The Department of Health and Human Services (HHS) released guidance on April 17, 2009, regarding the new protected health information (PHI) security breach notification requirements set forth in the American Recovery and Reinvestment Act of 2009 (ARRA).

Passed in February 2009, the ARRA established notification requirements to further protect consumers from security breaches compromising the privacy of their PHI. The notification requirements are expected to take effect in September 2009. Under the new requirements, "Covered Entities" (including group health plans and health care providers) and their "Business Associates" (persons or entities that use or disclose PHI on behalf of a covered entity that are not members of the covered entity's workforce) will have specified notification requirements in the case of a breach of an individual's "unsecured" PHI.

ARRA General Security Breach Notification Requirements

In general, within 60 calendar days after the discovery of a breach of "unsecured" PHI, the Covered Entity must notify:

  • Each affected individual of such breach.
  • Prominent media outlets in the state (if the breach involves more than 500 residents of a state or jurisdiction).
  • The Secretary of HHS. (If the breach involves 500 or more individuals, notification must be made to the Secretary immediately. If the breach involves fewer than 500 individuals, a log may be maintained and submitted annually to the Secretary.)

If the breach is by a Business Associate of a Covered Entity, the Business Associate must notify the Covered Entity (not the affected individuals) of the breach.

ARRA Notification Requirements can be Avoided

The ARRA's new notification requirements apply only where "unsecured" PHI is breached. Unsecured PHI is PHI that is not secured through the use of a technology or methodology specified by the Secretary of HHS. Pursuant to the recent HHS guidance, PHI is "secured" if it is rendered unusable, unreadable or indecipherable to unauthorized individuals by one of two methods — encryption or destruction — as set forth in the guidance.

Practical Steps for Covered Entities

Beginning in September 2009, Covered Entities and Business Associates must comply with the new notice rules or ensure that their PHI is secured. Accordingly, Covered Entities should: (1) review and revise their policies and procedures to ensure PHI is "secured," and/or implement procedures to comply with the breach notification requirements in the event any "unsecured" PHI is disclosed due to a security breach; (2) review and revise existing Business Associate Agreements to ensure that they require Business Associates to comply with the new ARRA requirements; and (3) be aware of state laws in many jurisdictions (including Pennsylvania) requiring notification to residents whose personal information was or may have been disclosed due to a security system breach.