to
harm to the individual. We invite the use or disclosure or whether a data
impermissible uses or disclosures of
comments on this narrow exception. We use agreement was in place.
protected health information that With respect to any type of protected
constitute a limited data set, unless, as do not believe that this narrow
exception will have the unintended health information, we note that
discussed below, the protected health § 164.414, discussed below, gives
information also does not include zip consequence of discouraging the use of
covered entities and business associates
codes or dates of birth. In performing encryption and other methods for
the burden of demonstrating that no
the risk assessment to determine the rendering protected health information
breach has occurred because the
likely risk of harm caused by an unusable, unreadable, or
impermissible use or disclosure did not
impermissible use or disclosure of a indecipherable; however, we invite
pose a significant risk of harm to the
limited data set, the covered entity or comments on this issue as well. Finally,
individual. Covered entities and
business associate should take into we note that this narrow exception
business associates must document their
consideration the risk of re- should not be construed as encouraging
risk assessments, so that they can
identification of the protected health or permitting the use or disclosure of
demonstrate, if necessary, that no
information contained in the limited more than the minimum necessary breach notification was required
data set. information, in violation of following an impermissible use or
Through a risk assessment, a covered §§ 164.502(b) and 164.514(d). disclosure of protected health
entity or business associate may We do not intend to interfere with information. For impermissible uses or
determine that the risk of identifying a research or public health activities that disclosures of protected health
particular individual is so small that the rely on dates of birth or zip codes. Uses information that fall under the narrow
use or disclosure poses no significant and disclosures of limited data sets that exception at paragraph (1)(ii) of this
risk of harm to any individuals. For include this information continue to be definition, which do not qualify as
example, it may be determined that an permissible under the Privacy Rule if breaches because the protected health
impermissible use or disclosures of a the applicable requirements, such as a information is a limited data set that
limited data set that includes zip codes, data use agreement, are satisfied. does not include zip codes or dates of
based on the population features of Further, we note that a covered entity or birth, documentation that demonstrates
those zip codes, does not create a business associate is not responsible for that the lost information did not include
significant risk that a particular a breach by a third party to whom it these identifiers will suffice.
individual can be identified. Therefore, permissibly disclosed protected health
there would be no significant risk of information, including limited data sets, Exceptions to Breach
harm to the individual. If there is no unless the third party received the Section 13400(1) of the Act also
significant risk of harm to the information in its role as an agent of the includes three exceptions to the
individual, then no breach has occurred covered entity or business associate. To definition of ‘‘breach’’ that encompass
and no notification is required. If, the extent that a third party recipient of situations Congress clearly intended to
however, the covered entity or business the information is itself a covered entity, not constitute breaches: (1)
associate determines that the individual and the information is breached while at Unintentional acquisition, access, or use
erowe on DSK5CLS3C1PROD with RULES_2

can be identified based on the the third party (i.e., used or disclosed in of protected health information by an
information disclosed, and there is an impermissible manner and in a employee or individual acting under the
otherwise a significant risk of harm to manner determined to compromise the authority of a covered entity or business
the individual, then breach notification privacy or security of the information), associate (section 13400(1)(B)(i)); (2)
is required, unless one of the other then the third party will be responsible inadvertent disclosure of protected
exceptions discussed below applies. for complying with the provisions of health information from one person

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations 42747

authorized to access protected health the security and privacy of the from more than one health care
information at a covered entity or information has not been compromised provider.10 See 45 CFR 160.103. This
business associate to another person by any such permissible use or includes, for example, a covered entity,
authorized to access protected health disclosure. such as a hospital, and the health care
information at the covered entity or To illustrate this exception, we offer providers who have staff privileges at
business associate (section the following example. A billing the hospital.
13400(1)(B)(ii) and (iii)); and (3) employee receives and opens an e-mail We received several comments with
unauthorized disclosures in which an containing protected health information respect to this exception, and many
unauthorized person to whom protected about a patient which a nurse commenters asked that we clarify and
health information is disclosed would mistakenly sent to the billing employee. explain the statutory language regarding
not reasonably have been able to retain The billing employee notices that he is what it means to be a ‘‘similarly situated
the information (section 13400(1)(A)). not the intended recipient, alerts the individual’’ and what constitutes the
We have included these three nurse of the misdirected e-mail, and ‘‘same facility’’ for purposes of this
exceptions as paragraphs (2)(i), (ii), and then deletes it. The billing employee exception. We believe that a ‘‘similarly
(iii), respectively. unintentionally accessed protected situated individual,’’ for purposes of the
The first regulatory exception at health information to which he was not statute, means an individual who is
paragraph (2)(i) of this definition, for authorized to have access. However, the authorized to access protected health
unintentional acquisition, access, or use billing employee’s use of the information, and thus, for clarity, we
of protected health information, information was done in good faith and have substituted this language for the
generally mirrors the exception in within the scope of authority, and statutory language in the regulation.
section 13400(1)(B)(i) of the Act. This therefore, would not constitute a breach Thus, a person who is authorized to
statutory section excepts from the and notification would not be required, access protected health information is
definition of ‘‘breach’’ the unintentional provided the employee did not further similarly situated, for purposes of this
acquisition, access, or use of protected use or disclose the information accessed regulation, to another person at the
health information by an employee or in a manner not permitted by the covered entity, business associate of the
individual acting under the authority of Privacy Rule. covered entity, or organized health care
a covered entity or a business associate, In contrast, a receptionist at a covered arrangement in which the covered entity
if the acquisition, access, or use was entity who is not authorized to access participates, who is also authorized to
made in good faith, within the course protected health information decides to access protected health information
and scope of employment or other look through patient files in order to (even if the two persons may not be
professional relationship, and does not learn of a friend’s treatment. In this authorized to access the same types of
result in further use or disclosure. case, the impermissible access to protected health information). For
We modified the statutory language to protected health information would not example, a physician who has authority
use ‘‘workforce members’’ instead of fall within this exception to breach to use or disclose protected health
employees. Workforce member is a because such access was neither information at a hospital by virtue of
defined term in 45 CFR 160.103 and unintentional, done in good faith, nor participating in an organized health care
means ‘‘employees, volunteers, trainees, within the scope of authority. arrangement with the hospital is
and other persons whose conduct, in the The second regulatory exception, at similarly situated to a nurse or billing
performance of work for a covered paragraph (2)(ii) of this definition, employee at the hospital. In contrast,
entity, is under the direct control of covers inadvertent disclosures and the physician is not similarly situated to
such entity, whether or not they are generally mirrors the exception an employee at the hospital who is not
paid by the covered entity.’’ provided in section 13400(1)(B)(ii) and authorized to access protected health
A person is acting under the authority (iii) of the Act, with slight information.
of a covered entity or business associate modifications. The statute excepts from Additionally, we have interpreted
if he or she is acting on its behalf. This the definition of ‘‘breach’’ inadvertent ‘‘same facility’’ to mean the same
may include a workforce member of a disclosures from an individual who is covered entity, business associate, or
covered entity, an employee of a otherwise authorized to access protected organized health care arrangement in
business associate, or even a business health information at a facility operated which the covered entity participates
associate of a covered entity. Similarly, by a covered entity or business associate and have substituted this language in
to determine whether the access, to another similarly situated individual the regulation. By focusing on the legal
acquisition, or use was made ‘‘within at the same facility if the information is entity or status of the entities as an
the scope of authority,’’ the covered not further used or disclosed without organized health care arrangement when
entity or business associate should authorization. We have modified the interpreting ‘‘same facility,’’ we believe
consider whether the person was acting statutory language slightly to except we have more clearly captured the
on its behalf at the time of the from breach inadvertent disclosures of intent of the statute and have also
inadvertent acquisition, access, or use. protected health information from a alleviated commenter concerns that the
Additionally, while the statutory person who is authorized to access term ‘‘facility’’ was too narrow.
language provides that this exception protected health information at a Therefore, the size of the covered entity,
applies where the recipient does not covered entity or business associate to
further use or disclose the information, another person authorized to access 10 45 CFR 160.103 also defines ‘‘organized health

we have interpreted this exception as protected health information at the same care arrangement’’ to include ‘‘an organized system
encompassing circumstances where the covered entity, business associate, or of health care in which more than one covered
entity participates’’ and in which the participating
recipient does not further use or organized health care arrangement in
erowe on DSK5CLS3C1PROD with RULES_2

covered entities engage in certain joint utilization


disclose the information in a manner which the covered entity participates. review, quality assessment and improvement, or
not permitted under the Privacy Rule. In Organized health care arrangement is payment activities. In addition, the definition
circumstances where any further use or defined by the HIPAA Rules to mean, encompasses certain relationships between group
health plans and health insurance issuers or health
disclosure of the information is among other things, a clinically maintenance organizations (HMO), as well as
permissible under the Privacy Rule, we integrated care setting in which relationships among group health plans which are
interpret that there is no breach because individuals typically receive health care maintained by the same plan sponsor.

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
42748 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

business associate, or organized health care arrangement will dictate the scope of this exception. If a covered entity has a single location, then the exception will apply to disclosures between a workforce member and, e.g., a physician with staff privileges at that single location. However, if a covered entity has multiple locations across the country, the same exception will apply even if the workforce member makes the disclosure to a physician with staff privileges at a facility located in another state.

We interpret the statutory limitation that the information not be "further acquired, accessed, used, or disclosed without authorization" as meaning that the information is not further used or disclosed in a manner not permitted by the Privacy Rule. Thus, this exception encompasses circumstances in which a person who is authorized to use or disclose protected health information within a covered entity, business associate, or organized health care arrangement inadvertently discloses that information to another person who is authorized to use or disclose protected health information within the same covered entity, business associate, or organized health care arrangement, as long as the recipient does not further use or disclose the information in violation of the Privacy Rule.

The final regulatory exception to breach at paragraph (2)(iii) of this definition mirrors the exception found in section 13400(1)(A) of the Act. The statute excepts from the definition of "breach" situations in which the unauthorized person to whom protected health information has been disclosed would not reasonably have been able to retain the information. We have slightly modified this language to except from "breach" situations where a covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure of protected health information was made would not reasonably have been able to retain the information.

For example, a covered entity, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals. A few of the EOBs are returned by the post office, unopened, as undeliverable. In these circumstances, the covered entity can conclude that the improper addressees could not reasonably have retained the information. The EOBs that were not returned as undeliverable, however, and that the covered entity knows were sent to the wrong individuals, should be treated as potential breaches.

As another example, a nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes her mistake and recovers the protected health information from the patient. If the nurse can reasonably conclude that the patient could not have read or otherwise retained the information, then this would not constitute a breach.

With respect to any of the three exceptions discussed above, a covered entity or business associate has the burden of proof, pursuant to § 164.414(b) (discussed below), for showing why breach notification was not required. Accordingly, the covered entity or business associate must document why the impermissible use or disclosure falls under one of the above exceptions.

Based on the above, we envision that covered entities and business associates will need to do the following to determine whether a breach occurred. First, the covered entity or business associate must determine whether there has been an impermissible use or disclosure of protected health information under the Privacy Rule. Second, the covered entity or business associate must determine, and document, whether the impermissible use or disclosure compromises the security or privacy of the protected health information. This occurs when there is a significant risk of financial, reputational, or other harm to the individual. Lastly, the covered entity or business associate may need to determine whether the incident falls under one of the exceptions in paragraph (2) of the breach definition.

We treat the breach as having occurred at the time of the impermissible use or disclosure (or in the case of the exceptions listed at paragraphs (2)(i) and (ii) of the definition of "breach," at the time of the "further" impermissible use or disclosure), but recognize that a covered entity or business associate may require a reasonable amount of time to confirm whether the incident qualifies as a breach. As discussed below, a breach is considered discovered when the incident becomes known, not when the covered entity or business associate concludes the above analysis of whether the facts constitute a breach.

2. Unsecured Protected Health Information

The interim final rule adopts a definition of "unsecured protected health information" to identify to what information the breach notification provisions apply. Section 13402(h)(1)(A) of the Act defines "unsecured protected health information" as "protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance issued under [section 13402(h)(2)]." Further, the Act at section 13402(h)(2) requires that the Secretary specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Accordingly, the interim final rule defines "unsecured protected health information" to mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. We also provide in the regulation that the guidance will be published on the HHS Web site.

Section 13402(h)(2) of the Act required that the Secretary initially issue such guidance, after consultation with stakeholders, no later than 60 days after enactment, or April 17, 2009. As discussed above, the Secretary issued the guidance along with a request for information on April 17, 2009, on the HHS Web site at http://www.hhs.gov/ocr/privacy/ and the guidance was later published in the Federal Register on April 27, 2009 (74 FR 19006). The Department has reviewed the public comment received in response to the request for information and provides an update to the guidance in Section II of this document. As provided in this interim final rule, this updated guidance is also (and any future updates will be) available on the HHS Web site at http://www.hhs.gov/ocr/privacy/.

We note that the definition of "unsecured protected health information" in the Act and this interim final rule incorporates generally the term "protected health information," as defined at 45 CFR 160.103 of the HIPAA Rules, which includes information in any form or medium. Accordingly, the term "unsecured protected health information" can include information in any form or medium, including electronic, paper, or oral form.

C. Notification to Individuals—Section 164.404

Section 164.404 of the interim final rule provides the requirements for the notifications covered entities are to provide to individuals affected by a breach of unsecured protected health information. This section includes implementation specifications regarding timeliness, content, and methods of the notice.


General Rule

Section 164.404(a)(1) provides the general rule that a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. This regulatory provision implements section 13402(a) of the Act, but does not include the phrase "that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses" used in the statute to describe a covered entity's actions with respect to unsecured protected health information because inclusion of such terms was deemed unnecessary. In addition, the statute refers to protected health information that has been "accessed, acquired, or disclosed"; it does not include "used." In contrast, the statutory definition of "breach" refers to the "acquisition, access, use, or disclosure" of protected health information. For consistency with the definition, therefore, we have added "used" to the list of actions for which notification is required in § 164.404(a)(1).

Breaches Treated as Discovered

Section 164.404(a)(2) states that a breach shall be treated as discovered by a covered entity as of the first day the breach is known to the covered entity, or by exercising reasonable diligence would have been known to the covered entity. Thus, a covered entity is not liable for failing to provide notification in cases in which it is not aware of a breach unless the covered entity would have been aware of the breach had it exercised reasonable diligence. Section 164.404(a)(2) further provides that a covered entity is deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency). These provisions implement section 13402(c) of the Act but clarify that the federal common law of agency is to control in determining who is an agent of the covered entity. This approach is consistent with the HIPAA Enforcement Rule (45 CFR part 160, subparts C through E), which provides that the federal common law of agency applies in determining agency liability under the HIPAA Rules.

We have also modified the statutory language slightly to better conform to existing language in the HIPAA Enforcement Rule by incorporating the term "by exercising reasonable diligence." The term "reasonable diligence" means the "business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances." We have made these clarifications for consistency and uniformity across the regulations.

Because a covered entity or business associate is liable for failing to provide notice of a breach when the covered entity or business associate did not know—but by exercising reasonable diligence would have known—of a breach, it is important for such entities to implement reasonable systems for discovery of breaches. We also note that these provisions attribute knowledge of a breach by a workforce member or other agent (other than the person committing the breach), such as certain business associates, to the covered entity itself. This is important, as knowledge of a breach, i.e., when a breach is treated as "discovered," starts the clock in terms of the period of time a covered entity has to make the notifications required by the interim final rule. Thus, covered entities should ensure their workforce members and other agents are adequately trained and aware of the importance of timely reporting of privacy and security incidents and of the consequences of failing to do so.

Timeliness

Regarding timeliness of individual notifications, § 164.404(b) mirrors the statutory requirement in section 13402(d) of the Act and requires that, except when law enforcement requests a delay in accordance with § 164.412 (provision discussed below), a covered entity shall send the required notification without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered by the covered entity. Thus, provisions for timeliness should be read together with the above provisions for when a breach is treated as discovered. We expect a covered entity to make the individual notifications as soon as reasonably possible. The covered entity may take a reasonable time to investigate the circumstances surrounding the breach, in order to collect and develop the information that § 164.404(c) requires to be included in the notice to the individual. As discussed below, covered entities are also permitted to provide the required information to individuals within the required time period in multiple mailings as the information becomes available.

In response to the RFI, some commenters suggested that suspected but unconfirmed breaches should not be treated as discovered until all the facts of the breach could be confirmed. Others suggested that 60 days was an insufficient amount of time to conduct a complete investigation and send the required notifications. We disagree. Waiting longer than 60 days to notify individuals of breaches of their unsecured protected health information could substantially increase the risk of harm to individuals as a result of the breach and decrease the ability of the individuals to effectively protect themselves from such harm. The statute and interim final rule provide that the notification must be provided without unreasonable delay and in no case later than 60 calendar days. The purpose of this period is to give covered entities and business associates time to conduct a prompt investigation into the incident to identify and collect the information needed to provide meaningful notice to the individual about what happened. Thus, the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in this rule.

Further, the duration of an investigation is limited by the statute and interim final rule's requirement that any delay be reasonable—the investigation cannot take an unreasonable amount of time. Thus, if a covered entity learns of an impermissible use or disclosure but unreasonably allows the investigation to lag for 30 days, this would constitute an unreasonable delay. Further, the 60 days is an outer limit and therefore, in some cases, it may be an "unreasonable delay" to wait until the 60th day to provide notification. For example, if a covered entity has compiled the information necessary to provide notification to individuals on day 10 but waits until day 60 to send the notifications, it would constitute an unreasonable delay despite the fact that the covered entity has provided notification within 60 days.

We also note that if a covered entity promptly investigates a reported breach and can swiftly conclude that there was no breach, then the covered entity need not send out breach notifications. For example, where a laptop with unsecured protected health information is initially reported by an employee to be stolen but is discovered the next day in another secure office within the


covered entity, then the covered entity need not send out breach notifications.

Content

Section 13402(f) of the Act sets forth the content requirements for the breach notice to the individual. Section 164.404(c) of the interim final rule implements section 13402(f) of the Act and requires the notification to include, to the extent possible, the following elements: (1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (2) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (3) any steps individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, Web site, or postal address. With respect to indicating in the notification the types of protected health information involved in a breach, we emphasize that this provision requires covered entities to describe only the types of information involved. Thus, covered entities should not include a listing of the actual protected health information that was breached (e.g., list in the notice the individual's social security number or credit card number that was breached) and generally should avoid including any sensitive information in the notification itself. Further, in the interim final rule at § 164.404(c)(1)(B), we add the term "diagnosis" in the parenthetical listing of examples of types of protected health information to make clear that, where appropriate, a covered entity may need to indicate in the notification to the individual whether and what types of treatment information were involved in a breach. In addition, at § 164.404(c)(1)(D), we replace the statutory term "mitigate losses" with "mitigate harm to the individual" to make clear that the notification should describe the steps the covered entity is taking to mitigate potential harm to the individual resulting from the breach and that such harm is not limited to economic loss.

Under these content requirements, for example, and depending on the circumstances, the notice to the individual may include recommendations that the individual contact his or her credit card company and information about how to contact the credit bureaus and obtain credit monitoring services (if credit card information was breached); information about steps the covered entity is taking to retrieve the breached information, such as filing a police report (if a suspected theft of unsecured protected health information occurred); information about steps the covered entity is taking to improve security to prevent future similar breaches; and information about sanctions the covered entity imposed on workforce members involved in the breach.

Some commenters recommended that we impose a page limitation on the length of the notice (e.g., one page in length) and ensure the content of the notice is non-technical and non-complex so individuals can easily understand the information being provided. We agree that it is important for individuals to be able to understand the information being provided to them in the breach notifications and thus, at § 164.404(c)(2) of the interim final rule, include a requirement that such notifications be written in plain language. To satisfy this requirement, the covered entity should write the notice at an appropriate reading level, using clear language and syntax, and not include any extraneous material that might diminish the message it is trying to convey. We do not impose a page limitation, however, so as not to constrain covered entities in including in the notifications the information they believe could be helpful to individuals. Further, we note that some covered entities may have obligations under other laws with respect to their communication with affected individuals. For example, to the extent a covered entity is obligated to comply with Title VI of the Civil Rights Act of 1964, the covered entity must take reasonable steps to ensure meaningful access for Limited English Proficient persons to the services of the covered entity, which could include translating the notice into frequently encountered languages. Similarly, to the extent that a covered entity is obligated to comply with Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of 1990, the covered entity has an obligation to take steps that may be necessary to ensure effective communication with individuals with disabilities, which could include making the notice available in alternate formats, such as Braille, large print, or audio.

Methods of Notification

Section 13402(e)(1) of the Act provides for both actual written notice to the individual, as well as substitute notice to the individual if contact information is insufficient or out-of-date. Accordingly, the interim final rule at § 164.404(d) adopts the statutory provisions for actual and substitute notification to the individual.

Section 164.404(d)(1)(i) requires a covered entity to provide breach notice to the individual in written form by first-class mail at the last known address of the individual. Consistent with the statute, the interim final rule also provides that written notice may be in the form of electronic mail, provided the individual agrees to receive electronic notice and such agreement has not been withdrawn. We note that, consistent with § 164.502(g) of the Privacy Rule, where the individual affected by a breach is a minor or otherwise lacks legal capacity due to a physical or mental condition, notice to the parent or other person who is the personal representative of the individual will satisfy the requirements of § 164.404(d)(1). The statute also requires that, if the individual is deceased, notice must be sent to the last known address of the next of kin. The interim final rule adopts this provision at § 164.404(d)(1)(ii), but provides that such notice be sent to either the individual's next of kin or personal representative, as such term is used for purposes of the Privacy Rule, recognizing that in some cases, a covered entity may have contact information for a personal representative of a deceased individual rather than the next of kin. We believe this conforms to the intent of the statute and improves consistency between this subpart and the Privacy Rule. Under 45 CFR 164.502(g), a "personal representative" of a deceased individual is a person who has authority to act on behalf of the decedent or the decedent's estate. The interim final rule also clarifies that a covered entity is only required to provide notice to next of kin or the personal representative if the covered entity both knows the individual is deceased and has the address of the next of kin or personal representative of the decedent. This clarification should address some of the comments which raised both administrative and privacy concerns with a covered entity being required to obtain contact information for next of kin of a deceased patient, if the individual did not otherwise provide the information while alive.


If a covered entity does not have sufficient contact information for some or all of the affected individuals, or if some notices are returned as undeliverable, the covered entity must provide substitute notice for the unreachable individuals in accordance with § 164.404(d)(2) of the interim final rule. Substitute notice should be provided as soon as reasonably possible after the covered entity is aware that it has insufficient or out-of-date contact information for one or more affected individuals. Whatever form of substitute notice is provided, the notice must contain all the elements that § 164.404(c) requires be included in the direct written notice to individuals. With respect to decedents, however, the rule provides that a covered entity is not required to provide substitute notice for the next of kin or personal representative in cases where the covered entity either does not have contact information or has out-of-date contact information for the next of kin or personal representative.

Section 164.404(d)(2) requires that the substitute form of notice be reasonably calculated to reach the individuals for whom it is being provided. If there are fewer than 10 individuals for whom the covered entity has insufficient or out-of-date contact information to provide the written notice, § 164.404(d)(2)(i) permits the covered entity to provide substitute notice to such individuals through an alternative form of written notice, by telephone, or other means. For example, if the covered entity learns that the home address it has for one of its patients is out-of-date but it has the patient's e-mail address, it may provide substitute notice by e-mail even if the patient has not agreed to electronic notice. Similarly, in the above example, if the covered entity has a current telephone number rather than e-mail address for the patient, then the covered entity may telephone the patient and provide the information required by the notice over the phone. We note, however, that the covered entity should be sensitive to not unnecessarily disclose protected health information in the process of providing substitute notice, such as where the covered entity leaves an answering machine message that could be picked up by other household members. In such cases, the covered entity should take care to limit the amount of information disclosed on an answering machine message, such as, for example, by leaving only its name and number and indicating it has a very important message for the individual. Alternatively, posting a notice on the Web site of the covered entity or at another location may be appropriate if the covered entity lacks any current contact information for the patients, so long as the posting is done in a manner that is reasonably calculated to reach the individuals.

If a covered entity has insufficient or out-of-date contact information for 10 or more individuals, then § 164.404(d)(2)(ii) requires the covered entity to provide substitute notice through either a conspicuous posting for a period of 90 days on the home page of its Web site or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. As described above, these substitute notifications must be provided in a manner that is reasonably calculated to reach the affected individuals. In addition, substitute notice through the Web site or media for 10 or more individuals requires the covered entity to have a toll-free phone number, active for 90 days, where an individual can learn whether the individual's unsecured protected health information may be included in the breach and to include the number in the notice.

If the covered entity chooses to provide substitute notice on the home page of its Web site, the notice must be conspicuous and posted for at least 90 days. A covered entity may provide all the information described at § 164.404(c) directly on its home page or may provide a hyperlink to the notice containing such information. We interpret "home page" to include the home page for visitors to the covered entity's Web site and the landing page or login page for existing account holders. If a covered entity uses a hyperlink on the home page to convey the substitute notice, the hyperlink should be prominent so that it is noticeable given its size, color, and graphic treatment in relation to other parts of the page, and it should be worded to convey the nature and importance of the information to which it leads.

Alternatively, or if the covered entity does not have or does not wish to use a Web site for the substitute notice, the covered entity may provide substitute notice of the breach in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. What constitutes major print or broadcast media for a particular area will depend on the geographic area where the affected individuals are likely to reside and what is reasonably calculated to reach the affected individuals. We emphasize that what is considered major print or broadcast media for a metropolitan area may be very different from what is considered major print or broadcast media in a rural area. For example, if the affected individuals are reasonably likely to reside in a rural area, then a local newspaper could be the major newspaper serving that area and most likely to reach the individuals affected. For affected individuals in a metropolitan area, then a newspaper serving the entire metropolitan area or the entire State would be more likely to reach the individuals affected. If the affected individuals likely reside in different regions or States, then the covered entity may need to utilize multiple media outlets to reasonably reach these individuals.

Also, we clarify in this interim final rule that any notice in print or broadcast media under this section must be conspicuous, similar to the posting on the Web site. Thus, for example, for notice in print media, thought should be given to what location and duration of the notice is reasonably calculated to reach the affected individuals.

Some commenters were concerned that providing substitute notice in major media would be costly and onerous. Covered entities that are concerned with the cost of providing substitute notice in this manner have the option of instead posting the substitute notice on their Web sites. For smaller covered entities that do not have Web sites, we would expect those covered entities generally serve a patient population located in a relatively compact and discrete area. In such cases, the geographic area in which the affected individuals reside would be comparably small, and, therefore, we do not believe that providing substitute notice in the appropriate local newspaper or television station would be excessively costly or onerous. Finally, we note that covered entities with out-of-date or insufficient contact information for some individuals can attempt to update the contact information so that they can provide direct written notification, in order to limit the number of individuals for whom substitute notice is required and, thus, potentially avoid the obligation to provide substitute notice through a Web site or major print or broadcast media under § 164.404(d)(2)(ii).

Other commenters were concerned that the requirement to include a toll-free phone number in the substitute media notice would overly burden a covered entity with calls from individuals unaffected by the breach. We note that the statute requires that covered entities include a toll-free phone number in cases where substitute notice is required for 10 or more individuals. Covered entities concerned


with the number of calls they may receive from unaffected individuals may wish to include sufficient information in the notice itself or a Web address in the notice for more information (or other means) as a way for individuals to determine whether their information may have been included in the breach.

Additional Notice in Urgent Situations

Finally, § 164.404(d)(3) of the interim final rule implements the provision in the statute at section 13402(e)(1)(c), which makes clear that notice by telephone or other means may be made, in addition to written notice, in cases deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information. We emphasize, however, that such notice, if utilized, is in addition to, and not in lieu of, the direct written notice required by § 164.404(d)(1).

D. Notification to the Media—164.406

Section 164.406 implements section 13402(e)(2) of the Act, which requires that notice be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. This media notice differs from the substitute media notice described in § 164.404(d)(1)(2) in that it is directed "to" the media and is intended to supplement, but not substitute for, individual notice. The Act requires that notification to the media under this provision be provided

example, for a breach affecting 500 or more individuals across a particular state, a prominent media outlet may be a major, general-interest newspaper with a daily circulation throughout the entire state. In contrast, a newspaper serving only one town and distributed on a monthly basis, or a daily newspaper of specialized interest (such as sport, politics) would not be viewed as a prominent media outlet. If a breach affects 500 or more individuals in a limited jurisdiction, such as a city, then a prominent media outlet may be a major, general-interest newspaper with daily circulation throughout the city, even though the newspaper does not serve the whole State.

Commenters also asked HHS to clarify what is meant by "State or jurisdiction" for purposes of notice to the media under this provision. We note that "State" is already defined at § 160.103 of the HIPAA Rules to mean "any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam." That definition applies to this new provision. We also note that the Act includes a definition of "State" which applies for purposes of this provision and defines "State" to include, in addition to what is included at § 160.103, American Samoa and the Northern Mariana Islands. Thus, we provide at § 164.406(a) that, for purposes of this provision, "State" also includes American Samoa and the Northern Mariana Islands. With respect to jurisdiction, we clarify that, for purposes of this provision, jurisdiction is a geographic area smaller than a state, such as a county, city, or town.

To illustrate how these provisions

reside in Virginia, 200 of which reside in Maryland, and 200 of which reside in the District of Columbia, such a breach did not affect more than 500 residents of any one State or jurisdiction, and as such, notification is not required to be provided to the media pursuant to § 164.406. However, individual notification under § 164.404 would be required, as would notification to the Secretary under § 164.408 because the breach involved 500 or more individuals. Conversely, if a covered entity discovered a breach of unsecured protected health information involving 600 residents within the state of Maryland and 600 residents of the District of Columbia, notification must be provided to a prominent media outlet serving the state of Maryland and to a prominent media outlet serving the District of Columbia.

We also recognize that in some cases a breach may occur at a business associate and involve the protected health information of multiple covered entities. In that case, a covered entity involved would only be required to provide notification to the media if the information breached included the protected health information of 500 or more individuals located in any one State or jurisdiction. For example, if a business associate discovers a breach affecting 800 individuals, the business associate must notify the appropriate covered entity (or covered entities) subject to § 164.410 (discussed below). If 450 of the affected individuals are patients of one covered entity and the remaining 350 are patients of another covered entity, because the breach has not affected more than 500 individuals at either covered entity, there is no
within the same timeframe as notice is apply, we provide the following obligation to provide notification to the
to be provided to the individual. See example. If laptops containing the media under this section. Additionally,
section 13402(d)(1) of the Act. unsecured protected health information neither covered entity has the obligation
Accordingly, § 164.406(b) of the interim of more than 500 residents of a of notifying the Secretary under
final rule requires a covered entity to particular city were stolen from a § 164.408(b) concurrently with notice to
notify prominent media outlets without covered entity, notification under this the affected individuals; however, both
unreasonable delay and in no case later section should be provided to covered entities must include this
than 60 calendar days after discovery of prominent media outlets serving that breach in their annual submission to the
the breach. In paragraph (c) of this city. In this case, the prominent media Secretary pursuant to § 164.408(c). In
section, we require that notification to outlet may be a major television station cases where the entities involved are
the media under this provision include or newspaper (or other media outlet) unable to determine which entity’s
the same information required to be serving primarily the residents of that protected health information was
included in the notification to the city or a prominent media outlet serving involved, the covered entities may
individual under § 164.404(c). We the entire state. Alternatively, for a consider having the business associate
expect that most covered entities will breach involving 500 or more residents provide the notification to the media on
provide notification to the media under across a State and not within any one behalf of all of the covered entities.
this section in the form of a press particular county or city of the State, the Section 164.406(c) sets forth the
release. prominent media outlet chosen must content requirement for covered entities
Commenters asked that we define serve the entire State. notifying the media. In this section, we
erowe on DSK5CLS3C1PROD with RULES_2

what constitutes a ‘‘prominent media In response to comments received, we require that the notice to the media
outlet.’’ We do not define ‘‘prominent also offer clarification on how to include the same content as that
media outlet’’ in this regulation because address a breach involving residents in required for notification to the
what constitutes a prominent media multiple States or jurisdictions. For individual under § 164.404(c). We
outlet will differ depending upon the example, if a covered entity discovers a emphasize that this provision does not
State or jurisdiction affected. For breach of 600 individuals, 200 of which replace either direct written or

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations 42753

substitute notice to the individual under incorrect because the entity did not submitted and how to submit such
§ 164.404. If a covered entity is required have sufficient time to conduct an information.
to provide substitute notice under investigation into the facts surrounding For calendar year 2009, the covered
§ 164.404(d)(2)(ii)(A) and chooses to do the breach. In addition, this entity is only required to submit
so through major print or broadcast interpretation satisfies the statutory information to the Secretary for
media, notification to the media under requirement that notifications of larger breaches occurring after the effective
this section would only satisfy such breaches be provided to the Secretary date of this regulation, i.e., on or after
substitute notice if the prominent media immediately as compared to the reports September 23, 2009. Information about
outlet ran a notification reasonably of smaller breaches the statute allows be breaches occurring prior to that date
calculated to reach the individuals for reported annually to the Secretary. The need not be submitted. This is because,
which substitute notice was required interim final rule also provides that the pursuant to § 164.400, this subpart only
and included all the information notification be provided in a manner to applies to breaches occurring on or after
required be provided in the individual be specified on the HHS Web site. The that date.
notice, including the toll-free number Department will post instructions on its We emphasize that although covered
required by § 164.404(d)(2)(ii)(B). Web site for submitting both this entities need only provide notification
notification as well as the annual to the Secretary of breaches involving
E. Notification to the Secretary— less than 500 individuals annually, they
164.408 notification described below. In
addition, as required by section must still provide notification of such
Section 164.408 of the interim final 13402(e)(4) of the Act, the Secretary will breaches to affected individuals without
rule implements section 13402(e)(3) of post on the HHS Web site a list of unreasonable delay and not later than
the Act, which requires covered entities covered entities that submit reports of 60 days after discovery of the breach
to notify the Secretary of breaches of breaches of unsecured protected health pursuant to § 164.404. In addition, we
unsecured protected health information. information involving more than 500 note that pursuant to § 164.414(a), a
For breaches involving 500 or more individuals. covered entity must follow the
individuals, the Act requires covered documentation requirements that
Covered entities must notify the
entities to notify the Secretary otherwise apply to the HIPAA Privacy
Secretary of discovered breaches
immediately. For breaches involving Rule under § 164.530 with respect to the
involving more than 500 individuals
less than 500 individuals, the Act requirements of this rule. Thus,
generally, without regard to whether the
provides that a covered entity may pursuant to § 164.530(j)(2), covered
maintain a log of such breaches and breach involved more than 500
entities must maintain the internal log
annually submit such log to the residents of a particular State or
or other documentation for six years.
Secretary documenting the breaches jurisdiction (the threshold for triggering Further, as with other required
occurring during the year involved. notification to the media under documentation, a covered entity must
Section 164.408(a) of the interim final § 164.406 of the interim final rule). make such information available to the
rule contains the general rule that Thus, where a covered entity has Secretary upon request in accordance
requires a covered entity to notify the discovered a breach of 600 individuals, with § 160.310.
Secretary following the discovery of a 300 of which reside in Maryland and
breach of unsecured protected health 300 of which reside in the District of F. Notification by a Business
information. Section 164.408(b) Columbia, notification of the breach Associate—164.410
provides the implementation must be provided to the Secretary Section 13402(b) of the Act requires a
specification for breaches involving 500 concurrently with notification to the business associate of a covered entity
or more individuals. Section 164.408(c) affected individuals. However, the that accesses, maintains, retains,
provides the implementation breach in this example would not trigger modifies, records, destroys, or otherwise
specification for breaches involving the requirement to notify the media holds, uses, or discloses unsecured
fewer than 500 individuals. under § 164.406 because the breach did protected health information to notify
With respect to breaches involving not involve more than 500 residents of the covered entity when it discovers a
500 or more individuals, we interpret any one State or jurisdiction. breach of such information. Section
the term ‘‘immediately’’ in the statute to For breaches involving less than 500 164.410(a) implements section 13402(b)
require notification be sent to the individuals, § 164.408(c) requires a of the Act, but does not include the
Secretary in the case of these larger covered entity to maintain a log or other terms ‘‘that accesses, maintains, retains,
breaches concurrently with the documentation of such breaches and to modifies, records, stores, destroys, or
notification sent to the individual under submit information annually to the otherwise holds, uses, or discloses’’
§ 164.404, which must be sent without Secretary for breaches occurring during used in the statute to describe a
unreasonable delay but in no case later the preceding calendar year. As business associate’s actions with respect
than 60 calendar days following recommended by several commenters, to unsecured protected health
discovery of a breach. Many we have designated a date for information because inclusion of such
commenters were concerned that submission of the information to the terms was deemed unnecessary.
covered entities would be required to Secretary. The interim final rule Thus, following the discovery of a
provide notification to the Secretary in requires the submission of this breach of unsecured protected health
a much shorter time frame than the information to the Secretary no later information, a business associate is
other notifications required by the Act, than 60 days after the end of each required to notify the covered entity of
making it difficult for covered entities to calendar year. As with notification of the breach so that the covered entity can
comply. This interpretation thus allows the larger breaches above, the interim notify affected individuals. We clarify
erowe on DSK5CLS3C1PROD with RULES_2

the notice to the Secretary to include all final rule provides that information that a business associate that maintains
of the information provided in the about breaches involving less than 500 the protected health information of
notice to the individual and better individuals is to be provided to the multiple covered entities need notify
avoids the situation where a covered Secretary in the manner specified on the only the covered entity(s) to which the
entity reports information to the HHS Web site. HHS will specify on its breached information relates. However,
Secretary that later turns out to be Web site the information to be in cases in which a breach involves the

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
42754 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

unsecured protected health information these clarifications for consistency and may be unaware of the identification of
of multiple covered entities and it is uniformity across the regulations. the individuals whose unsecured
unclear to whom the breached Section 164.410(b) implements protected health information was
information relates, it may be necessary section 13402(d)(1) of the Act and breached. For example, a business
to notify all potential affected covered provides that, with the exception associate that is a record storage
entities. provided in § 164.412, a business company holds hundreds of boxes of
We received several comments in associate must provide notice of a paper medical records on behalf of a
support of adding a provision to require breach of unsecured protected health covered entity. The business associate
business associates to provide notice to information to a covered entity without discovers that several boxes are missing
a senior official or privacy official at the unreasonable delay and in no case later and is unable to provide the covered
covered entity. We do not believe such than 60 days following the discovery of entity with a list of the individuals
a provision is necessary, however. a breach. With respect to breaches at the whose information has been breached. It
Covered entities and business associates business associate, the covered entity is not our intent that the business
already have established business must provide the required notifications associate delay notification of the
relationships and communication to affected individuals under breach to the covered entity, when the
channels, including with respect to § 164.404(a) without unreasonable covered entity may be better able to
privacy and security matters. For delay, but no later than 60 days. identify the individuals affected.
example, the HIPAA Rules already If a business associate is acting as an Further, we recognize that, depending
require a business associate contract to agent of a covered entity, then, pursuant on the circumstances surrounding a
provide that the business associate to § 164.404(a)(2), the business breach of unsecured protected health
report to the covered entity uses or associate’s discovery of the breach will information, a business associate may be
disclosures not provided by the contract be imputed to the covered entity. in the best position to gather the
as well as security incidents of which Accordingly, in such circumstances, the information the covered entity is
the business associate becomes aware. covered entity must provide required by § 164.404(c) to include in
See 45 CFR 164.504(e)(2)(ii)(C) and notifications under § 164.404(a) based the notification to the individual about
164.314(a)(2)(i)(C). Thus, we believe it is on the time the business associate the breach. Thus, in addition to the
appropriate to leave it up to covered discovers the breach, not from the time identification of affected individuals,
entities and business associates to the business associate notifies the § 164.410(c)(2) requires a business
determine how the required reporting covered entity. In contrast, if the associate to provide the covered entity
should be implemented. business associate is an independent with any other available information
Section 164.410(a)(2) implements contractor of the covered entity (i.e., not that the covered entity is required to
section 13402(c) of the Act, which an agent), then the covered entity must include in the notification to the
provides when a breach is to be treated provide notification based on the time individual under § 164.404(c), either at
as discovered by the business associate. the business associate notifies the the time it provides notice to the
Accordingly, § 164.410(a)(2) states that a covered entity of the breach. As covered entity of the breach or promptly
breach shall be treated as discovered by reflected in the comments we received thereafter as information becomes
a business associate as of the first day in response to the timing of business available. Because we allow this
on which such breach is known to the associate notification to a covered entity information to be provided to a covered
business associate or, by exercising following a breach, covered entities may entity after the initial notification of the
reasonable diligence, would have been wish to address the timing of the breach as it becomes available, a
known to the business associate. Section notification in their business associate business associate should not delay the
164.410(a)(2) further provides that a contracts. initial notification to the covered entity
business associate shall be deemed to Section 164.410(c) implements the of the breach in order to collect
have knowledge of a breach if the second sentence of section 13402(b) of information needed for the notification
breach is known, or by exercising the Act, which specifies the information to the individual. To ensure the covered
reasonable diligence would have been that a business associate must provide entity is aware of all the available facts
known, to any person, other than the to a covered entity following a breach of surrounding a breach, we also note that
person committing the breach, who is unsecured protected health information. a business associate should provide this
an employee, officer, or other agent of Section 164.410(c)(1) requires business information even if it becomes available
the business associate (determined in associates, to the extent possible, to after notifications have been sent to
accordance with the federal common provide covered entities with the affected individuals or after the 60-day
law of agency). As with § 164.404(a)(2) identity of each individual whose period specified in § 164.410(b) has
with respect to a covered entity’s unsecured protected health information elapsed.
knowledge of a breach, we clarify in this has been, or is reasonably believed to In response to a significant number of
provision that the federal common law have been, breached. Depending on the commenters who expressed concern
of agency is to control in determining circumstances, business associates may that this requirement would prevent
who is an agent of the covered entity. provide the covered entity with covered entities and their business
This approach is consistent with the immediate notification of the breach, as associates from addressing these issues
HIPAA Enforcement Rule (45 CFR part discussed above and then follow up in their business associate contracts, we
160, subparts C through E), which with the required information in emphasize that we do not intend for this
provides that the federal common law of § 164.410(c) when available but without section to interfere with the current
agency applies in determining agency unreasonable delay and within 60 days. relationship between covered entities
liability under the HIPAA Rules. Also, Section 164.410(c)(1) departs slightly and their business associates. Business
erowe on DSK5CLS3C1PROD with RULES_2

as with § 164.404(a)(2), we have from the statutory language by only associates and covered entities will
modified the statutory language slightly requiring business associates to provide continue to have the flexibility to set
to better conform to existing language in this information ‘‘to the extent forth specific obligations for each party,
the HIPAA Enforcement Rule at 45 CFR possible.’’ Based on some comments such as who will provide notice to
160.410, by incorporating the term received, we recognize that there may be individuals and when the notification
‘‘reasonable diligence.’’ We have made situations in which a business associate from the business associate to the

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations 42755

covered entity will be required, §§ 164.404, 164.406, 164.408, and associates to develop and document
following a breach of unsecured 164.410 if instructed to do so by a law policies and procedures, train workforce
protected health information, so long as enforcement official. members on and have sanctions for
all required notifications are provided We retain the definition of ‘‘law failure to comply with these policies
and the other requirements of the enforcement official’’ currently used in and procedures, permit individuals to
interim final rule are met. We encourage the Privacy Rule at § 164.501, which file complaints regarding these policies
the parties to consider which entity is defines such person as ‘‘an officer or and procedures or a failure to comply
in the best position to provide notice to employee of any state agency or with them, and require covered entities
the individual, which may depend on authority of the United States, a State, to refrain from intimidating or
circumstances, such as the functions the a territory, a political subdivision of a retaliatory acts. Thus, a covered entity is
business associate performs on behalf of State or territory, or an Indian tribe, who required to consider and incorporate the
the covered entity and which entity has is empowered by law to: (1) Investigate requirements of this subpart with
the relationship with the individual. We or conduct an official inquiry into a respect to its administrative compliance
also encourage the parties to ensure the potential violation of law; or (2) and other obligations. In addition to
individual does not receive notifications prosecute or otherwise conduct a § 164.414(a), to make clear that these
from both the covered entity and the criminal, civil, or administrative provisions apply to this subpart as well
business associate about the same proceeding arising from an alleged as subpart E, we have made conforming
breach, which may be confusing to the violation of law.’’ However, in this modifications in each of the above
individual. interim final rule, we move the sections of the Privacy Rule to include
Finally, we note that where an entity definition up to § 164.103 so that it will a reference to this subpart D.
provides PHRs to customers of a HIPAA apply to this subpart D as well as Consistent with section 13402(d)(2) of
covered entity through a business continue to apply to subpart E (Privacy the Act, § 164.414(b) provides that,
associate arrangement but also provides Rule). following an impermissible use or
PHRs directly to the public and a breach Section 164.412(a), which is based on disclosure under the Privacy Rule,
of its records occurs, in certain cases, as the requirements of 45 CFR covered entities and business associates
described in its rule, the FTC will deem 164.528(a)(2)(i) of the Privacy Rule, have the burden of demonstrating that
compliance with certain provisions of provides for a temporary delay of all notifications were made as required
HHS’ rule as compliance with FTC’s notification in situations in which a law by this subpart. Additionally, as part of
rule. In particular, in such situations, it enforcement official provides a demonstrating that all required
may be appropriate for the vendor to statement in writing that the delay is notifications were made, we clarify in
provide the same breach notice to all its necessary because notification would the regulatory text that a covered entity
PHR customers since it has a direct impede a criminal investigation or cause or business associate, as applicable, also
relationship with all the affected damage to national security, and must be able to demonstrate that an
individuals. Thus, in those limited specifies the time for which a delay is impermissible use or disclosure did not
circumstances where a vendor of PHRs required. In these instances, the covered constitute a breach, as such term is
(1) provides notice to individuals on entity is required to delay the defined at § 164.402, in cases where the
behalf of a HIPAA covered entity, (2) notification, notice, or posting for the covered entity or business associate
has dealt directly with these individuals time period specified by the official. determined that notifications were not
in managing their personal health Similarly, § 164.412(b), which is required. We also make conforming
record accounts, and (3) provides notice based on 45 CFR 164.528(a)(2)(ii) of the changes to § 160.534 of the HIPAA
to its customers at the same time, the Privacy Rule, requires a covered entity Enforcement Rule to make clear that,
FTC will deem compliance with HHS or business associate to temporarily during any administrative hearing, the
requirements governing the timing, delay a notification, notice, or posting if covered entity has the burden of going
method, and content of notice to be a law enforcement official states orally forward and the burden of persuasion
compliance with the corresponding FTC that a notification would impede a with respect to these issues.
rule provisions.11 criminal investigation or cause damage Thus, when a covered entity or
to national security. However, in this business associate knows of an
G. Law Enforcement Delay—164.412 case, the covered entity or business impermissible use or disclosure of
Section 13402(g) of the Act provides associate is required to document the protected health information, it should
that if a law enforcement official statement and the identity of the official maintain documentation that all
determines that a notification, notice, or and delay notification for no longer than required notifications were made, or,
posting required under this section 30 days, unless a written statement alternatively, of its risk assessment
would impede a criminal investigation meeting the above requirements is (discussed above in § 164.402) or the
or cause damage to national security, provided during that time. We interpret application of any exceptions to the
such notification, notice, or posting these provisions as tolling the time definition of ‘‘breach’’ to demonstrate
shall be delayed in the same manner as within which notification is required that notification was not required.
provided under 45 CFR 164.528(a)(2) of under §§ 164.404, 164.406, 164.408, and
the Privacy Rule in the case of a I. Other Conforming Changes to the
164.410, as applicable.
disclosure covered under such section. HIPAA Rules
Section 164.412 implements section H. Administrative Requirements and In addition to the conforming
13402(g) of the Act and thus, requires a Burden of Proof—164.414 modifications discussed above, we make
covered entity or business associate to Section 164.414(a) requires covered the following changes to align the
temporarily delay notification under entities to comply with the HIPAA Rules in light of the new breach
erowe on DSK5CLS3C1PROD with RULES_2

administrative requirements of notification requirements of this rule.


11 We note, however, that with respect to the § 164.530(b), (d), (e), (g), (h), (i), and (j) First, we revise the statutory basis and
customers to whom it provides PHRs directly, the of the Privacy Rule with respect to the purpose sections at §§ 160.101 and
vendor must comply with all other FTC rule
requirements, including the requirement to notify
breach notification provisions of this 164.102 to include references to section
the FTC within ten business days after discovering subpart. These provisions, for example, 13402 of the Act. Second, in Part 160,
the breach. require covered entities and business for purposes of the preemption of State

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
42756 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

law, we amend § 160.202 to revise the and apply this preemption standard entity or business associate will not be
definition of ‘‘contrary’’ to include a appropriately. out of compliance with this subpart if,
reference to section 13402 of the Act. Although we received many after the date set forth at § 164.400, the
(See below for a discussion of comments concerning perceived entity maintains unsecured protected
preemption and these new conflicts between the interaction of health information. We recognize,
requirements.) Finally, in Part 164, State laws and these breach notification though, that many covered entities and
subpart C, which contains the HIPAA provisions, based on the ‘‘contrary’’ business associates are voluntarily
Security Rule requirements, we revise standard for preemption, in general we choosing to secure their protected
the definition of ‘‘access’’ in § 164.304 believe that covered entities can comply health information in accordance with
to make clear that the definition does with both the applicable State laws and the guidance in order to avoid the
not apply to any use of the term in this regulation. In addition, based on the possibility of having to provide breach
subpart D. comments received, we believe that, in notifications pursuant to this subpart.
most cases, a single notification can We encourage covered entities and
J. Preemption satisfy the notification requirements business associates to take such an
We received several public comments regarding the issue of preemption and the interaction between this regulation and state breach notification laws. HIPAA (Pub. L. 104–191) added section 1178 of the Social Security Act, 42 U.S.C. 1320d–7, which sets forth the general effect of the HIPAA provisions on State law. Section 1178 provides that HIPAA administrative simplification provisions generally preempt conflicting State law. This section of the statute is implemented by 45 CFR 160.203, which states that a standard, requirement, or implementation specification that is adopted as regulation at 45 CFR parts 160, 162, or 164 and that is “contrary to a provision of State law preempts the provision of State law.” Section 160.203 provides several exceptions in which State law will not be preempted; however, we do not believe these exceptions apply to the breach notification regulations in 45 CFR part 164 subpart D.12 Therefore, contrary State law will be preempted by these breach notification regulations. We solicit comment in this area.

12 We do not interpret the preemption exception at § 160.203(b), which addresses more stringent State law related to privacy, as applying to these breach notification provisions because that paragraph only applies to the provisions of the Privacy Rule promulgated under section 264(c) of the HIPAA statute. See section 264(c)(2) of HIPAA.

Whether a State law is contrary to these breach notification regulations is to be determined based on the definition of “contrary” at § 160.202. A State law is contrary if “a covered entity could find it impossible to comply with both the State and federal requirements” or if the State law “stands as an obstacle to the accomplishment and execution of the full purposes and objectives” of the breach notification provisions in the Act. As discussed above, we make a conforming change to paragraph (2) of the definition of “contrary” in this section to incorporate reference to the breach notification provisions at section 13402 of the Act. Therefore, covered entities will need to analyze relevant State laws with respect to this regulation to understand the interaction under State laws and this regulation. For example, if a state breach notification law requires notification to be sent to the individual within five days following the detection of a breach, a covered entity that sends that notice within five days to comply with State law will also be in compliance with this regulation, as the covered entity must send the notification “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach.” If covered entities do not have all the information required by this regulation available to them within five days, they may send the individual an additional notification when they have accumulated the appropriate information.

Likewise, if a State law requires a breach notification but requires additional elements be included in the notice, or requires that certain elements be described in a certain way, there is no conflict between the State law and this regulation. As the Act and interim final rule are flexible in terms of how the elements are to be described, and do not prohibit additional elements from being included in the notice, covered entities can develop a notice that satisfies both laws.

K. Effective/Compliance Date

Section 13402(j) of the Act states that section 13402 applies to breaches that are discovered by a covered entity or business associate on or after 30 calendar days from the date of publication of this interim final rule. Commenters expressed concern that this effective date did not allow enough time for covered entities to implement the guidance for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals or have systems in place to comply with the requirements of the rule and suggested that compliance with these breach notification provisions not be required in 30 days.

In response, we note that the guidance on securing protected health information is not mandatory; it is discretionary. Accordingly, a covered

approach—securing their protected health information—and understand that the process may take more than 30 days from the publication of this interim final rule.

We also recognize that it will take covered entities and business associates time to implement the processes and procedures necessary to comply with this subpart. For example, once compliance with this subpart is required, a covered entity or business associate will be held accountable for breaches that, through the exercise of reasonable diligence, would have been known to the entity. This means that a covered entity or business associate must have reasonable systems in place to detect breaches. Putting such systems in place may take some time.

On the other hand, the majority of states already have breach notification laws in place. While this interim final rule differs from any such State laws, we believe that most covered entities or business associates should already have some form of breach notification procedures in place. Those covered entities and business associates should be able to build upon such existing procedures in order to come into compliance with this interim final rule.

We have decided that, consistent with section 13402(j) of the Act, the provisions of this subpart are effective, and compliance is required, for breaches occurring on or after 30 calendar days from the publication of this rule. However, based on the concerns described above, and based on some ambiguity within the statute,13 we will use our enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication of this rule, or February 22, 2010. During this initial time period—after this rule has taken effect but before we are imposing sanctions—we expect covered entities to comply with this subpart and will work with covered entities, through technical assistance and voluntary corrective action, to achieve compliance.

13 While section 13402(j) of the HITECH Act provides that section 13402 becomes effective 30 calendar days after publication of this interim final rule, it is section 13410(a)(2) that provides the Department with authority to impose civil money penalties, pursuant to § 1176 of the Social Security Act (42 U.S.C. 1320d–5), on violations by covered entities of the requirements imposed by the HITECH Act, including those of section 13402. Moreover, authority to impose civil money penalties on business associates for violations of the HITECH Act is provided by sections 13401(b) and 13404(c). Sections 13410(a)(2), 13401(b), and 13404(c) do not become effective until February 18, 2010 (see section 13423 of the Act). Thus, there is a statutory ambiguity due to the HITECH Act providing an effective date of 30 days from publication of this rule, but a later date for when the Department may impose civil money penalties for violations of section 13402.

V. Impact Statement and Other Required Analyses

A. Introduction

Section 13402 of the Act prescribes in specific terms the obligations and responsibilities on HIPAA covered entities to notify an affected individual when a breach of his or her unsecured protected health information occurs, to notify the Secretary, to notify the media in certain circumstances, and for business associates to notify covered entities of such breaches. In most instances, the interim final regulation adheres and conforms to the language of the statute in defining terms and in prescribing remedies. The rule tracks the language of the statute with regard to the actions covered entities must take to notify an affected individual when a reportable breach occurs, the time frame in which the covered entity must act, the mode of communicating with an affected individual and the content of the notice.

The prescriptive language of the statute leaves little discretion for the Secretary in how to implement the statute. Measures we have taken to modify the statutory language are minimal and were undertaken to make certain terms used in the statute conform to other parts of the HIPAA Rules. We also clarify when a breach of protected health information compromises the security or privacy of such information. Yet, because the statutory language is so detailed and specific as to the requirements and definitions placed on covered entities, and because we have endeavored to follow the statutory language as closely as possible, we believe that, in large measure, the economic burden imposed on covered entities results from the statute and not from the interim final regulation.

We have examined the impacts of this rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993, as further amended), the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.), section 202 of the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1532), Executive Order 13132 on Federalism (August 4, 1999), and the Congressional Review Act (5 U.S.C. 804(2)).

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more in any one year). This interim final rule is not an economically significant rule because we estimate that the breach notification requirements are not expected to cost more than $100 million per year. Nevertheless, because of the public interest in this rule, we have prepared an RIA that to the best of our ability presents the costs and benefits of the proposed rule. We request comments on the economic analysis provided in this proposed rule.

The RFA requires agencies to analyze options for regulatory relief of small businesses if a rule has a significant impact on a substantial number of small entities. The scope of the interim final rule will apply to all HIPAA covered entities and their business associates. Based on U.S. business census data provided to the Small Business Administration Office of Advocacy there were 605,845 entities classified under the North American Industrial Classification System (NAICS) 62. Code 62 encompasses physicians, dentists, ambulatory care centers, kidney dialysis centers, family planning clinics, home care services, mental health and drug rehabilitation centers, medical laboratories, hospitals and nursing facilities. In addition, based on data from the Centers for Medicare & Medicaid Services, we estimate that there are 107,567 suppliers of durable medical equipment and prosthetics. Almost all of these health providers fall under the RFA’s definition of a small entity by either meeting the Small Business Administration’s (SBA’s) size standard of a small business or by being a non-dominant nonprofit organization. The SBA’s size standard for NAICS 62 ranges between $7 million and $34.5 million in annual receipts. Also covered under HIPAA are health insurance firms and third party administrators (NAICS codes 524114 and 524292). The 2006 business census data show that there are 1,045 insurance firms and 3,522 third party administrators. Of the combined total of health insurance firms and third party administrators, we estimate that approximately 71 percent, or 3,266, meet the SBA’s definition of a small entity of annual receipts of $7 million or less. Pharmacies are also considered covered entities under HIPAA (NAICS code 44611) and based on the 2007 National Association of Chain Drug Stores Industry Profile approximately 17,500 independent pharmacy drugstores meet the SBA definition of a small business of $7 million or less in annual receipts. For more information on SBA’s size standards, see the Small Business Administration’s Web site at http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf.

Although the RFA only requires an initial regulatory flexibility analysis (IRFA) when an agency issues a proposed rule, the Department has a policy of voluntarily conducting an IRFA for interim final regulations. We examine the burden of the interim final regulation in section D below.

Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any one year of $100 million in 1995 dollars, updated annually for inflation. In 2009, that threshold is approximately $133 million. This rule will not impose an unfunded mandate on States, tribal government or the private sector of more than $133 million annually.

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct costs of compliance on State and local governments, preempts State law, or otherwise has Federalism implications. Section 13421(a) of the Act expressly provides that provisions or requirements of subtitle D of the Act, which includes the provisions requiring breach notification, shall preempt State law in the same respect that the HIPAA Rules preempt State law pursuant to section 1178 of the Social Security Act. Accordingly, this rule expressly adopts the preemption provisions that are applicable to the HIPAA Rules and as discussed in Section IV.J. Preemption above.

B. Why Is This Rule Needed?

This regulation is required to implement section 13402 of the Act. The purpose of the statute is to establish a uniform requirement on all HIPAA
covered entities to inform individuals when the individual’s unsecured protected health information has been improperly used or disclosed and the result of the improper use or disclosure may lead to financial damage, harm to the individual’s reputation, or other harm. Without the statutory requirement for notifying an individual of data breaches, it would be left to the entity to decide whether to notify an affected individual or the decision would be subject to significantly varying State laws (which are generally focused on breaches of financial information rather than health information).

Because notification requires expenditures and exposes the covered entity to loss of business and possible legal action, there is little incentive for the entity to take such action. While individuals whose protected health information was improperly accessed would be forewarned and as a result of being notified, could take action to mitigate financial or personal harm, they may not continue to patronize the entity which notifies them. If alternative providers in the individual’s community offer similar services, the individual may take their business to one of the alternative entities. Moreover, if other individuals, not directly affected by the breach, learn of the event, they too may seek services from other providers out of fear that their protected health information may be improperly accessed. The Ponemon Institute, LLC report of February 2009, “2008 Annual Study: Cost of a Data Breach” estimates that 69 percent of the cost of a data breach is the result of lost business (see page 4). The study identifies the health care industry as experiencing the highest customer turnover rate directly attributable to data breaches of protected health information. Moreover, since a health care provider is unlikely to suffer financially from the direct loss of protected health information, there is little incentive for the covered entity to notify affected individuals.

In such situations, the covered entity may perceive that it is more beneficial to not disclose breaches. The possibility of lawsuits arising out of a lack of response to the breach represents a risk but one which is uncertain and lies in the future. This compares to the more imminent and certain risk of loss of business if the entity discloses the breach.

By imposing a duty on all covered entities to notify affected individuals of breaches of protected health information, the statute and the interim final regulation place a similar burden on all covered entities to notify affected individuals and run the same risk of losing business as a result of breach notification. Moreover, requiring breach notification creates an incentive on all covered entities to invest in data security improvements in efforts to minimize the possibility of reportable data breaches.

At the same time that the statute and interim final regulation create the incentive to minimize breaches of protected health information, in the event that a breach occurs, the affected individual will be notified and thereby be given an opportunity to mitigate any harm that may result from the breach.

C. Costs and Benefits

1. Summary of Costs and Benefits

Throughout the following analysis we invite comments on specific portions of our analysis. The public, however, is invited to offer comments on any and all elements of the analysis and the assumption underlying the analysis.

Costs: In the analysis that follows, we applied the provisions of the interim final regulation to the dataset of data breaches found at DataLossdb.org. The database shows, among other things, the name of the organization and the type of business, such as finance, medical, government, education, or business. The field called “Total Affected” shows a count of either records or individuals affected by the breach. Without examining the source reports of the breach, we do not know which is being reported. For these purposes, we will take the more conservative approach and assume that the count is of individuals. We acknowledge the possibility that an individual may have more than one record housed at a provider, especially if the provider is a multi-unit facility. An individual may have separate inpatient, outpatient, and clinic records. Thus, a major breach could involve more than one record per breach, and to the extent that this is the case, we may overstate the costs, which we believe is preferable to understating them.

The data we selected covers calendar year 2008 and includes the subset of breaches from medical firms or containing medical information. Our analysis, thus, not only includes HIPAA covered entities found in the dataset but may include business associates of HIPAA covered entities. In addition, the data may include breaches of health information that State agencies may hold such as Medicaid State agencies that also serve as health plans and are also HIPAA covered entities. Table 1 presents the estimated costs of the interim final rule based on 2008
presented in the DataLossdb.org tables.

Upon examining the distribution of affected individuals and records for 2008, we identified one breach involving 2.2 million individuals. The incident occurred at a major university hospital system and involved the theft of backup tapes that were being transported to storage. The next highest breach affected 344,482 individuals. Including the outlier breach in our analysis, we believe, would significantly skew the analysis. Removing this case produces a more homogeneous distribution of affected individuals and improves the reliability of the analysis. Removing the outlier reduced the number of affected individuals from 5,087,032 to 2,887,032.

Although the type of data breach that occurred in 2008 was not unusual, the number of persons affected was six times greater than the next highest breach and the number of individuals affected is far from the average number for the year. In 2007, a State mental health agency reported the loss of records affecting 2.9 million individuals resulting from the agency’s data processor’s negligence. The next largest breach in 2007 involved 375,000 individuals and represents one eighth the number of individuals in the mental health agency breach.

Without doubt, breaches of the magnitude we see in the university hospital and State mental health breaches are a serious concern to the Department. Excluding such disproportionately large breaches from the cost analysis should not be construed as a lack of interest or concern in the security of protected health information at these institutions. We could have included the university hospital breach in our 2008 analysis, but it is clear that the incident does not represent the average or typical case. Since our purpose is to present and illustrate the costs of an average breach, we believe that the inclusion of the one unusually large breach in 2008 would skew the results and present a distorted picture of the level of costs that a typical covered entity could expect.

In reviewing the following analysis, one must keep in mind that we are able to capture only breaches that are either reported to the DataLoss database or are reported in the media. We suspect that some percent of breaches in the healthcare sector as well as in other sectors of the economy go unreported either because they are not detected or because, in the opinion of the entity, no harm was done. We cannot determine if the “no harm” type of unreported breach would meet the harm threshold
in § 164.402 of the interim final rule for a reportable breach. If some or all of such breaches reach the harm threshold for a breach, as defined in the interim final rule, then the analysis understates the cost of the rule to the degree that these breaches are not included in our analysis.

Table 1 shows the costs of the provisions of the interim final rule. We also present the costs required for investigating breaches and the amount of time we anticipate individuals will spend calling the toll-free number. The total cost estimated for the rule is $17 million based on the number of breaches and the number of affected individuals.

TABLE 1—SUMMARY OF COMPLIANCE COST FOR NOTIFYING AFFECTED INDIVIDUALS *

Cost elements | Number of breaches | Number of affected individuals | Cost/breach | Cost/affected individual | Cost
E-mail and 1st Class Mail | 106 | 2,888,804 | $12,986 | $0.477 | 1,376,528
Alternative Notices Media Notice | 70 | 2,888,804 | 487 | 0.012 | 34,080
Toll-Free Number | 70 | 2,888,804 | 117,676 | 2.851 | 8,237,309
Imputed cost to affected individuals | 70 | 2,888,804 | 103,172 | 2.500 | 7,222,010
Notice to Media Breach 500+ | 56 | 2,887,032 | 75 | 0.001 | 4,200
Report to the Secretary | 56 | 2,887,032 | 75 | 0.001 | 4,200
Investigation Costs: Under 500 | 50 | 1,772 | 400 | 11 | 20,000
Investigation Costs: Over 500 | 56 | 2,887,032 | 2,211 | 0.043 | 123,800
Annual Report to the Secretary | 106 | 2,888,804 | 30 | 0.001 | 3,180
TOTAL COST | | | 160,616 | 5.89 | 17,025,306

* Source: http://www.datalossdb.org.

Our cost impact for HIPAA covered entities of approximately $17 million is approximately 350 percent of the FTC cost estimate for non-HIPAA covered entities. The FTC estimate was based on requiring toll-free lines for six months. Their final rule requires toll-free lines for only three months, as does this rule. This should reduce the FTC estimated costs by approximately half to about $5 million; about 30 percent of our cost estimate for HIPAA covered entities of $17 million.

Benefits: Notifying individuals of a breach of their personal health information as close in time to the breach can benefit the individuals directly affected, as well as other entities such as credit card companies and credit agencies. We found little information showing the monetary benefits of medical data notification, but one study 14 presents evidence to show that the sooner affected individuals learn of their personal financial information being compromised, the lower the risk of financial loss to the individual.

14 “Toward a Rational Personal Data Breach Notification Regime,” by Michael Turner: Information Policy Institute, June, 2006.

We did not find any information regarding the benefits of notification of breached medical information. However, early notification of the breach of sensitive medical information may help an affected individual mitigate the embarrassment that exposure of sensitive medical information may cause. Notification may permit an individual to intervene sooner rather than later to forestall the harmful effects of damaging information. As suggested above, perhaps the greatest benefit of improved data security accrues to the HIPAA entity. We believe the cost of notifying affected individuals and loss of business that may result from a breach of protected health information provide strong incentives for the entity to improve its data security so as to prevent future breaches.

2. Costs

In this analysis we rely entirely on historical data from 2008 for estimating the costs of the interim final rule. We could have attempted to project future costs but two factors argued against such an effort. First, the DataLossdb dataset provides only four years of reasonably good data going back to 2005. Although, in theory, we could use the four data points to establish a trend, it is not clear whether the trend presented for the four years represents a trend in the number of breaches reported, or a trend in the reporting of breaches. In the first instance, the growth in data breaches would be the result of a real growth in the number of breaches. If this were the case, we would have confidence that the data represented a real trend. In the latter case, however, the growth in the number of breaches may simply reflect a growth in the reporting of breaches rather than an actual growth in the number of breaches. Under these circumstances, projecting a future trend would lead us to erroneous conclusions. More likely, the changes we see from year to year are a combination of both phenomena, which still leaves us with the problem of discerning the real change in breaches from the growth in reporting breaches. Therefore, we decided to base our estimates on the latest and most complete year of data available.

The second factor is the Department’s implementation of the ARRA provisions regarding health information and privacy. Implementation of incentive payments to health care providers and the issuance of health IT standards provided in the ARRA are likely to stimulate adoption of health IT systems; and with growth in IT adoption, one may expect the number of data breaches of protected health information to increase.

At the same time, the Department is taking steps to ensure greater protection of protected health information, for example, by promulgating this interim final rule along with the encryption guidance that the Department issued on April 17, 2009. In the event that protected health information is compromised, affected individuals will be notified of breaches.

As a result of the efforts to both stimulate growth in the adoption of health IT (and the implications that has for increased risk of data breaches) and the countervailing efforts to reduce the incidences of breaches by encrypting records, we believe that at the present time there is no reasonable way to forecast the net effects of both the change in costs or number of breaches that are likely to occur. Nevertheless, to the extent that the rate of adoption of encryption technology outpaces health IT adoption, we can predict fewer
reportable breaches under this rule. plans and third party administrators. the number of business associates
Given the state of flux, however, we The Centers for Medicare & Medicaid affected by this rule. However, we can
believe the most prudent analysis is to Services report 107,567 durable medical estimate that approximately 0.9 million
simply rely on the historical data at equipment and prosthetic suppliers, and HIPAA covered entities will be subject
hand. the National Association of Chain Drug to the interim final rule. Table 2
Stores reports 88,396 pharmacies. In presents the number of HIPAA covered
a. Affected Entities addition, we estimate that each covered entities. However, as noted, only the
Section 13402 of the Act applies to entity has contractual arrangements number of HIPAA covered entities is
HIPAA covered entities that are health with three business associates as well established. It is possible the
care providers, health plans, or defined under our regulations at 45 CFR
number of affected business associates
clearinghouses and their business 160.103. It should be noted, however,
could be small if a few firms contracted
associates that access, maintain, retain, that many of the same business
with many HIPAA entities. In any event,
modify, record, store, destroy, or associates contract or have arrangements
otherwise hold, use, or disclose with many different HIPAA covered we need not speculate about this
unsecured protected health information. entities. To the extent that this occurs, relationship as our cost estimate is not
Based on 2006 data from the Office of the total number of business associates based on the number of affected entities.
Advocacy, Small Business will be overstated. Since we do not Instead, it is based on a unique database
Administration there are 605,845 health know the extent of duplication among of breaches and affected individuals as
care entities, 4,567 health insurance business associates, we cannot estimate described below.

TABLE 2—NUMBER OF HIPAA COVERED ENTITIES BY NAICS CODE 1


Number of
NAICS code Providers/suppliers entities

622 .................... Hospitals (General Medical and Surgical, Psychiatric and Drug and Alcohol Treatment, Other Specialty) ....... 4,060
623 .................... Nursing Facilities (Nursing care facilities, Residential mental retardation, mental health and substance abuse 34,400
facilities, Residential mental retardation facilities, Residential mental health and substance abuse facilities,
Community care facilities for the elderly, Continuing care retirement communities).
6211–6213 ........ Offices of MDs (DOs, Mental health, Dentists, Practitioners, PT, OT, ST, Audiologists) ................................... 419,286
6214 .................. Outpatient Care Centers (Family Planning Centers, Outpatient Mental Health and Drug Abuse Centers, 13,962
Other Outpatient Health Centers, HMO Medical Centers, Kidney Dialysis Centers, Freestanding Ambula-
tory Surgical and Emergency Centers, All Other Outpatient Care Centers).
6215 .................. Medical Diagnostic, and Imaging Services .......................................................................................................... 7,879
6216 .................. Home Health Services .......................................................................................................................................... 15,329
6219 .................. Other Ambulatory Care Services (Ambulance and Other) ................................................................................... 5,879
n/a ..................... Durable Medical Equipment Supliers 2 ................................................................................................................. 107,567
4611 .................. Pharmacies 3 ......................................................................................................................................................... 88,396
524114 .............. Heath Insurance Carriers ..................................................................................................................................... 1,045
524292 .............. Third Party Administrators .................................................................................................................................... 3,522
1 Office of Advocacy, Small Business Administration http://www.sba.gov/advo/research/data.html.
2 Centers for Medicare and Medicaid Services.
3 The Chain Pharmacy Industry http://www.nacds.org/wmspage.cfm?parm1=507.

Healthcare clearinghouses are also considered covered entities. In the final rule implementing the 5010 standard published in the Federal Register on January 16, 2009 (74 FR 3318), we estimated that 162 clearinghouses will be affected by the interim final rule.

b. How Many Breaches Will Require Notification?

(1) What Is a Breach of Protected Health Information?

The interim final rule at § 164.402 defines a breach as an event that ‘‘compromises the security or privacy of the protected health information,’’ which means that it poses a significant risk of financial, reputational, or other harm to the individual. Events such as hacking into a database to steal protected health information would clearly constitute a breach of protected health information. Other events, however, such as a hospital inadvertently posting protected health information on a Web site, or the office staff mailing a medical report to the wrong patient, may constitute a breach. In the case of posting information on a facility’s Web site or mailing the wrong report, the entity responsible for the inappropriate release of protected health information may not have to notify the affected person if the entity has determined (e.g., by performing a risk assessment) that the release of the protected health information will not result in financial, reputational, or other harm to the individual. For example, if a general hospital impermissibly posted protected health information on its Web site that included only an individual’s name and address, under paragraph (1) of the definition of ‘‘breach’’ at § 164.402(1), the facility may not have to notify affected individuals if it determines that only minimal or no harm could result from such an inadvertent posting. However, if the same information were posted on the Web site of a drug rehabilitation facility, a reasonable person may conclude that the association of a person’s name with the facility could cause damage to their reputation. In that case, the provider would be required to notify the affected individuals. Therefore, a covered entity may not assume that these types of breaches do not require notices to the affected individuals. The entity must undertake an analysis of the information that was improperly divulged, and only after an investigation may it conclude that the information released poses no significant harm.

In contrast to an event that clearly falls into the category of a data breach and, after investigation, requires notice to affected individuals, paragraph (2) of the definition of ‘‘breach’’ at § 164.402 specifies three types of improper uses and disclosures of protected health information that are excluded from the definition of a breach. The first is unintentional access to protected health
information in good faith in the course of performing one’s job, where such access does not result in further impermissible use or disclosure. For example, a staff person receives and opens an e-mail from a nurse containing protected health information about a patient that the nurse mistakenly sent to the staff person, realizes the e-mail is misdirected, and then deletes it.

The second exclusion is an inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates. For example, a nurse calls a doctor who provides medical information on a patient in response to the inquiry. It turns out the information was for the wrong patient. Such an event would not be considered a breach under paragraph (2)(ii) of the definition of ‘‘breach’’ at § 164.402, provided the information received was not further used or disclosed in a manner not permitted by the Privacy Rule.

The third type of improper disclosure that is excluded from the definition of a ‘‘breach’’ is when protected health information is improperly disclosed, but the covered entity or business associate believes, in good faith, that the recipient of the unauthorized information would not be able to retain the information. For example, a nurse hands a patient a medical report, but quickly realizes that it was someone else’s report and requests the return of the incorrect report. In this case, if the nurse can reasonably conclude that the patient could not have read or otherwise retained the information, then providing the report to the wrong patient does not constitute a breach.

(2) How Many Breaches Occur and How Many Individuals Are Affected?

The sources for identifying the number of HIPAA covered entity breaches and the number of individuals affected are limited to State health agencies and one database maintained by a nonprofit organization. There is no national registry of data breaches that captures all data breaches. Thus, we have to rely on the few sources available to us and accept that each source has specific limitations. Essentially, we examined three sources and methods for estimating the number of breaches and then attempted to apply them to the universe of HIPAA covered entities and their business associates.

On April 20, 2009, the FTC published a proposed rule that would implement section 13407 of ARRA (74 FR 17914) and that applies to entities that are not HIPAA covered entities but which may retain, accept, and process personal health information in the form of personal health records. Examples of the kind of entities to which the FTC rule applies are web-based organizations that will receive, store, and maintain an individual’s health information for that individual. The FTC estimated there are 900 such entities.

To arrive at an estimate of the number of breaches per year that would occur to personal health records that these entities retain, the FTC examined a general database of breaches from 2002 to 2007. They identified 246 breaches occurring within the 5-year period for businesses. Averaging the number of breaches over the 5-year period equals 50 breaches per year. The FTC next identified 418,713 retail businesses with revenues of $1 million or more per year. However, concerned that applying the annual number of breaches to so large a number would yield an unrealistically small number of breaches per entity, the FTC took one percent of the number of retail businesses (which equals 4,187 entities) on the assumption that only one percent of the industry had such weak security that they would be attractive targets for data breaches. The FTC then calculated the breach rate based on the smaller number. The resulting rate is 1.2 percent, which, when applied to the 900 entities the FTC identified as maintainers of personal health records, equals 11 breaches per year.

To estimate the number of affected individuals, the FTC used a survey by the Ponemon Institute, ‘‘National Survey on Data Security Breach Notification,’’ 2005, to derive a percentage of the number of individuals notified as a result of a breach. Using 11.6 percent and applying the value to an estimated 2 million individuals using the services of the 900 personal health record holders, the FTC estimated that 232,000 individuals will be notified each year of data breaches. We believe this methodology has little applicability to the HIPAA universe of covered entities. We do not believe these estimates are appropriate for the purposes of this rule for several reasons. First, the HIPAA covered universe contains many more, but also much smaller, entities than the FTC web-based universe. Second, this rule exempts many small breaches from reporting requirements because they either fall under the exceptions to the definition of ‘‘breach’’ in the regulation or the entity determines that no harm will occur. Third, although we use historical data for our impact estimates, it is possible that the provisions of this rule that exempt from the notification requirements data encrypted pursuant to the Secretary’s guidance may greatly reduce the future number of reportable breaches. Fourth, as the FTC itself states, their costs are over-estimated because they apply all cost factors to all estimated web-based breaches.

Because the interim final regulation specifies different levels of responses on the part of HIPAA covered entities when unsecured protected health information is breached, we had to determine the number of breaches occurring using the size categories contained in our interim final regulation. The regulation requires increasing levels of notification for breaches that affect fewer than ten individuals, 10 to 499 individuals, and for breaches affecting more than 500 individuals.

Rather than follow the approach the FTC adopted, we turned to the DataLoss database maintained by the Open Security Foundation at http://datalossdb.org/. The database identifies data breaches by type of business and the number of records or individuals affected. Because business associates also must comply with provisions of the interim final rule in addition to HIPAA covered entities, we looked at all entries that either were identified as a medical entity or identified medical information as being involved in the data breach. Table 3 is a summary of the findings from the database for the year 2008, categorized by the number of individuals affected by each breach. We chose 2008 because it is the latest year for which we have a full year of data.

TABLE 3—NUMBER OF BREACHES BY NUMBER OF AFFECTED FOR 2008

Affected size                 Data                         2008
Unknown                       Breaches                       36
                              Affected Individuals          ...
10 to 499                     Breaches                       14
                              Affected Individuals        1,772
500 or More*                  Breaches                       56
                              Affected Individuals    2,887,032
Total Number of Breaches                                    107
Total Sum of Total Affected                           2,888,804

* Data for 2008 is adjusted to remove one outlier breach of 2.2 million records.

As Table 3 demonstrates, the number of breaches and the number of affected individuals are substantially smaller than the numbers we would generate using the FTC approach: 2.9 million affected individuals and 106 breaches. There are, nevertheless, shortcomings associated with the data displayed in the table. As discussed previously, the meaning of ‘‘Total Affected’’ is not clear. Without examining each table data entry, it is impossible to know precisely if the numbers in the cells represent individuals, records, or both. In looking at a small sample of the descriptive detail for actual database entries, we found evidence for both individuals and records. We assume that in the cases where the number of records breached was reported, the number corresponds roughly to the number of individuals—that each record represents an individual. Yet, because an individual may have more than one record in data that was improperly accessed, our estimate of the affected number of individuals may be overstated. We invite public comment on this point.

Another concern we have is that the table does not show any affected individuals or records for the ‘‘under ten’’ grouping. Because ‘‘Unknown’’ in the database is blank, the default value is zero. However, it would be improper to assume that the actual value of the reported ‘‘Total Affected’’ was zero. There is evidence, on the other hand, that the ‘‘Total Affected’’ in this group is less than 500, based on information we were able to obtain from the California Department of Public Health. For the first six months of this year (the first year that California’s law requiring notification of data breaches involving protected health information went into effect), of the 196 cases that have been examined to date, none of the cases has involved more than 499 affected individuals. We interpret this fact as pointing to the likelihood that the number of individuals or records affected where the number is unknown is likely to be less than 500, and a majority of cases may fall into the under ten category. Because of the gap in the data for breaches involving fewer than ten individuals, our estimate for this group may be understated. We invite public comment on this point.

The third limitation is the way information finds its way into the database. Since the database is privately maintained and operated and is not responsible to either a state or federal agency for regulating its content, the completeness and accuracy of information posted on the Web site is unknown. Generally, the information posted on the Web site is gleaned from published sources or from individuals with knowledge of the breaches submitting information. Nevertheless, we cannot be completely confident in the reliability of the information obtained from this source. Therefore, as is evident from the lack of affected records or individuals in the ‘‘under ten’’ grouping, it is highly likely that a certain number of breaches never reach the database, thus resulting in an undercount of the total number of breaches and the total number of individuals or records affected. We invite public comment on this point.

(3) Estimating the Costs

(a) Baseline

Approximately 45 States have laws that to varying degrees contain breach notification provisions similar to the Act. These 45 States require notification of individuals whose information was in some manner compromised as a result of inappropriate access to their information. Several States also link their requirements to federal notification requirements. Thus, while all the States with breach laws require some form of notification to affected individuals, those States whose laws conform to the Federal requirements need only develop procedures to conform to their State laws in addition to the interim final rule. The entities in those States, thus, will have a small compliance burden compared to the entities in other states.

Because not all states have a notification requirement, in our estimation of the costs of the interim final rule we will assume that no State has a notification requirement. Yet, clearly this would significantly overstate the burden imposed on HIPAA covered entities, because HIPAA covered entities have trained their staffs and have prepared procedures to follow when a breach occurs to comply with the existing requirements of most of the states. To ameliorate the overstatement of our cost estimate somewhat, we will assume the costs for training personnel and for developing procedures have already been expended and are therefore in the baseline, and we did not estimate these costs in our analysis. We invite public comment on these assumptions.

(b) Estimation of Costs

In its notice of proposed rulemaking, the FTC identified the cost elements that an entity will encounter when complying with the interim final rule. We examine the cost of notifying affected individuals by first class mail, issuing a substitute notice in major media or on a Web site along with a toll-free phone number, notifying prominent media in the event of a breach involving 500 or more individuals, and notifying the Secretary of a breach, as well as the costs of investigating breaches.

Cost of Notifying Affected Individuals by First Class Mail or E-Mail

Section 164.404 requires all covered entities to notify an individual whose unsecured protected health information is believed to have been breached as defined in the interim final rule, either by first class mail or, if the individual has agreed, by e-mail. In its analysis, the FTC assumed that 90 percent of the notices to affected individuals will be e-mailed and only 10 percent will be sent by regular first class mail. Since the firms that the FTC is addressing are primarily web-based, assuming that the vast majority of communications would be conducted through e-mail is a reasonable assumption. For HIPAA covered entities, 90 percent of which are small businesses or nonprofit organizations that engage the entire U.S. population in providing health care

services, we believe that notification through e-mail will be much more limited than in the case of the entities the FTC regulates. Most physicians appear concerned with the lack of confidentiality associated with e-mail use, and many older patients may be uncomfortable with and/or do not have access to e-mail. We, therefore, assume that only 50 percent of individuals affected as a result of a breach of unsecured protected health information will receive e-mail notices.

There will be certain costs that both e-mail and first-class mail communication will share. The cost of preparing the notice and preparing a draft will apply to both forms. The median hourly wage for a healthcare practitioner and technical worker in 2008 was $27.¹⁵ Doubling the amount to account for fringe benefits equals $54. If we assume 30 minutes per breach for composing the letter, the cost equals $27. We assume that it will take 30 minutes per breach for an administrative assistant to draft the letter in either e-mail or printed formats and to document the letter to comply with §§ 164.414(a) and 164.530(j). The median hourly wage for office and administrative support staff is $14.32 per hour. Accounting for benefits, the hourly cost is $29. For the 30 minutes, we estimate $15 per breach. The combined cost for composing and preparing the document is approximately $42 per breach. Half of the cost will be allocated to the mailing of the first-class letter and the other half to the sending of e-mails.

Although computer costs for sending e-mail will be insignificant, it will take staff time to select the e-mail address from the entity’s mailing list. We assume that a staff person could process and send 200 e-mails per hour at a cost of $30 per hour. For each mailed notice we assume $0.06 for paper and envelope and $0.44 for a first class stamp, totaling $0.50 per letter. We estimate another $30 per hour to prepare the mailing by hand at a rate of 100 letters per hour. Using the data from Table 3 above for 2008 (the latest year for which we have a complete year of data), there were a total of 106 breach events reported, including those with an unknown number of affected records or individuals. Multiplying the number of breaches by the cost of composing and drafting a notice (106 × $42) equals $4,346. Allocating half the costs to e-mailing and the same amount to regular mail yields $2,173 for each category.

For 2008, there were 2,888,804 reported affected individuals. Splitting this number evenly between e-mail and regular mail gives us 1,444,402 affected individuals for each notice category. For e-mails we divide affected individuals by the number of addresses processed in an hour (200) and multiply by the hourly cost of $30. To this number we add the $2,173, giving us an estimated cost for e-mail notices of $218,833.

We follow the same method for estimating the cost of mailing notices using postal mail, plus the cost of postage and supplies. Dividing 100 letters per hour into 1,444,402 yields 14,444 hours, which is then multiplied by $30; adding postage and supplies plus the costs of composing and drafting equals $1,157,695. Summing the cost of e-mail and postal mail notices equals $1,376,528. Table 4 presents the results of our analysis. We invite public comment on this analysis and our assumptions.

TABLE 4—COST OF E-MAIL AND FIRST CLASS MAIL TO AFFECTED INDIVIDUALS

          Composing      Breaches   Composing      Affected       Hours to   Cost to     Postage     Total
          and drafting              and drafting   individuals    prepare    prepare     and
                                    costs          or records     mailing    mailing     supplies
Mail      21             106        $2,173         1,444,402      14,444     $433,321    $722,201    $1,157,695
E-mail    21             106        2,173          1,444,402      7,222      216,660     ........    218,833
Total     ........       ........   4,346          2,888,804      ........   ........    ........    1,376,528

Cost of Substitute Notice

In the event that a HIPAA covered entity is not able to contact an affected individual through e-mail or postal mail, it must attempt to contact the person through some other means. If the number of individuals who cannot be reached through the mailings is less than ten, the entity may attempt to reach them by some other written means, or by telephone. We do not know how many breaches occurred with fewer than ten affected individuals and therefore cannot estimate a cost for contacting them. We believe, however, that the costs would be very small, and as a result we have not attempted to estimate the costs of contacting them. In the event that the covered entity is unable to contact 10 or more affected individuals through e-mail or postal mail, the interim final rule requires the entity to (1) publish a notice in the media (newspaper, television, or radio) containing the information contained in the mailed notice or post a notice on its Web site, and (2) set up a toll-free number. The toll-free number is to be included in the public notice and Web site.

Based on the cost for publishing a public notice in the two leading newspapers in the Washington, DC area, rates range between $2.91 and $15.23 per line. Based on these numbers, we estimate that a public notice will cost between $80 and $400. Taking the mean of the range, we estimate an average price of $240 per notice. If we assume that a provider will publish two notices, the cost will be $480. Multiplying this amount by the number of breaches reported in 2008 for the 10 to 499 and 500 or more groupings (70) yields $33,600.

It is conceivable that some breaches involving more than 10 but fewer than 500 individuals may require notices in several states or jurisdictions. The probability of this event occurring, however, we believe, is low, and we did not attempt to estimate the costs of such an event.

If a HIPAA covered entity has a Web site, we assume there will be no cost to post the notice to the Web site.

The cost of setting up a toll-free phone number is a straightforward process of contacting any one of a number of service providers who offer toll-free service. In checking the internet, we found prices for toll-free service ranging from $0.027 per minute for a basic mail box arrangement to $0.07 per minute. Some require a

¹⁵ Department of Labor, Occupational Employment Statistics; Healthcare Practitioner and Technical Occupations. http://www.bls.gov/oes/.

monthly fee ranging from $10 to $15 per month. A major, national phone service company offers toll-free service for $15 per month per toll-free number and a per-minute charge of $0.07. There is a one-time charge of $15. For purposes of our analysis, we will use the costs of $15 per month plus a $15 activation fee and $0.07 per minute.

Since the regulation requires providers to maintain a toll-free number for three months, the monthly charge plus initial fee per breach will be $60.

To estimate the number of calls to the toll-free number, we assumed that more individuals than those who did not receive a notice or who are not affected by the breach would call out of concern that their protected health information might have been compromised. The calls from individuals who are not affected will make up for the affected individuals who will not call the number either because they did not learn of the breach or are not concerned. In its proposed rule, the FTC estimated that 5,000 people would call within the first month and then decline to an average of 1,000 calls per month. Since most HIPAA covered entities do not serve that many patients, we decided to use the mean number of affected individuals for each of the two groups, 10–499 and 500 or more affected individuals. For breaches with 10–499 affected individuals, the mean is 127, and for 500 or more, the mean equals 51,554 individuals. Since multiplying the mean by the number of breaches equals the total number of affected individuals, we assume that breaches affecting between 10 and 500 individuals will generate 1,772 calls. Similarly, for breaches affecting 500 or more individuals, we assume 2,887,032 calls. Assuming that a call averages five minutes at $0.07 per minute, we estimate the total cost for all calls to equal $1,011,084. Added to this is $4,200, which represents the monthly fee per breach (70 breaches) for three months plus the one-time fee (totaling $60 per breach). This brings the total cost of toll-free lines to $1,015,284. To this cost, we must also add the office staff time to answer the incoming calls at $30 per hour. Based on an average of five minutes per call, a staff person could handle 12 calls per hour. Dividing 12 into 2,888,804 equals 240,734 hours, which multiplied by $30 equals $7,222,025. Summing all cost elements yields a total cost of $8,237,309.

To the degree that firms already maintain toll-free phone lines, our estimate overstates the costs of setting up a toll-free line as required under the rule. Table 5 presents our cost analysis.

TABLE 5—COST FOR SETTING UP A TOLL-FREE LINE FOR THREE MONTHS

Costs                                                    Number of     Number of     Number of     Number of      Total
                                                         breaches      breaches      calls         calls
                                                         11–499 (14)   500+ (56)     11–499        500+
                                                                                     (1,772)       (2,887,032)
Monthly Charges for 3 months + 1-time Charge
  ($60/breach)                                           $840          $3,360        ........      ........       $4,200
Direct Calling Charges @ $.07/min × 5 minutes            ........      ........      622           1,010,461      1,011,084
Labor cost @ $30/hr × 5 min per call                     ........      ........      4,445         7,217,580      7,222,025
Total                                                    840           3,360         5,067         8,228,041      8,237,309

In addition to the cost of the toll-free number and staff time answering calls, we also imputed a cost to the time individuals will spend calling the toll-free number. In estimating the time involved, we assumed that a person will spend five minutes per call. However, the person may not get through the first time and thus may have to call back a second time, which could add another 5 minutes. Taking the average between 5 and 10 minutes, we used an average call time of 7.5 minutes.

For purposes of imputing cost to an individual’s time, we took the mean compensation amount from the Bureau of Labor Statistics of $20.32 for all occupations at http://www.bls.gov/oes/current/oes_nat.htm. Dividing 60 by 7.5 minutes yields 8 calls per hour. Dividing the number of calls per hour into 2,888,804 calls and then multiplying by $20 gives us a cost of $7,222,010. We invite the public to comment on our analysis and assumptions.

Cost of Breaches Involving 500 or More Individuals

If a covered HIPAA entity experiences a data breach of protected health information affecting 500 or more individuals, § 164.406 of the interim final rule requires the entity to notify the media in the jurisdiction or State in which 500 or more individuals reside. Also, § 164.408 requires the entity to submit a report to the Secretary at the same time it notifies the media. The covered entity must take these steps in addition to undertaking efforts to directly notify affected individuals by first-class mail or e-mail, and through alternative means of notification if it cannot contact 10 or more individuals. We anticipate that, when a covered entity must notify the media under the interim final rule, it will issue a press release. The tasks involved in issuing the press release will be the drafting of the statement and clearing it through the organization. We assume that a one-page statement will contain essentially the same information provided in the notice to affected individuals and that drafting it will take 1 hour of the time of an equivalent to a GS–12 Federal employee, earning $29 per hour. Multiplying the amount by two to account for benefits equals $58. Approval of the release involves reading the document. We expect this activity to take 15 minutes. The average hourly rate for a public relations manager is approximately $49 in 2008. Doubling the amount for benefits equals $98. Rounding up to $100, one quarter of an hour equals $25 for approving the release. The total cost of the release equals $75, and multiplying this amount by the number of breaches affecting 500 or more individuals (56) equals $4,200. It should be noted that this amount may overstate the actual costs of issuing a notice to the media. The regulation requires a release only in the jurisdiction or State where 500 or more individuals are affected. As the example in the discussion of § 164.406 above in Section IV illustrates, a breach may affect a total of 500 or more individuals but may affect fewer than 500 persons in each State or jurisdiction where the affected individuals reside. In that case, the covered entity does not have to issue a notice to the media, but must take all the other steps required of a breach of that size.

There is the possibility that a breach may affect 500 or more individuals in several States or jurisdictions. In such situations, the covered entity has the choice of notifying the media in each of

the several States or jurisdictions, or it may choose to notify the national media with the expectation that the local media in each jurisdiction will pick up the information. We expect the covered entity to select the most efficient means for informing the media.

The report to the Secretary of HHS that must be sent contemporaneously with the sending of the notices to the affected individuals will contain essentially the same information as the notice sent to the affected individuals: (a) information regarding the nature and cause of the data breach, (b) the number and contents of the records breached, (c) the number of individuals affected, (d) steps the entity took to notify affected individuals and the degree of success it had in reaching affected individuals, and (e) steps taken to improve data security.

We anticipate the time and cost to prepare the report will be the same as that required for issuing a notice to the media. The cost for reporting the 56 breaches affecting 500 or more individuals based on the 2008 data is $4,200.

Cost of Investigating a Breach

loss of laptops and other data bearing equipment accounted for almost 50 percent of data losses. For these reasons, we believe that estimating the average time and cost for breach investigation as being half the amount the FTC estimated is a reasonable assumption. Multiplying our cost estimate by the number of breaches of 500 or more individuals’ protected health information yields $128,800.

Cost of Submitting the Annual Breach Summary to HHS

Under § 164.408, covered entities must maintain a log of all breach events. Once per year a covered entity that has experienced a breach must submit a summary of its log to the Department. Since the material for the submission has already been gathered and organized for the issuance of the notices to the affected individuals, we expect submitting the log summary to the Department will require at most an hour of office staff time once per year. At $30 per hour multiplied by the total number of breaches reported for 2008 (106), this equals $3,180.

percent of the cases. For those who did not take steps to mitigate the damage for 6 months or longer, the amount of fraud exceeded $5,000 in 44 percent of the cases. From this evidence, it appears that there are some tangible benefits to notifying individuals as soon as possible after a breach of protected health information occurs. We did not, however, find a clear connection between the breach of protected health information and the amount of financial loss or its frequency.

The harm to a person’s reputation or standing in the community resulting from the release of protected health information could be substantial and could have financial and economic consequences. We lack data on the frequency and extent of damages from the inappropriate release of sensitive medical information. Notifying a person of unauthorized access can, however, enable a person to take measures to reduce the damage. Notification can enable them to prepare psychologically and take actions to prepare for the consequences. The individual also may take steps to prepare others for the possible consequences.
3. Benefits Benefits to the HIPAA covered entity
As a prerequisite to issuing a notice We were not able to identify any will rest with the actions it takes to
to individuals or to the media and the studies that pointed to quantitative prevent data breaches. As our analysis
report to the Secretary when a breach benefits arising from the notification of demonstrates, the costs of notification
occurs, the covered entity will need to health data breaches. On an intuitive for an entity may be significant,
conduct some form of investigation to level, however, it seems that notifying although in the aggregate in terms of
determine the nature and cause of the affected individuals of compromises to overall health care costs, they are
breach. We anticipate that most their protected health information extremely small. Nevertheless, we
breaches involving fewer than 500 would help in two ways. It would alert believe that the costs of the interim final
records or individuals will be relatively them to the possibility of identity theft rule are avoidable if either before a
easy to investigate and may involve a resulting from the exposure of covered entity experiences a breach or
day of investigation to determine the identifiers such as credit card numbers, following one, the entity adopts
cause and the extent of the breach. An date of birth, and social security measures to strengthen its data security.
office manager’s time at $50 per hour numbers associated with the As pointed out, the most frequent form
multiplied by 8 hours equals $400 and individual’s name. The other benefit of of data loss is the result of lost or stolen
multiplied by the number of breaches notification is enabling an affected laptops and data bearing media such as
affecting fewer than 500 individuals is individual to mitigate harm to his or her hard drives. If the data on these devices
$20,000. We note that this estimate personal reputation that may result from is encrypted, then under the interim
includes the time required to produce the exposure of sensitive medical final rule definition of a breach, the
the documentation required by information. event would not require the covered
§ 164.414(a). With respect to the mitigation of entity or the business associate to notify
For breaches involving 500 or more financial loss, in the study cited affected individuals.
individuals, the breach investigation previously 16 Turner presents evidence Because much of the harm resulting
may take considerably longer and from breaches of protected health
suggesting that 69 percent of individuals
involve significantly greater costs. The information may come from the pain
who were able to take action within 6
FTC, in its proposed rule (74 FR 17921 and suffering individuals’ may sustain
months of the breach to their financial
and footnote 27) estimated 100 hours at to their reputations and standing in
information to mitigate damages
a cost of $4,652. We accept this cost for their communities, the benefits that
suffered no out-of-pocket expenses. This
investigating a breach as an upper reductions in the number of breaches
compares to 40 percent who took action
bound, but we expect that the average and number of individuals affected is
after 6 months. In cases where affected
investigation will take half the time and hard to quantify while the costs of the
individuals who were able to take action
cost approximately $2,300. Based on the rule are identifiable and specific. For
within 5 months of the breach such as
Ponemon report cited above, the most these reasons, we are unable to estimate
erowe on DSK5CLS3C1PROD with RULES_2

monitor their credit card statement and


frequent cause for data breaches was a the net benefits of the rule. Yet we
notify credit bureaus, the value of the
lost laptop computer accounting for 35 believe by providing an incentive to
fraud exceeded $5,000 only in 11
percent of all data breaches. While reduce the number of breaches of
system failure was the second most 16 ‘‘Towards A Rational Breach Notification unsecured protected health information,
frequently cited cause of data breaches Regime’’ by Michael Turner; Information Policy the rule will help increase confidence
accounting for 33 percent, the combined Institute. among members of the public in the

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00027 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
42766 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

security of their protected health instances, already have obligations to information collections must be directed
information. To whatever extent greater provide notification of data breaches to the OS Paperwork Clearance Officer
trust can be fostered between patients under most State laws covering medical at the above e-mail address within 14
and health care providers, the better the breaches. Therefore, the Secretary days.
communication and the higher the certifies that the rule will not have a Abstract: The Health Information
quality of health care delivered. significant impact on a substantial Technology for Economic and Clinical
number of small entities. Health (HITECH) Act, Title XIII of
D. Regulatory Flexibility Analysis
Division A and Title IV of Division B of
The RFA requires agencies to analyze VI. Paperwork Reduction Act
the American Recovery and
options for regulatory relief of small Information Collection
Reinvestment Act of 2009 (ARRA) (Pub.
businesses if a rule has a significant In compliance with the requirement L. 111–5) requires the Office for Civil
impact on a substantial number of small of section 3506(c)(2)(A) of the Rights to collect information regarding
entities. We are implementing this Paperwork Reduction Act of 1995, the breaches discovered by covered entities
interim final rule as required by section Office of the Secretary (OS), Department and their business associates. ARRA
13402 of Public Law 111–5. The of Health and Human Services, is was enacted on February 17, 2009. The
objective of the rule is to establish publishing the following summary of a HITECH Act (the Act) at section 13402
uniform requirements for HIPAA proposed information collection request requires the Department of Health and
covered entities and their business for public comment. Human Services (HHS) to issue interim
associates to notify individuals whose Because this rule will go into effect 30 final regulations within 180 days of
unsecured protected health information days following publication, we have enactment to require HIPAA covered
may have been improperly accessed or submitted a request to OMB for review entities and their business associates to
used. of these information collection notify affected individuals and the
In Table 2 above, we identified the requirements on an emergency basis, Secretary of breaches of unsecured
type and number of HIPAA covered pursuant to 5 CFR 1320.13. We are protected health information. Section
entities to which the interim regulation providing an abbreviated comment 164.404 of this interim final regulation
applies. For purposes of our regulatory period of 14 days. Interested persons are requires HIPAA covered entities to
flexibility analysis, it is our practice to invited to send comments by September notify affected individuals of a breach of
assume that all health care providers 8, 2009 regarding this burden estimate their unsecured protected health
and suppliers meet the definition of a or any other aspect of this collection of information without reasonable delay
small entity. Ninety percent of small information, including any of the and in any case within 60 days of
entities either meet the Small Business following subjects: (1) The necessity and discovery of the breach, and, in some
Administration size standard for a small utility of the proposed information cases, to notify the media of such
business or are nonprofit organizations. collection for the proper performance of breaches pursuant to § 164.406. Section
Approximately 71 percent of health the agency’s functions; (2) the accuracy 164.408 requires covered entities to
insurance carriers and third party of the estimated burden; (3) ways to provide the Secretary with immediate
administrators meet the SBA’s small enhance the quality, utility, and clarity notice of all breaches of unsecured
business size standard. Although we do of the information to be collected; and protected health information involving
not have separate revenue data for (4) the use of automated collection more than 500 individuals.
health insurance carriers and third party techniques or other forms of information Additionally, the Act requires covered
administrators, we believe that the technology to minimize the information entities to provide the Secretary with an
majority of the third party collection burden. annual log of all breaches of unsecured
administrators meet the SBA standard. To comment on this collection of protected health information that
Approximately 22 percent of information or to obtain copies of the involve less than 500 individuals.
pharmacies meet the SBA standard for supporting statement and any related Finally, covered entities must maintain
a small business. forms for the proposed paperwork appropriate documentation under
Based on the analysis of data breaches collections referenced above, e-mail § 164.530(j) to comply with their burden
for 2008, we do not expect the interim your comment or request, including of proof under § 164.414.
final rule to have a significant impact on your address and phone number to The estimated annualized burden
a substantial number of small entities. Sherette.funncoleman@hhs.gov, or call table below was developed using the
We estimate that the average cost per the Reports Clearance Office on (202) same estimates and workload
breach will cost $160.616. Second, the 690–6162. Written comments and assumptions in the impact statement in
rule will apply to entities that, in many recommendations for the proposed section V, above.

ESTIMATED ANNUALIZED BURDEN TABLE

Type of respondent                                                    Number of     Average number    Average burden    Total burden
                                                                      respondents   of responses      hours per         hours
                                                                                    per respondent    response

Individual Notice—Written and E-mail Notice (investigation;
  drafting, preparing, and documenting notification; and
  sending notification) ...........................................       106          27,253            1/60          48,147
Individual Notice—Substitute Notice (posting or publishing
  notice and toll-free number) ....................................        70               1             668          46,760
Media Notice ......................................................        56               1               1              56
Notice to Secretary (Notice for breaches affecting 500 or more
  individuals and annual notice) ..................................       106               1           22/60              39
Total .............................................................  ............  ..............  ..............      95,002

List of Subjects § 160.534 The hearing. used in this subpart, not as used in
* * * * * subparts D or E of this part.)
45 CFR Part 160
(b)(1) * * * * * * * *
Administrative practice and (iv) Compliance with subpart D of ■ 9. Add a new subpart D to part 164
procedure, Computer technology, part 164, as provided under to read as follows:
Electronic information system, § 164.414(b).
Electronic transactions, Employer Subpart D—Notification in the Case of
(2) The Secretary has the burden of Breach of Unsecured Protected Health
benefit plan, Health, Health care, Health going forward and the burden of
facilities, Health insurance, Health Information
persuasion with respect to all other
records, Hospitals, Investigations, Sec.
issues, including issues of liability other 164.400 Applicability.
Medicaid, Medical research, Medicare, than with respect to subpart D of part
Penalties, Privacy, Reporting and 164.402 Definitions.
164, and the existence of any factors 164.404 Notification to individuals.
recordkeeping requirements, Security. considered aggravating factors in 164.406 Notification to the media.
45 CFR Part 164 determining the amount of the proposed 164.408 Notification to the Secretary.
penalty. 164.410 Notification by a business
Administrative practice and associate.
procedure, Computer technology, * * * * *
164.412 Law enforcement delay.
Electronic information system, 164.414 Administrative requirements and
PART 164—SECURITY AND PRIVACY
Electronic transactions, Employer burden of proof.
benefit plan, Health, Health care, Health ■ 5. The authority citation for part 164 Authority: Secs. 13400 and 13402, Pub. L.
facilities, Health insurance, Health is revised to read as follows: 111–5, 123 Stat. 258–263.
records, Hospitals, Medicaid, Medical
research, Medicare, Privacy, Reporting Authority: 42 U.S.C. 1320d–1320d–8; sec. Subpart D—Notification in the Case of
and recordkeeping requirements, 264, Public Law 104–191, 110 Stat. 2033– Breach of Unsecured Protected Health
2034 (42 U.S.C. 1320–2 (note)); secs. 13400
Security. and 13402, Public Law 111–5, 123 Stat. 258–
Information
■ For the reasons set forth in the 263. § 164.400 Applicability.
preamble, the Department proposes to The requirements of this subpart shall
revise 45 CFR subtitle A, subchapter C, ■ 6. Revise § 164.102 to read as follows:
apply with respect to breaches of
parts 160 and 164, as follows: § 164.102 Statutory basis. protected health information occurring
PART 160—GENERAL The provisions of this part are on or after September 23, 2009.
ADMINISTRATIVE REQUIREMENTS adopted pursuant to the Secretary’s
§ 164.402 Definitions.
authority to prescribe standards,
■ 1. The authority citation for part 160 requirements, and implementation As used in this subpart, the following
is revised to read as follows: specifications under part C of title XI of terms have the following meanings:
the Act, section 264 of Public Law 104– Breach means the acquisition, access,
Authority: 42 U.S.C. 1302(a); 42 U.S.C.
191, and section 13402 of Public Law use, or disclosure of protected health
1320d–1320d–8; sec. 264, Public Law 104–
191, 110 Stat. 2033–2034 (42 U.S.C. 1320d– 111–5. information in a manner not permitted
2 (note)); 5 U.S.C. 552; and secs. 13400 and under subpart E of this part which
■ 7. In § 164.103, add in alphabetical
13402, Public Law 111–5, 123 Stat. 258–263. compromises the security or privacy of
order the definition of ‘‘Law the protected health information.
■ 2. Revise § 160.101 to read as follows: enforcement official’’ to read as follows: (1)(i) For purposes of this definition,
§ 160.101 Statutory basis and purpose. § 164.103 Definitions. compromises the security or privacy of
* * * * * the protected health information means
The requirements of this subchapter poses a significant risk of financial,
implement sections 1171 through 1179 Law enforcement official means an
reputational, or other harm to the
of the Social Security Act (the Act), as officer or employee of any agency or
individual.
added by section 262 of Public Law authority of the United States, a State,
(ii) A use or disclosure of protected
104–191, section 264 of Public Law a territory, a political subdivision of a
health information that does not include
104–191, and section 13402 of Public State or territory, or an Indian tribe, who
the identifiers listed at § 164.514(e)(2),
Law 111–5. is empowered by law to:
date of birth, and zip code does not
■ 3. In § 160.202, revise the second (1) Investigate or conduct an official compromise the security or privacy of
paragraph of the definition ‘‘Contrary’’ inquiry into a potential violation of law; the protected health information.
to read as follows: or (2) Breach excludes:
(2) Prosecute or otherwise conduct a (i) Any unintentional acquisition,
§ 160.202 Definitions. criminal, civil, or administrative access, or use of protected health
* * * * * proceeding arising from an alleged information by a workforce member or
Contrary * * * violation of law. person acting under the authority of a
(2) The provision of State law stands * * * * * covered entity or a business associate, if
as an obstacle to the accomplishment such acquisition, access, or use was
■ 8. In § 164.304, revise the definition of
and execution of the full purposes and made in good faith and within the scope
‘‘Access’’ to read as follows:
objectives of part C of title XI of the Act, of authority and does not result in
section 264 of Public Law 104–191, or § 164.304 Definitions. further use or disclosure in a manner
erowe on DSK5CLS3C1PROD with RULES_2

section 13402 of Public Law 111–5, as * * * * * not permitted under subpart E of this
applicable. Access means the ability or the means part.
* * * * * necessary to read, write, modify, or (ii) Any inadvertent disclosure by a
■ 4. In § 160.534 add paragraph communicate data/information or person who is authorized to access
(b)(1)(iv), and revise (b)(2) to read as otherwise use any system resource. protected health information at a
follows: (This definition applies to ‘‘access’’ as covered entity or business associate to

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00029 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
42768 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

another person authorized to access (a) of this section shall include, to the personal representative of the
protected health information at the same extent possible: individual under paragraph (d)(1)(ii).
covered entity or business associate, or (A) A brief description of what (i) In the case in which there is
organized health care arrangement in happened, including the date of the insufficient or out-of-date contact
which the covered entity participates, breach and the date of the discovery of information for fewer than 10
and the information received as a result the breach, if known; individuals, then such substitute notice
of such disclosure is not further used or (B) A description of the types of may be provided by an alternative form
disclosed in a manner not permitted unsecured protected health information of written notice, telephone, or other
under subpart E of this part. that were involved in the breach (such means.
(iii) A disclosure of protected health as whether full name, social security (ii) In the case in which there is
information where a covered entity or number, date of birth, home address, insufficient or out-of-date contact
business associate has a good faith belief account number, diagnosis, disability information for 10 or more individuals,
that an unauthorized person to whom code, or other types of information were then such substitute notice shall:
the disclosure was made would not involved); (A) Be in the form of either a
reasonably have been able to retain such (C) Any steps individuals should take conspicuous posting for a period of 90
information. to protect themselves from potential days on the home page of the Web site
Unsecured protected health harm resulting from the breach; of the covered entity involved, or
information means protected health (D) A brief description of what the conspicuous notice in major print or
information that is not rendered covered entity involved is doing to broadcast media in geographic areas
unusable, unreadable, or indecipherable investigate the breach, to mitigate harm where the individuals affected by the
to unauthorized individuals through the to individuals, and to protect against breach likely reside; and
use of a technology or methodology any further breaches; and (B) Include a toll-free phone number
specified by the Secretary in the (E) Contact procedures for individuals that remains active for at least 90 days
guidance issued under section to ask questions or learn additional where an individual can learn whether
13402(h)(2) of Public Law 111–5 on the information, which shall include a toll- the individual’s unsecured protected
HHS Web site. free telephone number, an e-mail health information may be included in
address, Web site, or postal address. the breach.
§ 164.404 Notification to individuals. (2) Plain language requirement. The (3) Additional notice in urgent
(a) Standard—(1) General rule. A notification required by paragraph (a) of situations. In any case deemed by the
covered entity shall, following the this section shall be written in plain covered entity to require urgency
discovery of a breach of unsecured language. because of possible imminent misuse of
protected health information, notify (d) Implementation specifications: unsecured protected health information,
each individual whose unsecured Methods of individual notification. The the covered entity may provide
protected health information has been, notification required by paragraph (a) of information to individuals by telephone
or is reasonably believed by the covered this section shall be provided in the or other means, as appropriate, in
entity to have been, accessed, acquired, following form: addition to notice provided under
used, or disclosed as a result of such (1) Written notice. (i) Written paragraph (d)(1) of this section.
breach. notification by first-class mail to the
(2) Breaches treated as discovered. individual at the last known address of § 164.406 Notification to the media.
For purposes of paragraph (a)(1) of this the individual or, if the individual (a) Standard. For a breach of
section, §§ 164.406(a), and 164.408(a), a agrees to electronic notice and such unsecured protected health information
breach shall be treated as discovered by agreement has not been withdrawn, by involving more than 500 residents of a
a covered entity as of the first day on electronic mail. The notification may be State or jurisdiction, a covered entity
which such breach is known to the provided in one or more mailings as shall, following the discovery of the
covered entity, or, by exercising information is available. breach as provided in § 164.404(a)(2),
reasonable diligence would have been (ii) If the covered entity knows the notify prominent media outlets serving
known to the covered entity. A covered individual is deceased and has the the State or jurisdiction. For purposes of
entity shall be deemed to have address of the next of kin or personal this section, State includes American
knowledge of a breach if such breach is representative of the individual (as Samoa and the Northern Mariana
known, or by exercising reasonable specified under § 164.502(g)(4) of Islands.
diligence would have been known, to subpart E), written notification by first- (b) Implementation specification:
any person, other than the person class mail to either the next of kin or Timeliness of notification. Except as
committing the breach, who is a personal representative of the provided in § 164.412, a covered entity
workforce member or agent of the individual. The notification may be shall provide the notification required
covered entity (determined in provided in one or more mailings as by paragraph (a) of this section without
accordance with the federal common information is available. unreasonable delay and in no case later
law of agency). (2) Substitute notice. In the case in than 60 calendar days after discovery of
(b) Implementation specification: which there is insufficient or out-of-date a breach.
Timeliness of notification. Except as contact information that precludes (c) Implementation specifications:
provided in § 164.412, a covered entity written notification to the individual Content of notification. The notification
shall provide the notification required under paragraph (d)(1)(i) of this section, required by paragraph (a) of this section
by paragraph (a) of this section without a substitute form of notice reasonably
erowe on DSK5CLS3C1PROD with RULES_2

shall meet the requirements of


unreasonable delay and in no case later calculated to reach the individual shall § 164.404(c).
than 60 calendar days after discovery of be provided. Substitute notice need not
a breach. be provided in the case in which there § 164.408 Notification to the Secretary.
(c) Implementation specifications: is insufficient or out-of-date contact (a) Standard. A covered entity shall,
Content of notification—(1) Elements. information that precludes written following the discovery of a breach of
The notification required by paragraph notification to the next of kin or unsecured protected health information

VerDate Nov<24>2008 15:01 Aug 21, 2009 Jkt 217001 PO 00000 Frm 00030 Fmt 4701 Sfmt 4700 E:\FR\FM\24AUR2.SGM 24AUR2
Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations 42769

as provided in § 164.404(a)(2), notify the associate to have been, accessed, procedures with respect to protected
Secretary. acquired, used, or disclosed during the health information required by this
(b) Implementation specifications: breach. subpart and subpart D of this part, as
Breaches involving 500 or more (2) A business associate shall provide necessary and appropriate for the
individuals. For breaches of unsecured the covered entity with any other members of the workforce to carry out
protected health information involving available information that the covered their functions within the covered
500 or more individuals, a covered entity is required to include in entity.
entity shall, except as provided in notification to the individual under (2) * * * (i) * * *
§ 164.412, provide the notification § 164.404(c) at the time of the (C) To each member of the covered
required by paragraph (a) of this section notification required by paragraph (a) of entity’s workforce whose functions are
contemporaneously with the notice this section or promptly thereafter as affected by a material change in the
required by § 164.404(a) and in the information becomes available. policies or procedures required by this
manner specified on the HHS Web site. subpart or subpart D of this part, within
§ 164.412 Law enforcement delay.
(c) Implementation specifications: a reasonable period of time after the
Breaches involving less than 500 If a law enforcement official states to material change becomes effective in
individuals. For breaches of unsecured a covered entity or business associate accordance with paragraph (i) of this
protected health information involving that a notification, notice, or posting section.
less than 500 individuals, a covered required under this subpart would
* * * * *
entity shall maintain a log or other impede a criminal investigation or cause (d)(1) Standard: Complaints to the
documentation of such breaches and, damage to national security, a covered covered entity. A covered entity must
not later than 60 days after the end of entity or business associate shall: provide a process for individuals to
each calendar year, provide the (a) If the statement is in writing and
make complaints concerning the
notification required by paragraph (a) of specifies the time for which a delay is
covered entity’s policies and procedures
this section for breaches occurring required, delay such notification, notice,
required by this subpart and subpart D
during the preceding calendar year, in or posting for the time period specified
of this part or its compliance with such
the manner specified on the HHS Web by the official; or
(b) If the statement is made orally, policies and procedures or the
site. requirements of this subpart or subpart
document the statement, including the
identity of the official making the D of this part.
§ 164.410 Notification by a business
associate. statement, and delay the notification, * * * * *
(a) Standard. (1) A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.

(2) Breaches treated as discovered. For purposes of paragraph (1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the federal common law of agency).

(b) Implementation specifications: Timeliness of notification. Except as provided in § 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

(c) Implementation specifications: Content of notification. (1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business

notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.

§ 164.414 Administrative requirements and burden of proof.

(a) Administrative requirements. A covered entity is required to comply with the administrative requirements of § 164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart.

(b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at § 164.402.

§ 164.501 [Amended]

■ 10. In § 164.501, remove the definition “Law enforcement official.”

■ 11. In § 164.530, revise paragraphs (b)(1), (b)(2)(i)(C), (d)(1), the first sentence of paragraph (e)(1), (g)(1), (h), the first sentence of paragraph (i)(1), (i)(2)(i) and add paragraph (j)(1)(iv) to read as follows:

§ 164.530 Administrative requirements.

* * * * *

(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and

(e)(1) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. * * *

* * * * *

(g) Standard: Refraining from intimidating or retaliatory acts. A covered entity—

(1) May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by this subpart or subpart D of this part, including the filing of a complaint under this section; and

* * * * *

(h) Standard: Waiver of rights. A covered entity may not require individuals to waive their rights under § 160.306 of this subchapter, this subpart, or subpart D of this part, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

(i)(1) Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. * * *

42770 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

(2) Standard: Changes to policies and procedures.

(i) A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part.

* * * * *

(j)(1) * * *

(iv) Maintain documentation sufficient to meet its burden of proof under § 164.414(b).

* * * * *

Dated: August 6, 2009.

Kathleen Sebelius,
Secretary.

[FR Doc. E9–20169 Filed 8–19–09; 4:15 pm]

BILLING CODE 4153–01–P