September 10, 2009

Breach Notification Rules Issued

On August 24th and 25th, 2009, respectively, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) (“Agencies”) issued interim and final regulations relating to breach notification of personal health information.  These regulations become effective on September 23rd and 24th, 2009; however, both Agencies have indicated that they will honor a “non-enforcement policy” for six months from the date of issuance.  In effect, this non-enforcement policy will be in place until February 24th and 25th, 2010; thereafter, affected entities must be fully in compliance.  While these two sets of rules are similar, they are not identical.


  • The HHS rules regulate entities subject to HIPAA; specifically, covered entities, which include health care providers, health care clearinghouses, and health plans, as well as business associates. 
  • The FTC rules govern vendors of personal health records (PHR), or PHR-related entities, that are not otherwise subject to HIPAA.  A PHR-related entity is one that offers products or services through the web site of a vendor of PHR, or through web sites of HIPAA-covered entities that offer PHR, or an entity that accesses or sends information via a PHR.

Both Agencies (HHS and FTC) require a business associate to notify an affected entity of any breach of personal health information of which it becomes aware.  The business associate agreement should specifically spell out the business associate’s obligations in the event of a breach of personal health information.

Breach of Personal Health Information

Both rules require that individuals be notified if a breach of unsecured personal health information (PHI) occurs.  If information is secured, then a breach notice is not required.  To be secured, the information must be encrypted, as defined by the regulations, or be destroyed.  This standard applies for purposes of breach notification; it is a higher standard of security than is required by the HIPAA law itself.

A breach notice must only be provided if a breach occurs.  A breach occurs when there is substantive risk that an individual’s information will be misappropriated.  The regulations provide several examples of how to determine whether a breach has occurred.

Notably, both sets of rules require that the breach notice be issued without unreasonable delay, and, in no event, later than 60 calendar days following the date the breach is discovered.  It is important to understand that the 60 days is not a safe harbor; in fact, the notice must be provided without unreasonable delay, which may well be less than 60 days.  What this means is that the time for providing the notice may begin to run well before a full investigation has taken place.

Types of Breach Notifications

There are potentially three breach notices that may be provided: an individual notice, a notice to the media, and a notice to HHS or FTC. 

Individual Notice

An individual breach notice must be provided in writing, unless the individual consented, in advance, to receive electronic notification.  The notice must include:

  1. A brief description of what happened, including the date of the breach and the date the breach was discovered, if known;
  2. A description of the types of unsecured PHI, or PHR identifiable information that was involved in the breach, such as full name, social security number, date of birth, home address, account number, diagnosis, disability code, or similar personal information;
  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach;
  4. A brief description of what the entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
  5. Contact procedures for individuals to ask questions, or learn additional information, which must include a toll-free telephone number, an e-mail address, a web site, or a postal address.

Special rules apply if the contact information is out-of-date, or if the individual is deceased.

If there is imminent risk that information will be misappropriated, a telephone contact may be required, together with the written notice.

Notice to Media

When a breach involves more than 500 residents of a State or jurisdiction, the rules prescribe when breach notification must be provided to prominent media outlets.

Notice to the Agencies

Finally, the covered entity must maintain a breach notification log.  If the breach affects 500 or more individuals, the relevant Agencies must be notified immediately.  Further, the Agencies’ websites explain how this notice must be accomplished.  If the breach involves fewer than 500 individuals, the covered entity’s log must be submitted to the relevant agency within 60 days following the close of the calendar year.

What Should a Covered Entity or Business Associate Do?

If you are a covered entity or business associate:

  • Review and update your HIPAA privacy and security policies.
  • Train your staff to recognize potential breach occurrences.
  • Update your business associate agreements.
  • Develop a procedure to:
    • Identify a breach;
    • Notify affected individuals; and
    • Maintain a breach log.


The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations.

As required by U.S. Treasury rules, we inform you that, unless expressly stated otherwise, any U.S. federal tax advice contained in this Benefit Beat is not intended or written to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed by the Internal Revenue Service.