HIPAA security rules
  • Health plans that engage in electronic health care transactions, and/or maintain EPHI need to ensure reasonable security from unauthorized access, alteration, deletion, and transmission of PHI.
  • A covered entity that discovers a breach must provide notice to the affected individual as soon as it can, but no later than 60 days after the breach is discovered, and must notify HHS of the breach, and, in some cases, the media.
  • The breach notification must include a brief description of what happened, the types of PHI involved, steps that individuals should take, what the covered entity is doing to investigate the breach and mitigate loss, and contact procedures to obtain additional information.

Security is an important part of the privacy provision. The health care industry has been moving away from paper processes and relying more heavily on the use of computers to pay claims, answer eligibility questions, provide health information, and conduct a host of administrative functions. Under HIPAA, health plans that engage in electronic health care transactions, and/or maintain electronic PHI (EPHI) need to ensure their systems provide reasonable security from unauthorized access, alteration, deletion, and transmission of PHI.

The security rule requires that the confidentiality, integrity, and availability of EPHI created, received, maintained, used, or transmitted be protected. The security rule is more technical than the privacy rule, as it involves information technology.

Breaches of PHI

The Health Information Technology for Economic and Clinical Health Act (HITECH) included requirements addressing breaches of PHI. In general, a breach is the unauthorized acquisition, access, use, or disclosure of “unsecured PHI” which compromises the privacy or security of the information.

A covered entity that discovers a breach must provide notice to the affected individual as soon as it can, but no later than 60 days after the breach is discovered. In addition, the covered entity is required to notify the Department of Health and Human Services of the breach, and, in some cases, the media.

Notification of a breach

There are a few methods available to notify individuals of the breach:

  • In writing using first-class mail at the last known address or by email if the individual prefers. The notification may be provided in one or more mailings as information becomes available.
  • If the covered entity does not have adequate contact information for providing written notice, it may comply with the requirement through a phone call (if fewer than 10 people are affected) or provide a conspicuous posting on its website (where 10 or more people are affected). This posting must include a toll-free phone number to call to determine if an individual’s PHI is included in the breach.
  • A covered entity may also post the notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. This notice would also need to include a toll-free number to obtain more information.
  • In urgent situations (imminent misuse of PHI), a covered entity may call individuals in addition to providing notices as above.

If the breach involves more than 500 residents of a state or jurisdiction, the covered entity needs to provide notice to prominent media outlets serving the state or jurisdiction.

If the breach involved more than 500 individuals, a covered entity must immediately notify the U.S. Department of Health and Human Services (HHS).

If it involved fewer than 500 individuals, a covered entity must maintain a log of the breach and annually submit the log to the HHS.

The HHS will post a list on its website of covered entities involved in breaches involving 500 or more individuals.

Content of notification

Breach notices need to include the following information:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  • A description of the types of unsecured PHI that were involved in the breach (such as full name, SSN, date of birth, home address, account number, or disability code).
  • The steps individuals should take to protect themselves from potential harm resulting from the breach.
  • A brief description of what the covered entity is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
  • Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, website, or postal address.