What in the Heck is "Unsecured PHI?"

By now most plan administrators should be aware that there is something called the HITECH Act and that the ARRA of 2009 made some changes to HIPAA with respect to medical privacy and security regulations.  In my August 24, 2009 entry about plan compliance items, I make reference to the HITECH Act and the new "security breach" requirements and the need to update business associate agreements.  But as a follow-up, I wanted to dig a little deeper into what this security breach component is and what it means, and take a look at the creation of a class of information called "unsecured protected health information."

Often when I am having discussions about HIPAA, questions are raised about what constitutes PHI.  Technically it is individually identifiable information about past, present or future medical care or diagnosis.  So while the medical care or diagnosis part was protected, the individual identifiers themselves were NOT protected by HIPAA privacy.  Now I believe that changes.

ARRA creates a class of information called "Unsecured Protected Health Information" which is protected health information (PHI) that is not secured through the use of a technology or methodology specified by HHS as one that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals.  In other words, if it is not encrypted under the technology requirements, it is unsecured.  And that may be all there is to it.  But I actually think unsecured PHI might go a little deeper.

I think that unsecured PHI might also be that information which is part of the PHI records, but not necessarily PHI that is specifically secured and protected by HIPAA.  So I think we might now have "secured PHI" like a medical diagnosis, and "unsecured PHI" which would be the social security number of the patient who received the diagnosis.

The Department of Health and Human Services is required to issue guidance specifying the technologies and methodologies that render PHI as unusable, unreadable or indecipherable to unauthorized individuals within 60 days of the enactment date (i.e., April 18, 2009) and annually thereafter.  Until the guidance is issued, covered entities may rely on a technology or methodology which is developed or endorsed for this purpose by a standards developing organization accredited by the American National Standards.  That would appear to cover the technological component but I think it overlooks the fact that PHI does not exist only in electronic format.  You can't encrypt a piece of paper, but you still have to protect what is on it.

So I think that, at least in some respects, the purpose of the ARRA changes is that while technically all PHI is protected, not all ancillary information contained within the PHI is necessarily subject to the current protections.  If secure PHI is improperly released, there are corrective mechanisms in place under the original regulations.  But what to do about that ancillary information that was part of the PHI that is not necessarily protected but should still be secured?  Maybe it is now defined as unsecured PHI and new standards apply to it.

The ARRA creates a new notice obligation when the security of an individual’s unsecured PHI is breached. In other words, if unsecured PHI (like social security numbers) gets out, the entity that let it escape has breached this new obligation to protect it. The security of that information is compromised. If the security of this PHI is breached or believed to have been breached, then the covered entity that becomes aware of the breach must notify each impacted individual of the breach, in writing, without unreasonable delay but no later than 60 calendar days after discovery of the breach. Business associates are subject to the same requirement except that the business associate must notify the covered entity of the breach.

The notice must be in writing and sent to the individual’s last known address (or electronically if permitted by the individual) or through an alternative method if the individual’s address is not known. If there are 10 or more individuals for whom an address is not available, the notice must be posted conspicuously on the covered entity’s website or in other major print or broadcast media. If the breach involves more than 500 individuals in one state or jurisdiction for whom an address is not available, the notice must be provided through major media outlets servicing the state or jurisdiction.

The notice must contain (1) a brief description of the breach, including the date of the breach and the date it was discovered; (2) a description of the types of unsecured PHI involved in the breach (e.g., social security number, account number, address, etc.); (3) the steps an individual should take to protect himself from potential harm resulting from the breach; (4) a brief description of actions the covered entity is taking to investigate and mitigate losses from the breach; and (5) contact information in case there are additional questions.

In the end, I find I have not answered my own questions.  Hopefully, once the final guidance is rendered from HHS, there will be more clarification.  But I do think that it is certainly part of a "best practices" approach to privacy policies for health plans to make sure that ALL parts of the PHI record are treated as protected.
